Blog

03/06/2019

Apache / Nginx / Lighttpd: PHP Disable File Upload



I am in the process of setting Apache and PHP for my small business server. I’m not utilizing file upload functionality in any of my PHP scripts. How do I disallow uploading files under CentOS or Ubuntu Linux based LAMP server?

PHP is a widely used and often misconfigured server-side scripting language. If you or one of your web-app written in PHP are not using file uploads then you can turn it off by editing the php.ini file. Crackers (or attackers) will try to upload malicious script into your web apps for spam, fraud and other malicious activities.

Step #1: Find php.ini

To find the php.ini path, enter:

php -i | grep --color 'php.ini'

Sample outputs:

Fig.01: Finding php.ini path under Unix like operating systems

On my CentOS based system php.ini is located in /etc/ directory.

Step #2: Edit /etc/php.ini

Edit the file /etc/php.ini, type:
# vi /etc/php.ini
Make the following changes to /etc/php.ini:

# Disallow uploading altogether this makes moving or injecting bad scripts/code onto your web server more difficult
file_uploads = Off
 
# Disallow treatment of file requests as fopen calls 
allow_url_fopen = Off
allow_url_include = Off

Save and close the file. Restart or reload the Apache web-server
# service httpd restart
OR
# service httpd reload
If you are using Nginx, restart the nginx web-server, type:
# nginx -s reload
If you are using Lighttpd, restart the lighttpd web-server, type:
# /etc/init.d/lighttpd restart

See also

See hardening and securing PHP article – twenty-five php security best practices for sysadmins for configuring PHP securely.

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

20/08/2019

Start your Bitcoin Exchange with our Software

Start your Bitcoin Exchange with our Software Setup your white label bitcoin exchange right away. Or create your own cryptocurrency using...
14/08/2019

How to KVM, QEMU start or stop virtual machine from command line (CLI)

KVM or Kernel Based Virtual Machine is a popular virtualization technology. It allows you to run virtual guest machines over a host machine. To start...
14/08/2019

How to Docker backup Saving and restoring your volumes

Running a Docker volume backup First, we spin up a temporary container, and we mount the backup folder and the target Docker volume to this container....