1

This is my virtual host configuration file

<VirtualHost *:80>
    ServerAdmin yo@my-domain.tld

    ServerName my-domain.tld
    ServerAlias www.my-domain.tld

    DocumentRoot /home/my-domain/public_html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /home/my-domain/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined 
</VirtualHost>

and I'd like to disable script execution in /home/my-domain/public_html/uploads folder using .htaccess; already tried with

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

then

AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi .js

then

<Files ^(*.jpeg|*.jpg|*.png|*.gif)>
order deny,allow
deny from all
</Files>

and every other directive I found around but none of them can prevent script execution.

apachectl -t -D DUMP_MODULES says that mime_module is enabled and loaded

php_flag engine off is the only directive stopping a php file from executing but what about other types; and why the other apache directives won't work. any idea... ?

hex494D49
  • 9,109
  • 3
  • 38
  • 47
  • 1
    Could be wrong here but I'll ask anyway: would changing your execute permissions on the directory not do the trick? – A.M. D. Nov 16 '12 at 11:04
  • It already has execute permission. Thanks anyway. – hex494D49 Nov 16 '12 at 16:34
  • I thought you wanted to disable script execution, wouldn't turning off script execution do exactly what you're trying to do in your .htaccess? Sorry if I'm missing something :-) – A.M. D. Nov 16 '12 at 16:38
  • I see your point but if the directory hasn't execute permission it won't be accessible by Apache at all. Just tried it. – hex494D49 Nov 16 '12 at 16:48
  • If you omit execution permission Apache will greet you with a 'Forbidden - 403' message :) and it won't be able to even read/write in that directory. In other words I need that directory to be writable but I'd like to prevent script execution in case someone uploads any malicious script/code. – hex494D49 Nov 16 '12 at 16:59

1 Answers1

2

set: AllowOverride None in all directory

Marcus Matos
  • 36
  • 1