
Scan uploads folder #9

Open
swissspidy opened this issue Sep 7, 2015 · 0 comments

Comments

@swissspidy
Contributor

With the Gravity Forms vulnerability earlier this year, we were made aware once more that malware can also be uploaded to wp-content/uploads, mostly as .php or .php.bak files.

If it's easily doable, we should detect such files too and perhaps even disable PHP parsing using .htaccess, like GF nowadays does:

# Disable parsing of PHP for some server configurations. This file may be removed or modified on certain server configurations by using the gform_upload_root_htaccess_rules filter. Please consult your system administrator before removing this file.
<Files *>
  SetHandler none
  SetHandler default-handler
  Options -ExecCGI
  RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

At least we should recommend doing that.
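An added illustration of the detection half of this proposal (example code, not the project's own): a Python scanner that walks an uploads tree, flags any file whose suffix chain contains an extension from the RemoveHandler list quoted above (so `backup.php.bak` is reported alongside `shell.php`), and checks whether the folder's `.htaccess` already carries a directive that switches PHP off. The sample directory tree, its file contents and the helper names are constructed for this example; the `.htaccess` body is the one from the issue text.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example, not the plugin's own code. Suffixes Apache may hand to a PHP/CGI
# handler; the set mirrors the RemoveHandler line of the .htaccess quoted above.
EXECUTABLE_SUFFIXES = {
    ".cgi", ".php", ".php3", ".php4", ".php5", ".phtml",
    ".pl", ".py", ".pyc", ".pyo",
}

# Directives whose presence shows the uploads root already disables PHP execution.
PROTECTIVE_DIRECTIVES = (
    re.compile(r"^\s*php_flag\s+engine\s+off\b", re.I | re.M),
    re.compile(r"^\s*RemoveHandler\b.*\.php\b", re.I | re.M),
)

# .htaccess body copied from the issue text above (comment line omitted).
SAMPLE_HTACCESS = """\
<Files *>
  SetHandler none
  SetHandler default-handler
  Options -ExecCGI
  RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
"""


def suspicious_suffixes(filename: str) -> list[str]:
    """Executable suffixes found anywhere in the name's suffix chain.

    Checking the whole chain rather than only the last suffix is what catches
    'shell.php.bak': Apache's AddHandler matching applies to every suffix, so
    such a file may still be executed as PHP on an unprotected host.
    """
    return [s for s in Path(filename).suffixes if s.lower() in EXECUTABLE_SUFFIXES]


def scan_uploads(root: str) -> list[dict]:
    """Walk the uploads tree and report every file carrying an executable suffix."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hits = suspicious_suffixes(name)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append({"path": rel.replace(os.sep, "/"), "suffixes": hits})
    return sorted(findings, key=lambda f: f["path"])


def htaccess_disables_php(root: str) -> bool:
    """True if <root>/.htaccess carries a directive that switches PHP off."""
    htaccess = Path(root) / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(encoding="utf-8", errors="replace")
    return any(p.search(text) for p in PROTECTIVE_DIRECTIVES)


def build_sample_uploads(with_htaccess: bool = True) -> str:
    """Create a throwaway uploads tree of constructed, harmless sample files."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    samples = {
        "2015/09/photo.jpg": b"\xff\xd8\xff",                         # benign image stub
        "2015/09/notes.txt": b"constructed text file",                 # benign
        "2015/09/shell.php": b"<?php echo 'constructed sample'; ?>",   # flagged
        "2015/09/backup.php.bak": b"<?php echo 'renamed copy'; ?>",    # still flagged
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    if with_htaccess:
        (Path(root) / ".htaccess").write_text(SAMPLE_HTACCESS, encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_uploads()
    for finding in scan_uploads(root):
        print(f"suspicious: {finding['path']} ({', '.join(finding['suffixes'])})")
    print("PHP disabled via .htaccess:", htaccess_disables_php(root))
```

Run against a real site by passing `wp-content/uploads` to `scan_uploads()` and `htaccess_disables_php()` instead of the constructed tree; a finding is only a reason to inspect the file, since a legitimately uploaded `.py` attachment trips the same rule, and the `.htaccess` check is a negative result (no directive found) rather than proof that PHP is enabled on hosts that ignore `.htaccess`.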

@swissspidy swissspidy modified the milestone: 1.5.0 Jul 12, 2016
@stklcode stklcode modified the milestones: 1.5.0, 1.6.0 May 28, 2021
@Zodiac1978 Zodiac1978 removed this from the 1.6.0 milestone Nov 3, 2023