A rock-solid solution is to separate htdocs (the folder that is accessible via
the web) from the code folder (the one with the scripts).
I do not know how that could be done with PHP (I believe you can serve
static files with nginx and run PHP as FPM connected to nginx via
FastCGI), but in the Python world we have a separate process (uwsgi or gunicorn)
that is connected to nginx and runs under a different user.
All user files are uploaded to the folder accessible by nginx, far away
from the folder with the Python scripts.
Even if you upload a .py file, nginx will serve it as a static plain-text
file.

On Tue, Oct 20, 2020 at 1:27 AM Demi M. Obenour <demioben...@gmail.com>
wrote:

> On 10/19/20 3:29 PM, Jaroslaw Rafa wrote:
> > On 19.10.2020 at 21:12:20 John Fawcett wrote:
> >> Sorry not to be able to give a definitive answer. Typical mail injection
> >> via php will use a script that already calls the php mail function or
> >> similar functions that open the smtp connection. But there are other
> >> attack vectors that are possible that allow hackers to gain the
> >> privileges of the web server user.
> >
> > Very often hackers abuse web pages that allow users to upload files to the
> > web server. If the input is not correctly sanitized, it may be possible to
> > upload an arbitrary php script and get it executed.
> >
> > There were multiple attacks based on this scenario.
>
> Can this be mitigated by denying the PHP user write permission on
> any directory where PHP files will be executed?
>
> Demi
>
>
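The separation described at the top of this message, sketched as an nginx configuration. This is an added example, not from the thread; the paths, socket locations and server name are assumptions. The point is that the upload tree is reached only through a prefix location that never hands files to an interpreter, while the interpreter (PHP-FPM here, uwsgi works the same way) is rooted in a directory that nothing on the web can write to.

```nginx
# Added example; paths, sockets and server_name are assumptions.
server {
    listen 80;
    server_name example.test;

    # Application code lives here. The web server never needs write access
    # to this tree, and uploads never land in it.
    root /srv/app/public;
    index index.php;

    # User uploads: static files only. The ^~ modifier stops nginx from
    # falling through to the regex .php location below, so /uploads/x.php is
    # served as bytes, not executed. This is the classic misconfiguration to
    # avoid: a plain "location /uploads/" would lose to "location ~ \.php$".
    location ^~ /uploads/ {
        alias /srv/uploads/;
        # Allowlist of content types; anything else (including .php or .py)
        # is an opaque download rather than a script or inline HTML.
        types {
            image/png       png;
            image/jpeg      jpg jpeg;
            application/pdf pdf;
        }
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;
    }

    # PHP is executed only from the code root, by the FPM process, which runs
    # as its own user with its own permissions on /srv/app.
    location ~ \.php$ {
        try_files $uri =404;          # no path-info tricks like /a.php/b.png
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

A quick check after deploying: drop a file named `test.php` into /srv/uploads and confirm that fetching /uploads/test.php returns its raw contents with `Content-Type: application/octet-stream` rather than executing it.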
