Default MIME type setting in Apache creates security problem

jackc

Seems the default setting in Apache is not safe:
Code:
    <IfModule mod_php4.c>
        AddType application/x-httpd-php .inc .php .php4 .php3 .phtml
        AddType application/x-httpd-php-source .phps
    </IfModule>
    <IfModule mod_php3.c>
        AddType application/x-httpd-php3 .php3
        AddType application/x-httpd-php3-source .phps
    </IfModule>
    <IfModule mod_php.c>
        AddType application/x-httpd-php .phtml
    </IfModule>

which will run a.php.mht as PHP. Hackers can find a way to upload a non-PHP file, for example through buggy forum software, and gain control of the hosting account.

Changing the setting to something like this can solve the problem.
Code:
    <IfModule mod_php4.c>
        # phps is listed so the .phps source mapping below can still apply
        <FilesMatch "\.(php|inc|php4|php3|phtml|phps)$">
        AddType application/x-httpd-php .inc .php .php4 .php3 .phtml
        AddType application/x-httpd-php-source .phps
        </FilesMatch>
    </IfModule>
    <IfModule mod_php3.c>
        # phps is listed so the .phps source mapping below can still apply
        <FilesMatch "\.(php3|phps)$">
        AddType application/x-httpd-php3 .php3
        AddType application/x-httpd-php3-source .phps
        </FilesMatch>
    </IfModule>
    <IfModule mod_php.c>
        <FilesMatch "\.(phtml)$">
        AddType application/x-httpd-php .phtml
        </FilesMatch>
    </IfModule>

What do you guys think? Is this enough, or is there a better way?
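An added example, not part of the original post: a Python audit that walks a directory (for instance a forum's upload folder) and lists names such as a.php.mht, where one of the extensions from the AddType lines above sits before the final extension. The function names, the `ANCHORED` pattern and the sample names are constructed for illustration.

```python
import os
import re

# Extensions the post's AddType lines hand to the PHP interpreter.
PHP_EXTS = {"inc", "php", "php4", "php3", "phtml"}

# End-anchored pattern in the style of the post's FilesMatch fix,
# built from the same executable extensions (an assumption of this example).
ANCHORED = re.compile(r"\.(" + "|".join(sorted(PHP_EXTS)) + r")$")

def classify(name):
    """Return 'final', 'embedded' or 'none' for a single file name."""
    # Everything after the first dot is an extension candidate.
    exts = [e.lower() for e in name.split(".")[1:]]
    if exts and exts[-1] in PHP_EXTS:
        return "final"      # ordinary script, e.g. index.php
    if any(e in PHP_EXTS for e in exts):
        return "embedded"   # e.g. a.php.mht, the case from the post
    return "none"

def audit(root):
    """List paths under root whose names carry a PHP extension mid-name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files
                 if classify(f) == "embedded"]
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample names, not taken from a real server.
    for n in ["index.php", "a.php.mht", "avatar.php.jpg", "lib.inc", "notes.txt"]:
        print(f"{n:16} {classify(n):9} anchored_match={bool(ANCHORED.search(n))}")
```

The audit flags the name pattern only; whether a flagged file would actually be executed depends on the server's MIME configuration.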
 