
Someone contacted me after their Linux, Apache2, MySQL, PHP website experienced a phishing attack. I logged onto their server, added a firewall, deleted all phishing files, and I set file_uploads = Off in the /etc/php/8.1/apache2/php.ini file.

The website has a lot of pages that allow you to upload files. Is there a way for me to allow users from just one or two specific IP addresses to still use these pages to upload content? I read that I can’t use if(<valid ip address>) ini_set('file_uploads', 'On'); in the latest versions of PHP. Are there other approaches for me to consider?


Background

From what I can tell, the reason their site got attacked was because they have a lot of HTML forms that allow you to upload attachments. There is no form validation or content sanitization at all. This explains why I saw files like danger.zip and unzip.php on the server, whereby danger.zip contains a bunch of viruses and phishing material and unzip.php is a webpage that performs the operation unzip(danger.zip);.

2 Answers


  1. Chosen as BEST ANSWER

    OK, this is my current solution. I'm not going to press Accept on my own answer until enough people tell me ways to improve it. Or maybe someone can give a better answer.

    Assume the following:

    • 1.1.1.1 is the IP address of a Content Admin who wants to work with the CMS on the website
    • 2.2.2.2 is the IP address of the server hosting the website and the CMS.
    • https://my-application.com is the website the public sees. No one can upload files because file_uploads = Off in the /etc/php/8.1/apache2/php.ini file. This website is served out of the directory /var/www/my-application on the server with IP 2.2.2.2.
    • https://supersecretwebsite.com is a URL that a developer and the Content Admin have agreed upon to keep as a secret URL that no one should know about.

    Step 1 - On the server 2.2.2.2, I create a file called /etc/apache2/sites-available/supersecretwebsite.com.conf with the following contents:

    <VirtualHost *:443>
        ServerName supersecretwebsite.com
        # The production website is also hosted out of this DocumentRoot
        DocumentRoot /var/www/my-application
    
        # ... other options ...
    
        # Allow file uploads just for this vhost. php_admin_flag cannot be
        # overridden by .htaccess or ini_set(); it only takes effect with
        # mod_php (not with PHP-FPM, which reads its own pool config).
        php_admin_flag file_uploads On
        <Location />
            # Only the content admin's IP address can visit this vhost.
            # Apache 2.4 syntax; the 2.2-style Order/Deny/Allow directives
            # need mod_access_compat and should not be mixed with Require.
            Require ip 1.1.1.1
        </Location>
    </VirtualHost>
    

    Then I run the command a2ensite supersecretwebsite.com.conf && systemctl restart apache2.

    Step 2 - The Content Admin must go to his Windows laptop and open up the file C:\Windows\System32\drivers\etc\hosts and add the entry 2.2.2.2 supersecretwebsite.com.

    Step 3 - The Content Admin can upload files while visiting https://supersecretwebsite.com but not when visiting https://my-application.com


  2. I would use .htaccess or Apache’s main configuration files to restrict access to the upload pages based on IP address if you know

    <Files "upload.php">
        # Apache 2.4 syntax (the 2.2-style Order/Deny/Allow needs mod_access_compat).
        # In a .htaccess file this needs AllowOverride AuthConfig for the directory.
        # Placeholder addresses from the documentation ranges; substitute your own.
        # Several Require lines at the same level are OR'ed together.
        Require ip 203.0.113.10
        Require ip 198.51.100.20
    </Files>
    

    Also, you can update your header.php, or whichever file handles the upload, to check the client IP against the list of allowed IPs.

    // Placeholder addresses from the documentation ranges; substitute your own.
    $allowed_ips = ['203.0.113.10', '198.51.100.20'];
    // REMOTE_ADDR is taken from the TCP connection by Apache. Do not use
    // X-Forwarded-For here: any client can send that header.
    if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', $allowed_ips, true)) {
        http_response_code(403);
        exit("You are not allowed to upload files.");
    }
    
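Added example tying the two answers together; it is not code from the question or from either answer. Both answers gate uploads on the client address, and the Background says the forms do no validation at all. Note also that file_uploads = Off only stops new uploads: a PHP file already sitting in the DocumentRoot, like the unzip.php mentioned above, still executes until it is deleted. The handler below keeps the per-IP gate (with CIDR support, checked against REMOTE_ADDR rather than any client-supplied header), confirms that file_uploads is actually on for this vhost so a disabled setting fails loudly instead of silently leaving $_FILES empty, and validates the file before storing it under a random name outside the DocumentRoot. The paths /var/www/my-application/upload.php and /var/lib/my-application/uploads, the form field name attachment, and the documentation-range addresses 203.0.113.10 and 198.51.100.0/24 are assumptions made for the example.

```php
<?php
// Added example (not code from the question or either answer).
// Assumed locations: this file is /var/www/my-application/upload.php; files are
// stored in /var/lib/my-application/uploads, outside the DocumentRoot, so Apache
// can neither serve nor execute anything that lands there.
declare(strict_types=1);

// Allowed clients: single addresses or CIDR ranges (documentation ranges, assumed).
const ALLOWED_CLIENTS = ['203.0.113.10', '198.51.100.0/24'];
const UPLOAD_DIR      = '/var/lib/my-application/uploads';
const MAX_BYTES       = 5 * 1024 * 1024;
// Extension => MIME type the bytes must actually match. No .zip, no .php, no .phtml.
const ALLOWED_TYPES   = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// True when $ip (v4 or v6) is inside $cidr; $cidr may also be a plain address.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $ipBin = inet_pton($ip);
    if ($ipBin === false) {
        return false;                       // malformed or empty REMOTE_ADDR
    }
    if (!str_contains($cidr, '/')) {
        return $ipBin === inet_pton($cidr);
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $netBin = inet_pton($net);
    if ($netBin === false || strlen($netBin) !== strlen($ipBin) || !ctype_digit($bits)) {
        return false;                       // bad prefix, or IPv4 vs IPv6 mismatch
    }
    $bits = (int) $bits;
    if ($bits > strlen($ipBin) * 8) {
        return false;
    }
    $full = intdiv($bits, 8);
    $rem  = $bits % 8;
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;  // leading $rem bits of the partial byte
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function client_allowed(string $remoteAddr): bool
{
    foreach (ALLOWED_CLIENTS as $entry) {
        if (ip_in_cidr($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}

// Validates one entry of $_FILES and stores it; returns the stored path.
function handle_upload(array $file): string
{
    if (!ini_get('file_uploads')) {
        // With file_uploads=Off PHP discards uploads and $_FILES stays empty;
        // fail loudly rather than letting the form appear to work.
        throw new RuntimeException('file_uploads is disabled for this vhost');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Trust neither the client-supplied name nor the client-supplied type:
    // take the extension from the name, then verify the bytes match it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext is not allowed");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Random server-side name: the client's filename never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

// REMOTE_ADDR is set by Apache from the TCP connection; X-Forwarded-For is
// client-controlled and is deliberately not consulted.
if (!client_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Uploads are not permitted from your address.');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['attachment'])) {
    try {
        $stored = handle_upload($_FILES['attachment']);
        echo 'Stored as ' . htmlspecialchars(basename($stored), ENT_QUOTES);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

If the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address and the IP gate needs mod_remoteip with a trusted-proxy list; reading X-Forwarded-For in PHP instead would let any client choose its apparent address. Because the files live under /var/lib rather than the DocumentRoot, nothing uploaded can be requested or executed through Apache; a separate download script (not shown) would hand them back to authorised users.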