I saw some people using this code in the “.htaccess” file to disable script execution:
<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi|\.spc|\.jsp|\.cfm|\.passwd)$">
order deny,allow
deny from all
</Files>This code is not secure, and can be bypassed by uploading a “testpage.PhP” file as an example.
This code has a case sensitive regular expression.
Note: <FilesMatch> is similar to <Files> with this problem
One solution:
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGIUseful links:
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
http://blog.differentpixel.com/archives/198-Lots-of-.htaccess-tips,-tricks-and-hacks.html
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/