
I use a .htaccess file in my images directory to block scripts from running. I exclude .php, .cgi and so on. But some malware is disguised by naming it with an image extension. I did not previously add various image extensions, fearing it could prevent images from displaying on site pages.

  1. Would adding image extensions prevent any malware with an image extension from being executed?

  2. Would adding extensions to the .htaccess impact the normal loading of an image as an asset into content pages?

  3. Could I place a limit in the /root .htaccess file to prevent running anything with image extensions as a script, to protect the entire site from this kind of exploit without causing issues with proper display of images? (Obviously not including any actual scripts that are required to run.)

Example:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

## No directory listings
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
schroeder
paulkruger
  • I would suggest that any attempt here can be easily foiled by malware. You're going to be better off trying to keep malware off your server than to try to prevent it being displayed to users if it gets on there. – bk2204 Jan 01 '21 at 20:28
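
An added example, not part of the original question or of any project's code: a Python audit for the case the question describes, files in an images directory whose image extension does not match their content. The magic-byte table, the marker list, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Leading magic bytes of the image types an images directory should hold.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Markers that should never appear inside a static image (matched lower-cased).
SCRIPT_MARKERS = (b"<?php", b"<script")
IGNORED = {".htaccess"}  # the directory's own access-control file

def audit_file(path):
    """Return the findings for one file; an empty list means nothing flagged."""
    ext = Path(path).suffix.lower()
    if ext not in MAGIC:
        return ["unexpected extension " + (ext or "(none)")]
    data = Path(path).read_bytes()
    findings = []
    if not data.startswith(MAGIC[ext]):
        findings.append("content is not " + ext)
    findings += ["contains " + m.decode() for m in SCRIPT_MARKERS if m in data.lower()]
    return findings

def audit_tree(root):
    """Walk root and map relative path -> findings for every flagged file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f not in IGNORED):
            full = os.path.join(dirpath, name)
            if found := audit_file(full):
                report[os.path.relpath(full, root)] = found
    return report

def demo():
    """Audit a constructed images directory (all sample bytes are made up)."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "banner.gif": b"<?php /* constructed placeholder */ ?>",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php ?>",
        "notes.php": b"plain text",
        ".htaccess": b"Options -ExecCGI\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return audit_tree(root)
```

An empty report only means each extension matches its header and neither marker was found; it says nothing about how the web server's handlers treat those files.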

0 Answers