Prevent use of PHP include with image files

I recently had a WordPress site that contained malware code saved as a PNG file, which was pulled into my template file via @include_once('images/sidebar2.png'); and then interpreted as PHP.

I’ve been trying (unsuccessfully) to figure out a way to prevent this activity. I can block PHP execution in a folder, but that doesn’t help this scenario. I can also force the MIME type, but that also doesn’t do it.

Is it possible to restrict PHP includes to .php files only? Any other ideas?

1 comment

  1. Just a shot from the hip: replace all your include_once references in your template with include_once_secure and

    // Only include files whose extension is .php; anything else is refused.
    function include_once_secure($fileName) {
        if (strtolower(pathinfo($fileName, PATHINFO_EXTENSION)) == 'php') {
            return include_once($fileName);
        } else {
            // here you could throw an error or exception
            throw new RuntimeException("refusing to include non-PHP file: $fileName");
        }
    }
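The wrapper above only checks the extension, and it only helps while the attacker cannot edit the template: whoever added the `@include_once('images/sidebar2.png')` line could just as easily have bypassed a wrapper. The example below is added here and is not from the original post or the commenter. It does two things: a stricter `include_once_secure` that also pins the resolved path inside an allow-listed directory (which rejects `..` escapes, symlinks out of the theme and stream wrappers such as `php://`), and a small scanner that finds include/require statements in theme source whose target is not a `.php` file, which is how the incident in the question would be located across a whole theme. The directory layout, file names and the sample template are constructed for the example.

```php
<?php
// Added example, not code from the original post. All paths, the temp
// directory and the sample template below are constructed assumptions.
declare(strict_types=1);

/**
 * Include $relative only if it resolves to a real .php file under $baseDir.
 * realpath() returns false for missing files and for stream wrappers
 * (php://, data://, http://), so those are refused before any containment test.
 */
function include_once_secure(string $relative, string $baseDir)
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false) {
        throw new RuntimeException("include refused, path does not resolve: $relative");
    }
    // Containment: the resolved path must start with the resolved base plus a separator.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include refused, outside $baseDir: $relative");
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        throw new RuntimeException("include refused, not a .php file: $relative");
    }
    return include_once $path;
}

/**
 * Scan PHP source text for include/require(_once) statements and return
 * [lineNumber => description] for the ones worth a look. Heuristic: if the
 * argument ends in a quoted literal, judge that literal's extension (so
 * get_template_directory() . '/inc/x.php' passes); anything without a
 * literal tail is reported as dynamic because it cannot be judged statically.
 */
function find_suspicious_includes(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (!preg_match('/\b(?:include|require)(?:_once)?\s*\(?\s*([^;]+)/', $line, $m)) {
            continue;
        }
        $arg = trim($m[1], " \t)");
        if (preg_match('/([\'"])([^\'"]*)\1$/', $arg, $q)) {
            if (strtolower(pathinfo($q[2], PATHINFO_EXTENSION)) === 'php') {
                continue; // ordinary include of a .php file
            }
            $hits[$i + 1] = 'non-PHP target: ' . $q[2];
        } else {
            $hits[$i + 1] = 'dynamic target: ' . $arg;
        }
    }
    return $hits;
}

// Constructed sample template: one benign include of each common shape plus
// the malicious line from the question.
$sampleTemplate = <<<'TPL'
<?php
get_header();
@include_once('images/sidebar2.png');
include_once(get_template_directory() . '/inc/helpers.php');
require_once 'inc/widgets.php';
include $dynamic_path;
TPL;

foreach (find_suspicious_includes($sampleTemplate) as $lineNo => $what) {
    printf("template line %d: %s\n", $lineNo, $what);
}

// Demonstrate the wrapper against a throwaway directory (assumed layout).
$dir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/images', 0700, true);
file_put_contents($dir . '/safe.php', "<?php return 'safe';");
file_put_contents($dir . '/images/sidebar2.png', "<?php return 'payload';");

var_dump(include_once_secure('safe.php', $dir));
foreach (['images/sidebar2.png', '../../etc/passwd', 'php://filter/resource=safe.php'] as $bad) {
    try {
        include_once_secure($bad, $dir);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run it against a real theme by feeding each file's contents to `find_suspicious_includes`; treat every "non-PHP target" hit as an indicator of compromise and review "dynamic target" hits by hand. The scanner is a triage aid, not a guarantee: an attacker can also write PHP into a file with a `.php` name, so file-integrity monitoring of the theme directory and preventing writes to it in the first place remain the primary controls.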