PHP is a widely used and often misconfigured server-side scripting language. If you or one of your web-app written in PHP are not using file uploads then you can turn it off by editing the php.ini file. Crackers (or attackers) will try to upload malicious script into your web apps for spam, fraud and other malicious activities.
Step #1: Find php.ini
To find the php.ini path, enter:
php -i | grep --color 'php.ini'
On my CentOS based system php.ini is located in /etc/ directory.
Step #2: Edit /etc/php.ini
Edit the file /etc/php.ini, type:
# vi /etc/php.ini
Make the following changes to /etc/php.ini:
# Disallow uploading altogether this makes moving or injecting bad scripts/code onto your web server more difficult file_uploads = Off # Disallow treatment of file requests as fopen calls allow_url_fopen = Off allow_url_include = Off
Save and close the file. Restart or reload the Apache web-server
# service httpd restart
# service httpd reload
If you are using Nginx, restart the nginx web-server, type:
# nginx -s reload
If you are using Lighttpd, restart the lighttpd web-server, type:
# /etc/init.d/lighttpd restart
See hardening and securing PHP article – twenty-five php security best practices for sysadmins for configuring PHP securely.