The title sounds a bit grand, but when you look at it carefully these are, in fact, mostly configuration issues.
If someone wants to attack a server, they will scan for a machine with a vulnerability that lets them upload a malicious script file; uploading the script is the first step.
Once a malicious PHP script has been uploaded to the server (its suffix may be php, or it may be disguised with jpg or some other suffix),
if that script can be parsed and executed, the attacker can do whatever they want.
To avoid this problem at the source, you can start from the following aspects:
Before the upload, determine whether the file is a PHP script; if it is, do not allow the upload (this includes disguised suffixes).
After the upload, store attachment files on a separate server that only serves static content; that machine never executes scripts, so there is no problem.
The first point has to be guaranteed by the application code. At its simplest this means checking the file suffix; a more thorough check determines the actual file type. More elaborate methods can be found online.
The second approach may be hindered by limited resources, so it is not easy to do. What if there is only one machine?
In fact, this can also be avoided through configuration.
Forbid nginx from parsing PHP files under the upload directory (the regex was garbled in the original; the block body is added so the rule actually does something):

    location ~ ^/upload/.*\.(php|php5)($|/) {
        # Requests for /upload/anything.php or /upload/anything.php/... are refused
        # here instead of being handed to FastCGI.
        deny all;
    }
Prevent execution of scripts disguised with another suffix.
For example: the attacker uploads a disguised file by some means, so that under upload/ there is a PHP script disguised as an image, a.jpg.
Then, when accessing http://www.nginx.cn/upload/a.jpg/b.php,
if no special settings are made, the SCRIPT_FILENAME passed to the CGI for execution is $root/upload/a.jpg/b.php
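To show how the two configuration measures above fit together in one server block, here is an added example (it is not configuration from nginx.cn or from the original post; the server name, web root and php-fpm socket path are assumptions). The important caveat it demonstrates is ordering: nginx tries regex locations in the order they appear and uses the first match, so the deny rule for the upload directory must come before the generic PHP handler. The `try_files $uri =404;` line in the PHP handler is what stops the a.jpg/b.php case: the requested URI is not an existing file, so nginx answers 404 rather than passing $root/upload/a.jpg/b.php on to FastCGI.

```nginx
# Added example; not part of the original post. Names and paths are assumed.
server {
    listen 80;
    server_name example.com;          # placeholder host name
    root /var/www/html;               # assumed web root ($root in the text above)

    # 1. Deny PHP under /upload/. Regex locations are matched in order of
    #    appearance, so this MUST precede the generic \.php$ handler below,
    #    or /upload/x.php would still reach FastCGI.
    location ~ ^/upload/.*\.(php|php5)($|/) {
        deny all;
    }

    # 2. Everything else under /upload/ is served as a static file.
    #    No fastcgi_pass here, so bytes are sent as-is, never executed.
    location /upload/ {
        try_files $uri =404;
    }

    # 3. Generic PHP handler for the rest of the site.
    location ~ \.php$ {
        # Refuse the request unless the script file itself exists.
        # For /upload/a.jpg/b.php, $uri is "/upload/a.jpg/b.php", which is
        # not a file, so the result is 404 instead of executing a.jpg.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed php-fpm socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Check the result with `nginx -t` after editing, then request a disguised path such as `/upload/a.jpg/b.php` and confirm the response is 403 or 404 rather than PHP output. Setting `cgi.fix_pathinfo=0` in php.ini is a complementary, PHP-side measure for the same path-info behaviour, but the nginx rules above do not depend on it.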