We have all been in the situation where certain folders require full read/write access by the web server. Unfortunately, if the script using the world-writable folder is insecure, it may allow external users to upload malicious content into folders set to CHMOD 777. This issue can usually be mitigated by running Apache with suPHP, which runs each PHP process under the user executing the file, but in some instances suPHP is not an option.
The following lines can be added to the .htaccess file in the folder that requires 777 (rwxrwxrwx). Note that the example below blocks direct HTTP access (GET/POST) to the listed file types in that folder, but it does not stop a script from reading or parsing those files through "include"-style functions:
# Disable directory listings for the world-writable folder.
Options All -Indexes
# Deny direct HTTP requests for script and text files dropped here. The
# pattern is a regular expression, not a shell glob: "*" means zero or more
# of the preceding character ("htm*" never matches .html), so optional
# letters are written "html?". Apache needs straight quotes, not curly ones.
<FilesMatch "\.(php|cgi|c|txt|s?p?html?|pl|exe)$">
    # Apache 2.2 access control; on 2.4 use "Require all denied" instead.
    Order Deny,Allow
    Deny from all
</FilesMatch>
# Reject HTTP PUT and DELETE requests against this folder.
<Limit PUT DELETE>
    Order Deny,Allow
    Deny from all
</Limit>
The example above blocks HTTP requests for files with the following extensions: .php, .cgi, .c, .txt, .phtml, .shtml, .html, .htm, .pl and .exe.
The <Limit PUT DELETE> block prevents HTTP PUT (upload) and DELETE requests against the virtual folder.
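As an added check (not from the original post), the Python script below runs a FilesMatch pattern the way Apache does over constructed filenames, showing why the pattern must be written as a regular expression rather than a shell glob, and how a case-insensitive variant closes the remaining gap; the three patterns and the sample names are assumptions made for this example.

```python
import re

# Three candidate <FilesMatch> patterns (all constructed for this example).
# GLOB_STYLE treats "*" as a shell wildcard, which PCRE does not: in a regex
# "htm*" means "ht" followed by zero or more "m", so .html is never matched.
GLOB_STYLE = r"\.(php*|cgi|c|txt|s?p?htm*|pl|exe)$"
# REGEX_FORM spells out the optional characters that were intended.
REGEX_FORM = r"\.(php|cgi|c|txt|s?p?html?|pl|exe)$"
# HARDENED adds (?i): AddHandler/AddType map extensions case-insensitively,
# so a case-sensitive deny-list leaves .PHP reachable while Apache still
# hands it to the PHP handler.
HARDENED = r"(?i)\.(php|cgi|c|txt|s?p?html?|pl|exe)$"


def is_blocked(filename: str, pattern: str) -> bool:
    """Return True if <FilesMatch pattern> would deny a request for filename.

    Apache applies the regex to the file's basename with an unanchored
    search, which re.search reproduces.
    """
    basename = filename.rsplit("/", 1)[-1]
    return re.search(pattern, basename) is not None


def uncovered(filenames, pattern):
    """Return the names that the deny-list pattern fails to match."""
    return [name for name in filenames if not is_blocked(name, pattern)]


# Constructed sample of names an upload handler might write to the folder.
SAMPLE_NAMES = [
    "avatar.jpg",   # legitimate upload, must stay reachable
    "notes.txt",
    "index.php",
    "page.html",
    "view.phtml",
    "ssi.shtml",
    "upper.PHP",
]

if __name__ == "__main__":
    for label, pattern in (("glob-style", GLOB_STYLE),
                           ("regex form", REGEX_FORM),
                           ("hardened", HARDENED)):
        print(f"{label:11}: not blocked -> {uncovered(SAMPLE_NAMES, pattern)}")
```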