← Back to Baseline

MB-R091

No executable code in media or upload paths

C01 File & Folder Permissions Critical

Public upload and media directories must not contain executable PHP, PHTML, or server-side scripts. Attackers frequently abuse upload flaws to plant web shells, which can lead to payment-page skimming or full store compromise. Enforce web server execution blocking and scan writable public paths for suspicious executable artifacts.

Why it Matters

Magento media and upload paths are often writable by the application and publicly reachable. If PHP, PHTML, or other executable server-side files can run from these directories, an upload flaw can become remote code execution.

Blocking execution in writable public paths reduces the chance that an attacker can plant a web shell and use it to modify checkout, steal secrets, or skim payment pages.

Verification Steps

File scan

find pub/media var -type f \( -iname "*.php" -o -iname "*.phtml" -o -iname "*.phar" \) 2>/dev/null

Web server config check

# Nginx/Apache should deny PHP execution in pub/media and upload directories

Remediation / Fix Guidance

  1. Remove executable files from media and upload directories after confirming they are not legitimate.
  2. Configure the web server to deny PHP/PHTML execution in writable public paths.
  3. Validate upload handlers with extension allowlists and MIME checks.
  4. Store risky uploads outside webroot where possible.
  5. Monitor writable paths for new executable files.

Examples

Fail Example
pub/media/catalog/tmp/shell.php
# PHP file present in public upload path → FAIL
Pass Example
location ~* ^/media/.*\.php$ { deny all; }
# Execution blocked → PASS

References