wildzero

Possible exploit - folder 777

Hi =)

I have a script that loads files from a templates folder which I have set to 777 as you can modify the templates with the script. However my host has said that being 777 it gets open to exploits....
what do you do?
ravenpl

> what do you do?
save templates into database
ask your host to improve PHP security (like suPHP)
siliconbrit

The directory permissions are too wide for your requirement.  

For example, you are using "7" which is READ + WRITE + EXECUTE FOR ALL.  You don't need any of your scripts to have EXECUTE permissions on the directory.  If they *do* require EXECUTE, then the scripts need to be changed so that they don't need to 'cd' into that directory.  You should be able to start with a minimum of 766 which means:

   OWNER: READ + WRITE + EXECUTE
   GROUP: READ + WRITE
   WORLD: READ + WRITE

You should also put a "htaccess" file in the directory so that anybody who attempts to use the directory as a URL and read ALL your templates will be offered a username/password dialog, and be refused access.

You should take a good look at your scripts and the architecture you have and try to find the best code and minimum permissions required to make your application work.  One good method is to change the owner of the directory and the templates to be the same as the web server process, and lock the permissions down to 700 for the directory and 400 for the files.  This would be my preferred approach, but it depends on the configuration/setup of your host server.

wildzero

ASKER

Ah some good tips there - points upped as they will be split at the end of this.

>> If they *do* require EXECUTE, then the scripts need to be changed so that they don't need to 'cd' into that directory.  You should be able to start with a minimum of 766 which means

Normally the templates are located in another folder, ie templates/ so I guess the script would need to cd into that directory.

>> You should also put a "htaccess" file in the directory so that anybody who attempts to use the directory as a URL and read ALL your templates will be offered a username/password dialog, and be refused access.

Excellent suggestion, never thought of that. As the script is just called via fileserver (ie, fileopen('templates/somthing.html')), that's not handled by Apache and so ignores the htaccess; however, any user trying to access the folder would be denied.

>>save templates into database
I can see how that would be ok if it was just for myself, however if I was giving the script away - sure the users could do it but it's another step for them to do (setting up a db) whereas just providing template files is 10% easier.

>>ask your host to improve PHP security (like suPHP)
As above...

Thanks for the comments guys, points upped.


1) The script does not need to 'cd' into the directory, you only need to refer to the files with the directory in the path, for example:

      templates/001.tpl

   When you do this, your script does not need EXECUTE permissions.


2) If you are giving the script away, you can provide an installation script that is run through the browser.  That script would create the templates directory, and explode some zipfile of templates into the folder.  The advantage of this is that the directory and the files are created by the web server user, so they are accessible by the runtime php environment, *and* the directory and files can be permissioned as 755 & 644 respectively.  This is a common approach.  Note that you can create an htaccess file during this process with the user prompted for the user/pass that they want to protect the folder with - this is a double layer of protection.
   

Oh, and this is a typical problem, and not a sign of weak host security.  If your server is configured with very tight security permissions that do not allow you to have a directory that is 777, then some applications/frameworks will not work on your system.  There is no reason why 777 should *never* be used, although it should be used only in well managed circumstances.
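
The installer step described in point 2 above, as an added example that is not part of the original post or of any project mentioned here. The function name `install_templates` and the sample archive are hypothetical; the example writes a deny-all `.htaccess` (Apache 2.4 syntax assumed) instead of prompting for a user/pass, since the script reads templates from disk, and it only accepts flat `.tpl`/`.html` entry names so that an archive cannot write outside the templates folder.

```php
<?php
// Added example: browser-run installer step. All names here (install_templates,
// the sample archive and its entries) are hypothetical.

function install_templates(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    // Created by the web server user, so no world-writable bit is needed.
    if (!is_dir($destDir) && !mkdir($destDir, 0755, true)) {
        throw new RuntimeException("cannot create $destDir");
    }
    chmod($destDir, 0755); // mkdir() mode is reduced by umask; set it explicitly
    $installed = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Accept only flat template names: rejects "../x", absolute paths,
        // sub-directories and executable extensions such as .php.
        if (!preg_match('/\A[A-Za-z0-9_-]+\.(tpl|html)\z/', $name)) {
            continue;
        }
        $target = $destDir . '/' . $name;
        if (file_put_contents($target, $zip->getFromIndex($i)) === false) {
            throw new RuntimeException("cannot write $target");
        }
        chmod($target, 0644);
        $installed[] = $name;
    }
    $zip->close();
    // Apache 2.4 syntax; 2.2 uses "Order deny,allow" / "Deny from all".
    file_put_contents($destDir . '/.htaccess', "Require all denied\n");
    chmod($destDir . '/.htaccess', 0644);
    return $installed;
}

// Constructed sample archive: two templates plus two entries that must be skipped.
$work = sys_get_temp_dir() . '/tpl_demo_' . uniqid();
mkdir($work, 0700);
$sample = new ZipArchive();
$sample->open("$work/templates.zip", ZipArchive::CREATE);
$sample->addFromString('001.tpl', '<h1>{title}</h1>');
$sample->addFromString('page.html', '<p>{body}</p>');
$sample->addFromString('../evil.php', '<?php /* traversal attempt */');
$sample->addFromString('shell.php', '<?php /* wrong type */');
$sample->close();

print_r(install_templates("$work/templates.zip", "$work/templates"));
```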

SOLUTION
davebytes
This solution is only available to members.
ASKER CERTIFIED SOLUTION
SOLUTION
SOLUTION
interesting point on file_get_contents.  I've never made much use of it as I was 'brought up' on fopen, and file_get_contents only appeared in PHP 4.3.x... and obv hosts don't upgrade things like PHP that quickly. ;)

it's not actually clear in any of the docs whether the memory mapping is done at the fopen level or whether file_get_contents is doing something special (maybe setting a low-level flag, THEN calling through to fopen, then resetting flag...).  I'll have to go mod my various code, see if it makes a difference.  Obviously makes things cleaner!  But for a classical programmer, I'm so used to fopen-style coding -- since I open the file rw, read it, do some stuff, write it, close it.  I don't know if that's slower than file_get_contents, modify, file_put_contents... hmm.

Good thoughts here!

-d
(oh, and I just realized file_get_contents arguably is only useful for raw string data, and not binaries... and _put is only in PHP5... ah well... )
Lots of good opinions here.
Sounds like making the templates folder via the script, unzipping the templates to that directory along with htaccess and an index.php would be the best solution.

So my next question (maybe I should put in another question)
What's the best way to
* Give the user a zip file ie templates.zip
* Run some php which unzips the templates.zip and puts them into a templates folder.

Anyone have an article on that?
Points upped
SOLUTION
davebytes  - yes that is how I usually do it as well, but looks like there are more secure ways of doing it...
SOLUTION
Points upped again,

Thanks for that siliconbrit - it does seem that having the zips is easier and it also helps with the file permissions it seems.

Any more comments?
having zip files doesn't help with file permissions in the slightest...

I guess I've worked on so much stuff that needed some hand tweaking, I've never looked at Joomla -- I'll have to see what they do.  It's been discussed in WordPress circles that zipfiles might be handy for distribution of extra modules, and I've seen some other CMS products that do things that way, but seems few and far between.  Not sure if that's just a mindset issue, historical problems with unzipping, historical problems with permissions running as apache, etc.

From my 'other life', I've been using 'packed' files for distribution for well over a decade.  My old game engine used a packed but not compressed format, and certainly quake/et.al. have used pak/zip formats for content for many years... so it's far from alien, just not 'used' to it in my web development world. ;)

-d
SOLUTION
=) awesome info guys
points upped one final time