Solved

Possible exploit - folder 777

Posted on 2006-03-27
Last Modified: 2010-07-27
Hi =)

I have a script that loads files from a templates folder which I have set to 777 as you can modify the templates with the script. However my host has said that being 777 it gets open to exploits....
what do you do?
Question by:wildzero
19 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16298645
> what do you do?
save templates into database
ask your host to improve php security (like suPHP)
0
 
LVL 11

Expert Comment

by:siliconbrit
ID: 16298961
The directory permissions are too wide for your requirement.  

For example, you are using "7" which is READ + WRITE + EXECUTE FOR ALL.  You don't need any of your scripts to have EXECUTE permissions on the directory.  If they *do* require EXECUTE, then the scripts need to be changed so that they don't need to 'cd' into that directory.  You should be able to start with a minimum of 766 which means:

   OWNER: READ + WRITE + EXECUTE
   GROUP: READ + WRITE
   WORLD: READ + WRITE

You should also put an "htaccess" file in the directory so that anybody who attempts to use the directory as a URL and read ALL your templates will be offered a username/password dialog, and be refused access.

You should take a good look at your scripts and the architecture you have and try to find the best code and minimum permissions required to make your application work.  One good method is to change the owner of the directory and the templates to be the same as the web server process, and lock the permissions down to 700 for the directory and 400 for the files.  This would be my preferred approach, but it depends on the configuration/setup of your host server.

0
 
LVL 10

Author Comment

by:wildzero
ID: 16299309
Ah some good tips there - points upped as they will be split at the end of this.

>> If they *do* require EXECUTE, then the scripts need to be changed so that they don't need to 'cd' into that directory. You should be able to start with a minimum of 766 which means

Normally the templates are located in another folder, i.e. templates/, so I guess the script would need to cd into that directory.

>> You should also put an "htaccess" file in the directory so that anybody who attempts to use the directory as a URL and read ALL your templates will be offered a username/password dialog, and be refused access.

Excellent suggestion, never thought of that. As the script just calls it via the filesystem (i.e., fileopen('templates/something.html')), that's not handled by Apache and therefore ignores the htaccess; however any user trying to access the folder would be denied.

>> save templates into database
I can see how that would be ok if it was just for myself, however if I was giving the script away - sure the users could do it but it's another step for them to do (setting up a db), whereas just providing template files is 10% easier.

>> ask your host to improve php security (like suPHP)
As above...

Thanks for the comments guys, points upped.

0

 
LVL 11

Expert Comment

by:siliconbrit
ID: 16299540

1) The script does not need to 'cd' into the directory, you only need to refer to the files with the directory in the path, for example:

      templates/001.tpl

   When you do this, your script does not need EXECUTE permissions.


2) If you are giving the script away, you can provide an installation script that is run through the browser.  That script would create the templates directory, and explode some zipfile of templates into the folder.  The advantage of this is that the directory and the files are created by the web server user, so they are accessible by the runtime php environment, *and* the directory and files can be permissioned as 755 & 644 respectively.  This is a common approach.  Note that you can create an htaccess file during this process with the user prompted for the user/pass that they want to protect the folder with - this is a double layer of protection.
   
0
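A template loader that refers to the files by path, as siliconbrit describes in point 1, written as an added example for this thread; it is not wildzero's script and not code from any of the posts. The names TEMPLATE_DIR and load_template() and the .tpl suffix are assumptions. It reads with file_get_contents() and never calls chdir(); the web server user only needs to be able to read the file and search the folder.

```php
<?php
// Added example (not code from the thread): load a template by name from the
// templates/ folder using a path, with no chdir(). TEMPLATE_DIR,
// load_template() and the .tpl suffix are names chosen for this example.

define('TEMPLATE_DIR', dirname(__FILE__) . '/templates');

/**
 * Return the contents of templates/<name>.tpl, or false if the name is not a
 * plain file name or the resolved file does not live inside TEMPLATE_DIR.
 */
function load_template($name)
{
    // Accept only a bare file name (letters, digits, underscore, hyphen).
    // This rejects "../", slashes and other path characters before any
    // filesystem call is made.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return false;
    }

    // realpath() returns false for a missing file and resolves symlinks, so
    // we can check that the final location is still inside the folder.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.tpl');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // Reading needs read permission on the file and search permission on
    // the folder for the web server user; no execute bit on the file and
    // no chdir() into the folder is required.
    return file_get_contents($path);
}

// Usage: echo load_template('header');   // reads templates/header.tpl
```

Because the name is validated first and the resolved path is compared against the folder's real path, a request for a template called `../config` is refused without ever touching the filesystem outside templates/.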
 
LVL 11

Expert Comment

by:siliconbrit
ID: 16299559

Oh, and this is a typical problem, and not a sign of weak host security.  If your server is configured with very tight security permissions that do not allow you to have a directory that is 777, then some applications/frameworks will not work on your system.  There is no reason why 777 should *never* be used, although it should be used only in well managed circumstances.

0
 
LVL 17

Assisted Solution

by:davebytes
davebytes earned 600 total points
ID: 16302021
>>>
Normally the templates are located in another folder, ie templates/ so I guess the script would need to cd into that directory.
<<<

There's no 'cd' in a PHP script.  You are either doing an include('templates/somefile.htm') when live-loading the content, or an fopen('templates/somefile.htm', 'rw') if opening for reading and writing (i.e., editing).

There are lots of permission issues across hosts.  You can attempt to change permissions from your script, but it won't always work -- so make sure your documentation instructs a user at a basic level what they might need to change.

755 for folders and 644 for files should be 'good enough' for properly-configured hosts -- those which run apache/php as YOUR user.  However, for a badly configured host, you might find you need 775/664 access as 'nobody' or 'apache' or some such user is running apache/php.


>>>
Excellent suggestion, never thought of that, as the script is just called it via fileserver (ie, fileopen('templates/somthing.html') then that's not handled by apache so therefore ignores the htaccess, however anyuser trying to access the folder would be denied.
<<<

FYI, htaccess is not always set up (or set up properly) on many cheapo shared hosts -- some have it pretty screwy (like no htaccess, or only in your root, and only certain commands...).  You are better off adding a line or two to the top of each file to check if it's being directly-loaded by the browser, and if so die immediately.

-d
0
 
LVL 11

Accepted Solution

by:siliconbrit
siliconbrit earned 1400 total points
ID: 16302931
Dave,

I have some comments on your notes - please note that I just want to make sure people have the correct information, I respect your work/answers and have even used a couple of your PHP library scripts from time to time.  So, no criticism of you, just comments that clarify points you have raised.

(1) "There's no 'cd' in a PHP script"

There *is* a cd in a PHP script, take a look at the details at [http://www.php.net/chdir].

Note that I am not suggesting that wildzero actually *is* doing a 'cd', just that he doesn't need to.  I have no knowledge of the scripts that he has written.  The important thing to note is that you do not need EXECUTE permissions on a directory to read a file from within it.  So for example, if you 'include' a file from a directory, then that directory and the file only needs to have READ (4) permissions available for the user under which the web server process is run.  In most cases the web server process is run by a user that is not in the same group as the user who owns the files, so it must be world permissions that need to be available:  744 will work on a directory you need access to, 644 on readable files, and 666 on writeable files.

By giving 666 to writeable files, this does not mean that somebody can edit the file from the internet in any way that is not managed by your script.  What it does mean is that anyone with access to the same hosting network as you can modify the files.  So you *do* have the added protection of the security around the hosting server itself.  However 777 should not be set on a directory, since this makes the directory (which is a file itself) executable and editable.  It is possible to inject information into a directory file that will compromise the security of a unix server.


(2) "you are either doing an include(...) ... or an fopen(...)"

There are lots more ways to open a file than with include() or fopen(), so your assumption is pretty tight if you don't mind me saying so ;-)


(3) "You can attempt to change permissions from your script, but it won't always work "

As you know, the ability to change the permissions on a file created at runtime is affected by the permissions of the file or directory you are creating and the ownership/permission on the directory in which it is created.  The method I describe for installing files that are to be delivered at runtime is quite common (some major PHP products use this technique), and works around the problems that wildzero is facing for a packaged product.

The principle is that during installation, the user creates a directory manually with world writeable permissions, then runs the installation script.  During installation, files/directories might be created which are then used for files which might be modified at runtime in the future.  The installation process creates these files/directories as the web server user so that in future the files can be delivered or modified by the web server user at runtime.

The only problem comes into play when the script attempts to chmod() the files/directories.  If PHP is being run in safe mode, the script can not chmod the files - instead you need to alert the user that a series of commands must be run manually on the server (or using an FTP client) to complete the required permissioning model.


(4) "htaccess is not always set up (or set up properly) on many cheapo shared hosts"

I agree, but on the subject of htaccess, my view is that if a host doesn't support it, don't use that hosting company.  I also completely agree that you should provide additional protection by placing index.php files that die with a 405 (Not Permissioned) error in any read-only directory, and additional lines in 'included' files that also die with a 405 error if an attempt is made to open that include file in a browser, instead of an include statement in another PHP script.

Ho Hum...
0
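The "line or two at the top of each file" that davebytes suggests, together with the index.php for a read-only folder from siliconbrit's point (4), as an added example for this thread (not code from either poster). Three files are shown in one listing, each starting at its "File:" comment; the file names and the IN_APP marker constant are assumptions. The posts mention a 405 error; this example sends 403 Forbidden, which is the HTTP status that means access is refused.

```php
<?php
// ---- File: index.php (the only script a browser should request) ----
// Define a marker before pulling in any other file. Every included file
// checks for it; the name IN_APP is chosen for this example.
define('IN_APP', true);
require dirname(__FILE__) . '/inc/page.php';   // hypothetical include path
echo build_page();
?>
<?php
// ---- File: inc/page.php (included only, never requested directly) ----
// If the marker is missing, this file was requested straight from the
// browser rather than included by index.php, so refuse and stop at once.
if (!defined('IN_APP')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

function build_page()
{
    return "<p>page body built by the included script</p>\n";
}
?>
<?php
// ---- File: templates/index.php (drop into any read-only folder) ----
// A request for /templates/ runs this instead of showing a directory
// listing, even on a host where .htaccess is ignored.
header('HTTP/1.1 403 Forbidden');
exit('Forbidden');
```

The guard in inc/page.php costs nothing when the file is included normally, because index.php has already defined the marker. Note that templates/index.php only replaces the directory listing; a direct request for templates/foo.tpl is stopped by the folder's htaccess rules, which is why the thread recommends both.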
 
LVL 17

Assisted Solution

by:davebytes
davebytes earned 600 total points
ID: 16303377
hey sb-  no problemo.  always good to clarify things around EE! ;)

(1) I guess I've never used chdir under PHP, and those things I might think of using it for take path specifiers anyway (whereas under certain languages there are more ops that only work on the current directory).  Things like opendir take a path, so /templates could be specified and read without ever 'cd'ing.

To simplify your other note: the reason to set permissions 'somewhat tightly' is usually around other people's code being exploited, and then if your files/dirs aren't protected they can be accessed via another user account. ;)

(2) well, for locally-opened files, it's either an include codepath or an fopen path (fopen being the root of numerous higher-level calls like readfile and such...).  I guess if you wanted to expand into extensions, yes then there are other ways to open local files...  Though I would hope they all patch through the core fopen code (as it'd be potential for exploits otherwise!).

(3) Yes, my second statement was clearly referring to whether or not you can do a chmod on a given server.  Sometimes disabled to avoid potential exploits/issues. ;)  I try not to rely on it, but that's me.

(4) We're on the same wavelength on this... ;)  Unfortunately, choice of providers, and moving providers, isn't always a simple equation -- and few, if any, give you an easy way to go through a checklist of 'yeah, we don't let you do that' stuff.

-d
0
 
LVL 11

Assisted Solution

by:siliconbrit
siliconbrit earned 1400 total points
ID: 16303458

(1) I never use it either unless I'm writing a non-web-server application in PHP, which is rare.  If one of my coders uses it in a web app, they are strongly advised to re-work the code ;-)

(2) Slightly disagree, for a purist, I guess fopen is the default, but for lots of reasons it's good to understand the reasons for choosing and using file_get_contents() and file().  For example, to quote Zend themselves from the http://uk2.php.net/file_get_contents page: "file_get_contents() is the preferred way to read the contents of a file into a string. It will use memory mapping techniques if supported by your OS to enhance performance."

(3) Agree - I choose not to use chmod if at all possible.

(4) You can always ask on Experts Exchange ;-D
0
 
LVL 17

Expert Comment

by:davebytes
ID: 16303733
interesting point on file_get_contents.  I've never made much use of it as I was 'brought up' on fopen, and file_get_contents only appeared in PHP 4.3.x... and obv hosts don't upgrade things like PHP that quickly. ;)

it's not actually clear in any of the docs whether the memory mapping is done at the fopen level or whether file_get_contents is doing something special (maybe setting a low-level flag, THEN calling through to fopen, then resetting flag...).  I'll have to go mod my various code, see if it makes a difference.  Obviously makes things cleaner!  But for a classical programmer, I'm so used to fopen-style coding -- since I open the file rw, read it, do some stuff, write it, close it.  I don't know if that's slower than file_get_contents, modify, file_put_contents... hmm.

Good thoughts here!

-d
0
 
LVL 17

Expert Comment

by:davebytes
ID: 16304029
(oh, and I just realized file_get_contents arguably is only useful for raw string data, and not binaries... and _put is only in PHP5... ah well... )
0
 
LVL 10

Author Comment

by:wildzero
ID: 16304450
Lots of good opinions here.
Sounds like making the templates folder via the script, and unzipping the templates to that directory along with an htaccess and an index.php, would be the best solution.

So my next question (maybe I should put it in another question):
What's the best way to
* Give the user a zip file ie templates.zip
* Run some php which unzips the templates.zip and puts them into a templates folder.

Anyone have an article on that?
Points upped
0
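The installation step siliconbrit describes (create the templates folder as the web server user, unpack a zip of templates into it, set 755 on the folder and 644 on the files, protect the folder, and tell the user when chmod is refused), answering wildzero's question above, written as an added example for this thread; it is not the code of any poster or product mentioned. The function name install_templates() and the file paths are assumptions. It uses the ZipArchive extension and file_put_contents(), both PHP 5 features.

```php
<?php
// Added example (not from the thread): browser-run installer step that
// unpacks templates.zip into a templates/ folder created by the web server
// user. install_templates() and the paths are names chosen for this example.
// Requires the ZipArchive extension.

/**
 * Unpack $zipFile into $targetDir with 755/644 modes. Returns a list of
 * messages the user must act on; an empty list means a clean install.
 */
function install_templates($zipFile, $targetDir)
{
    $problems = array();

    if (!is_dir($targetDir) && !mkdir($targetDir, 0755)) {
        return array("Could not create $targetDir");
    }
    if (!@chmod($targetDir, 0755)) {
        // chmod() is refused under safe mode and on some hosts; the user
        // must then set the mode by hand (shell or FTP client).
        $problems[] = "chmod 755 failed for $targetDir; set it by hand or via FTP";
    }

    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) {
        return array("Could not open $zipFile");
    }

    $base = realpath($targetDir);
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Accept only plain file names: no folders, no "..", no absolute
        // paths, so nothing can be written outside the templates folder.
        if ($name === '' || substr($name, -1) === '/' || basename($name) !== $name) {
            $problems[] = "Skipped entry '$name' (not a plain file name)";
            continue;
        }
        $dest = $base . DIRECTORY_SEPARATOR . $name;
        $data = $zip->getFromIndex($i);
        if ($data === false || file_put_contents($dest, $data) === false) {
            $problems[] = "Could not write $name";
            continue;
        }
        if (!@chmod($dest, 0644)) {
            $problems[] = "chmod 644 failed for $name; set it by hand or via FTP";
        }
    }
    $zip->close();

    // Refuse direct browser requests for anything in the folder
    // (Apache 2.2 syntax; Apache 2.4 uses "Require all denied").
    file_put_contents($base . '/.htaccess', "Order deny,allow\nDeny from all\n");

    // Second layer for hosts that ignore .htaccess: a request for the
    // folder itself gets a refusal instead of a directory listing.
    file_put_contents($base . '/index.php',
        "<?php header('HTTP/1.1 403 Forbidden'); exit('Forbidden');\n");

    return $problems;
}

// Usage from the browser-run installer page (paths are assumptions):
$problems = install_templates(dirname(__FILE__) . '/templates.zip',
                              dirname(__FILE__) . '/templates');
if (count($problems) === 0) {
    echo "Templates installed.\n";
}
foreach ($problems as $p) {
    echo htmlspecialchars($p), "<br>\n";
}
```

Because the files are written by the PHP process, they are owned by the web server user and remain readable and writeable by the script at runtime without a world-writeable folder. Entries whose names contain a path are skipped rather than written, which keeps a crafted archive from placing files anywhere other than templates/.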
 
LVL 17

Assisted Solution

by:davebytes
davebytes earned 600 total points
ID: 16305534
I usually do all my script distribution AS zip files, not raw individual files.  Inside, I'd have a folder that is <templates>, with all the defaults included.  My readme would say:
- copy the <zzzzz> folder to your server, including contents, and set the permissions on the folder to ###.

Users can generally follow those instructions.  I wouldn't want to rely on unzipping something up on the server myself, but that's just me.  I'd rather have the user upload the folder and contents directly.  Again, just me.  I do know there are people who do sub-zipped contents, but I've yet to actually download a script packaged that way.

There is a Zip library/extension for PHP.  Never used it.  Has a dependency on some secondary lib, and not all servers have it installed...

-d
0
 
LVL 10

Author Comment

by:wildzero
ID: 16325451
davebytes  - yes that is how I usually do it as well, but looks like there are more secure ways of doing it...
0
 
LVL 11

Assisted Solution

by:siliconbrit
siliconbrit earned 1400 total points
ID: 16326993

You two had better go take a look at some of the leading PHP products, and take a look at well written installers.

In particular, I recommend you look at Joomla/Mambo, and see how that award winning CMS system installs, and then how you can load components/templates/modules as zip files.

You should also look at J2EE architecture, and the way applications are distributed as WAR or EAR files.  These are zip files that contain all the classes needed to run an application.

Or to put it into the words of the Blue Oyster Cult - Please don't fear the Zipper.

...or did I get that wrong...  "please dont fear the hmmm mmm?  "..  'please dont..     oh never mind.

Nothing wrong with unzipping files, and you're going to see a lot more of it - get used to it
0
 
LVL 10

Author Comment

by:wildzero
ID: 16327633
Points upped again,

Thanks for that siliconbrit - it does seem that having the zips is easier and it also helps with the file permissions it seems.

Any more comments?
0
 
LVL 17

Expert Comment

by:davebytes
ID: 16327833
having zip files doesn't help with file permissions in the slightest...

I guess I've worked on so much stuff that needed some hand tweaking, I've never looked at Joomla -- I'll have to see what they do.  It's been discussed in WordPress circles that zipfiles might be handy for distribution of extra modules, and I've seen some other CMS products that do things that way, but seems few and far between.  Not sure if that's just a mindset issue, historical problems with unzipping, historical problems with permissions running as apache, etc.

From my 'other life', I've been using 'packed' files for distribution for well over a decade.  My old game engine used a packed but not compressed format, and certainly quake/et.al. have used pak/zip formats for content for many years... so it's far from alien, just not 'used' to it in my web development world. ;)

-d
0
 
LVL 11

Assisted Solution

by:siliconbrit
siliconbrit earned 1400 total points
ID: 16328316

:-D

I have 22 years of development.  Yes, I know - don't say it.

I used to distro everything by tar, but that's just an old UNIX habit.  I still depend on tar files when I specifically want to set permissions/ownership when the file is unpacked, but that's just never going to be a zip feature.

I started using zip when it was used by Java to pack the code.  It seemed pretty alien at the time, since Java is a semi-compiled language, but when I got used to it, it made much more sense for anything that is not fully compiled, and even then, why not?

On a Java Application Server, JAR or EAR files are unzipped at runtime (!) by the application server itself, and inside the zipfile is a whole directory structure, a manifest and all the bytecode class files.   Yes, this does seem alien, until you realise that a C compiled program is just the same information (DATA Segment, CODE Segment, Pragma, etc) all compiled and COMPRESSED into a binary executable.

If you are willing to accept that concept, then the idea of using a zipfile to distribute code written in an interpreted language like PHP is not such a big leap of faith.  After all, the local OS will deal with creating the filesystem rather than you having to script it, and you don't have to code for any OS differences, which we are all about these days.

Ho Hum.
0
 
LVL 10

Author Comment

by:wildzero
ID: 16397518
=) awesome info guys
points upped one final time
0
