I have a fair few directories which have a 777 permission set on them. Now, I know this is a threat to my server's security, but certain things will not work properly without this being set. In a lot of cases, this is set so images can be uploaded, and in others it's for editing files from admin, or a cache feature. I'd like to add .htaccess files to these directories so that they cannot be exploited, perhaps only allowing images to be accessed in the image directories, and for the cache/template files, only, if possible, allowing them to be changed from my server. How would I go about this please?
Those directories don't need to be chmod 777. If you change the ownership to the user your webserver runs as then the permissions can be 755 or 775 if you want to write to that directory yourself. Your webserver probably runs as either "nobody", "apache", "www-data" or "wwwdata". You can find out which one it is by looking at who owns the files in that directory now. Then just "sudo chown apache ." and "sudo chmod 775 ." inside the directory. 777 permissions just mean that any user on the system can write to the directory. If you are the only user on the system and Apache is supposed to write to this directory then there is no harm in having it 777. Normal web users are only accessing Apache so they don't gain any extra privileges from having the directory chmod 777. After all that, your greatest threat with uploads directories comes not from other users on your webserver but from random web users being able to upload arbitrary files. For instance, if a user went to upload an image but instead uploaded a PHP file, he could then request that PHP file from your images directory and take over your server. If you limit it to only files that end in ".jpg" then he can still upload the PHP file but call it "exploit.jpg". He can't request this in a browser anymore but if he finds a local file inclusion vulnerability on your server then this would essentially turn it into a remote file inclusion vulnerability. What you should do to prevent this is check the mime-type of the file being uploaded and reject everything except the image formats you support.
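The "exploit.jpg" case from the post above, seen from the defender's side: this added example (not part of the thread) scans an upload directory for image-named files whose first bytes are not a JPEG, PNG or GIF signature. The function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag files whose name claims an image type but whose
# content does not start with a JPEG, PNG or GIF signature.
# Function names and the sample directory are assumptions for illustration.

# Print the first four bytes of a file as lowercase hex, e.g. "89504e47".
first_bytes_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the file content starts with a supported image signature.
looks_like_image() {
    case "$(first_bytes_hex "$1")" in
        ffd8ff*)  return 0 ;;   # JPEG
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF ("GIF8")
        *)        return 1 ;;   # anything else, including empty files
    esac
}

# List image-named files under $1 that fail the signature check.
find_disguised_uploads() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' \
        -o -name '*.png' -o -name '*.gif' \) | while IFS= read -r f; do
        looks_like_image "$f" || printf '%s\n' "$f"
    done
}

# Build a constructed sample directory: three real headers, one disguised file.
make_sample_uploads() {
    d=$(mktemp -d) || return 1
    printf '\377\330\377\340' > "$d/photo.jpg"
    printf '\211PNG\r\n\032\n' > "$d/logo.png"
    printf 'GIF89a' > "$d/anim.gif"
    printf '<?php /* constructed sample */ ?>' > "$d/exploit.jpg"
    printf '%s\n' "$d"
}

# Usage: sh scan_uploads.sh /path/to/uploads
if [ $# -gt 0 ]; then
    find_disguised_uploads "$1"
fi
```

A matching signature only describes how the file starts, so this is a check on the content type, not proof that the rest of the file is harmless.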
Thanks for the explanation. Unfortunately, I didn't understand most of it. Can you provide any links to reference materials that can be understood by someone with very little understanding of Linux and Apache?
I'm assuming that you don't have much experience with Linux administration. If your site is set up correctly, it should work just fine as 775 (owner full permissions, group full permissions, everyone read + execute). If that gives you permissions issues try either telling your host to change the group ownership on the file to be the same as the group membership of apache. Let me know if neither of those work.
So, there typically isn't much difference between 775 and 777 permissions for getting scripts to work correctly? I wonder why programmers use the 777 then. I'll give it a try, thanks.
I'd like to add that a .htaccess will not do much protection. It will control what the web server can do with these directories, but most of the time 777 directories are used by hackers in a way which is not affected by any .htaccess (to download scripts to your server and run them for example). A 777 directory is definitely a bad thing and should never be seen, no matter the reason. There is always a way to do what you're doing without a 777 directory. And that "Protecting 777 chmod folders" link is a piece of sh*t. Put a "toto.pl" file in one 777 directory with the .htaccess provided, then use PHP's exec to execute "perl toto.pl" and voila, you just ran your .pl file. Example of attack: you have a 777 directory with that .htaccess. In another directory you have a PHP script with a remote include vulnerability. The hacker uses that RFI vuln to download and execute a .php script on your server, which downloads a perl script and puts it in the 777 directory, and then execs it. The .htaccess will not protect against this. Once code can be executed from your server you're doomed if you have any writable stuff (that includes /tmp and a database).
Ok, now we know how to stop them from executing the files... but I have searched the net high and low and can not find how they put them there in the first place?! A few months ago my server was hit with that attack that puts an htaccess file and a random string of numbers php file (like 249822.php) in EVERY 777 directory on EVERY site on my server. The htaccess declared the other file as the error file... then the script kiddie went NUTS posting links all over the net to files that don't exist on my server to porn and warez. The php file would redirect the person clicking the link to their site. I talked to a friend who uses the same hosting company (Hostforweb) and he found the SAME files in all his 777 directories from the same day. All Hostforweb could tell me is that they used "http post" to do it?! I asked them if the person had gotten a script on another shared account on the same server and they said NO and they told me that ANYONE could write to a 777 dir and I should contact the vendor who made my scripts so they could rewrite the software so it didn't need 777 dirs?? I have several questions.. I now put <LimitExcept Get> orders in the htaccess of all the 777 dirs.. would that have prevented this? I also set the directories below the 777 dirs to 711, would that stop their script from finding the 777 dirs? Is it true that ANYONE can write to a 777 dir WITHOUT having a script on the server to do it, or is HFW full of S#*@?? I have found SEVERAL forums discussing this but no one has answers.. will someone with knowledge greater than mine please give me some answers?
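For cleaning up after the incident described in the post above (an .htaccess naming a PHP file as the error document, plus an all-digit .php file in every 777 directory), this added example, which is not part of the thread, audits a web root for world-writable directories and those two dropped files. The function names and report labels are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories and for the
# two dropped files described in the post (.htaccess with ErrorDocument,
# all-digit .php). Function names and report labels are assumptions.

# List directories under $1 that any user can write to (mode bit o+w).
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Within one directory, list an .htaccess that sets ErrorDocument and
# .php files whose name is only digits (e.g. 249822.php).
suspect_files_in() {
    if [ -f "$1/.htaccess" ] && grep -qi 'ErrorDocument' "$1/.htaccess"; then
        printf '%s\n' "$1/.htaccess"
    fi
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        name=${f##*/}; name=${name%.php}
        case "$name" in
            ''|*[!0-9]*) ;;                  # not purely numeric: ignore
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Report every world-writable directory and any suspect files inside it.
audit_webroot() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        printf 'WORLD-WRITABLE %s\n' "$dir"
        suspect_files_in "$dir" | sed 's/^/SUSPECT /'
    done
}

# Remove the "other" write bit, turning 777 into 775. Ownership must already
# belong to the web server user for uploads to keep working.
drop_world_write() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        chmod o-w "$dir"
    done
}

# Usage: sh audit_777.sh /path/to/webroot
if [ $# -gt 0 ]; then
    audit_webroot "$1"
fi
```

Review each SUSPECT line by hand before deleting anything, since a legitimate .htaccess may also set ErrorDocument.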
I just explained to you why a 777 directory is bad. I just told you that you should not have a 777 directory at all. Sometimes I wonder why I take time to explain that sort of stuff if no one listens. If you have a 777 directory, you WILL have problems, especially on a shared box where you can't be sure that the other users are not evil or hacked. Making the parent dir 711 may or may not work depending on the server configuration. And trying to get around that problem with htaccess files or other tricks is not fixing the main issue but trying to hide it. It's not clean. 777 = BAD. So are you willing to listen to me or are you only willing to listen to people who tell you what you want to hear?
I can code a great .htaccess firewall for you, PM me for more details. And if you don't want, then you can put up an htaccess to this folder!
All I wanted to hear was how they did it... but all I got was your ranting about how 777 is bad. If you don't know then a simple "I don't know" would do.
The basic answer is they did it through your upload directory. As mentioned above, they probably created a perl script and called it badimage.jpg, then they called up badimage.jpg and ran badimage.jpg as a perl script. phplife