Protecting 777 chmodded folders

Discussion in 'Security' started by DarkMindZ, Dec 23, 2007.

  1. #1
    As most of you already know, chmod 777 gives write / execute rights to everyone (on *nix servers); it is mostly used for upload scripts / galleries / logs.

    Well, you can protect that folder from being used as a lab for Mr Hacker.

    A simple way of doing it is using a .htaccess, turning the PHP engine off in that folder and disallowing html / pl / php files. Here is how:

    Create a new file called .htaccess, containing:


    # Turn the PHP engine off for this directory (only has effect with PHP running as an Apache module)
    php_flag engine off
    # Refuse to serve anything that looks like a script; php[0-9]? also catches .php3/.php4/.php5
    <Files ~ "\.(php[0-9]?|s?p?html|cgi|pl)$">
    deny from all
    </Files>


    That's it; now the hacker cannot use this folder as a place for PHP shells / scripts or backdooring tools (mostly Perl scripts).

    Source : www. darkmindz. com/forum/protecting_777_chmoodded_folders-num481
     
    DarkMindZ, Dec 23, 2007 IP
    kashem and devsn like this.
  2. kashem

    kashem Banned

    #2
    Hi
    Thanks for sharing. I'm going to try it :)
     
    kashem, Dec 23, 2007 IP
  3. just-4-teens

    just-4-teens Peon

    #3
    Another great post.
     
    just-4-teens, Dec 23, 2007 IP
  4. olddocks

    olddocks Notable Member

    #4
    olddocks, Dec 24, 2007 IP
  5. Ladadadada

    Ladadadada Peon

    #5
    The only problem I have with that method is that it is still in "default allow" mode. This means that anything that isn't explicitly denied is allowed. If an attacker uploaded a .php3 or a .php4 file and your PHP config is set up to parse and execute files with that extension (which it probably is) then you are still vulnerable. The code below (from the page that olddocks linked to) is in "default deny" mode, which is much safer.
    # Default deny for the whole directory, then allow only the image extensions
    Order deny,allow
    Deny from all
    <FilesMatch "\.(jpe?g|png|gif)$">
      Allow from all
    </FilesMatch>
    Code (markup):
    However, even if he can't execute the code, he can still upload it. The danger of that is twofold. If he finds a local file inclusion vulnerability somewhere else in your site (but not a remote file inclusion vulnerability) then he can include his uploaded file and it will be executed in PHP. If he couldn't upload the file at all then he would have nothing but your code to include and none of his code. (Interestingly, if an attacker finds a file opening vulnerability in your PHP code, it's likely he could use that to invoke a perl interpreter and give it the file he has already uploaded. Don't be fooled into thinking that perl files are safe because you haven't installed mod_perl. If you have perl on your system, you would still be vulnerable to this attack. The same goes for Ruby, Python, Java and even Bash.)

    The second danger is that if the code is not executed, it will still be displayed. If he uploads a .txt file that contains a PHP shell, he can use your server as the launching pad for attacks on other people's servers. The remote file inclusion vulnerability on someone else's server will include the PHP code that is hosted on your server. You would be an unwitting participant in an attack on a webserver. The "default deny" code above would stop the second attack but not the first. For that, we need to be even smarter.

    My preferred method is to explicitly allow some files and deny all others in the PHP upload script. In this script, I usually check the mimetype and the extension. You can also implement other checks here such as file size, image dimensions and image format. You could even accept images in any format and convert them to your favourite format... which would certainly play havoc with a PHP shell if it had made it through this far.

    That said, there's nothing mutually exclusive about these two methods. You can quite happily implement both and not cause any troubles. Mostly, you will be enforcing the same restrictions twice but there is always the possibility that an attacker will find a way past one method and be stumped by the other.



    While I'm here, I want to address some of the confusions about Unix file permissions. Firstly, files do not inherit the permissions of the containing directory. This means that even though the uploads directory is executable, the files uploaded into it are not. (You should be explicitly setting the permissions for uploaded files in your upload script.) If the files are supposed to be read-only, don't hesitate to set them as 444.

    Secondly, PHP files only have to have the execute bit set if you are running PHP in CGI mode. If you have PHP as an Apache module (mod_php), then it doesn't matter whether the files are executable or not. The same is true for Perl and mod_perl.

    Thirdly, you don't necessarily need to have the uploads folder at 777. Most applications will use 777 because they need specific knowledge about your server to use anything else, but you have that knowledge. If you chown the folder to the user that your webserver runs as then you could even set its permissions to 700. I would normally chgrp the folder to the webserver and leave it chowned to me with 770 perms. The user that Apache runs as is usually either: nobody, apache, wwwdata or www-data. You can find which one yours is by running a process-viewing command. (ps -ef or ps aux or top and look for one of the "httpd" processes.)

    Having said all that, Unix file permissions are not a good way to protect your website from your website visitors. They are a good way to protect the rest of your server from your website visitors. Make sure your home directory is chmod 750 and that your webserver user is not in the same group as you. Any important files should be 640 or even 600.

    If you have a look in your .ssh folder in your home directory you will see an example of some quite restrictive permissions. One of the files in there must be 600 or 400 or ssh will refuse to start. The guys who write ssh care about security.
     
    Ladadadada, Dec 27, 2007 IP
    thuankkk, pitagora and e96 like this.
  6. devsn

    devsn Active Member

    #6
    That's absolutely true.. :p

    Most shells are done via RFI (Remote File Inclusion). But then, on some sites like image hosting sites, shells can be uploaded to and executed from the images directory.

    Thanks for the tut.. :)

    +REP
     
    devsn, Dec 28, 2007 IP
  7. smg

    smg Well-Known Member

    #7
    Great script. Thanks

    Been looking for something like this for ages!!
     
    smg, Dec 28, 2007 IP
  8. DarkMindZ

    DarkMindZ Guest

    #8
    You are all welcomed :)

    Ladadadada, what you said is all true; you went more in depth on what can and can't be done... but adding this simple .htaccess to that directory makes it a lot safer. I know a lot of hackers, and trust me, a writeable directory where you can run a PHP script is the jackpot! They can dump huge DBs easily, run bots, upload their botnet and spread it, and much more.

    I am glad you all liked it :) You can thank me by paying my site a visit ;P You won't regret it.
     
    DarkMindZ, Dec 28, 2007 IP
  9. camp185

    camp185 Well-Known Member

    #9
    Here is a two liner that could help:

    # Map the script extensions to the CGI handler, then forbid CGI execution:
    # Apache answers 403 for them instead of running them (needs AllowOverride FileInfo and Options)
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
     
    camp185, Apr 9, 2009 IP
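Pulling the three approaches in this thread together (the engine-off directive from post #1, the default-deny block from post #5 and the handler trick from post #9), here is one complete .htaccess for an image-only upload directory. This is an added example, not any poster's own file. It assumes Apache 2.2 or 2.4 with AllowOverride covering AuthConfig, Limit, FileInfo and Options for this directory, and a directory that is supposed to hold nothing but .jpg/.jpeg/.png/.gif files; the extension lists are assumptions too.

```apache
# Added example: default-deny .htaccess for a directory holding only uploaded images.
# Assumes AllowOverride covers AuthConfig, Limit, FileInfo and Options here.

# --- 1. Nothing in this directory is a script, whatever it is called ---------
# php_flag is only understood by mod_php. Under PHP-FPM or php-cgi the IfModule
# guards skip it; without them Apache would return 500 for the whole directory.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# No CGI, no server-side includes, no directory listings.
Options -ExecCGI -Includes -Indexes

# Undo any AddHandler/AddType mapping inherited from the server config for script
# extensions (mod_mime matches extensions case-insensitively, hence the (?i)),
# and cancel an inherited SetHandler such as a proxy:fcgi handler for PHP-FPM.
RemoveHandler .php .php3 .php4 .php5 .phtml .phar .phps .pl .py .cgi .sh .shtml
RemoveType    .php .php3 .php4 .php5 .phtml .phar .phps .pl .py .cgi .sh .shtml
<FilesMatch "(?i)\.(ph(p[0-9]?|tml|ar|ps)|pl|py|cgi|sh|shtml)$">
    SetHandler None
</FilesMatch>

# --- 2. Default deny: only plain image names are served at all ---------------
# "^[^.]+\." demands exactly one extension, so shell.php.jpg is not matched and
# stays denied. With multiple extensions mod_mime applies every mapping it knows,
# so where PHP is mapped with AddHandler (rather than a FilesMatch on \.php$)
# a .php.jpg file would otherwise be run as PHP.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
    <FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
    <FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
        Allow from all
    </FilesMatch>
</IfModule>
```

Check it with four requests into the directory: test.php, test.php.jpg and test.txt should all come back 403, a real test.jpg 200. Two things this file cannot do: it does not stop the upload itself (Ladadadada's local-inclusion point stands, so the upload script still has to allowlist), and it only holds as long as nobody can write a new .htaccess into the directory, which is exactly what a 777 directory plus a local shell allows. Make the upload script refuse names starting with a dot, and prefer 770 with the web server's group over 777.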
  10. bilgi

    bilgi Well-Known Member

    #10
    Thanks for your good .htaccess file.
    It will help us guard our folders.
     
    bilgi, Apr 9, 2009 IP
  11. j4l4ni

    j4l4ni Peon

    #11
    Thanks for the tips..
    I'll try the code.
     
    j4l4ni, Apr 9, 2009 IP
  12. BooyahFernis

    BooyahFernis Peon

    #12
    Great tip for security. Thank you for posting this.
     
    BooyahFernis, Apr 26, 2009 IP
  13. aekung

    aekung Peon

    #13
    Great tip for security. Thanks for sharing
     
    aekung, May 3, 2009 IP
  14. yah0m

    yah0m Peon

    #14
    ^ That's how I do it.
     
    yah0m, May 11, 2009 IP