Hi, I have a folder on my server where people can upload images like their avatar and other stuff. I have the folder CHMOD to 777, so everyone can upload their images via a form. Now I just noticed that the whole folder is EMPTY!! Someone deleted everything. How can someone delete a complete folder? I really have to secure this better now, but I don't see exactly how, because write permission is really needed in that folder. Any advice?
Are you sure you didn't delete the contents accidentally? 777 means that PHP scripts may alter the content of that folder. You can't just hit delete yourself from the browser. Do you validate the uploaded files? Does the "other stuff" include .php files? If so, anyone can upload their script and run it on your server.
No, I have tests so that only jpg and gif get accepted. Don't think I accidentally deleted it, because it happened when I was not at home... Is it possibly a problem with the server? Can folders go empty for some reason? damn this sux
Images can be run as executables. Nasty stuff. Um, do you use copy() to upload it? Please don't use copy() if you do. Bad bad idea. If you use copy, I can almost guarantee that is where the problem came from.
Seriously? That's crazy... The most important PHP functions I use to handle the form are: imagejpeg(), imagecopyresampled(), imagedestroy(). Is it that copy you mean? And what alternatives are there?
I have a very simple rule of thumb. NEVER expose (in the markup of a page etc.) the folder to which you're uploading files. When you do upload files, serialize or the like in a tmp dir (don't use their actual names). Then, move the files to a read-only directory from which you CAN then refer to them by name in the page. If you're using a blog or other typically Open Source script, change the default directory names. Yes, it's not a nice pill after the fact, but it should mean you don't have to go through it again. Best, JL
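Putting JL's advice together with the validation point raised earlier, here is an added example of an avatar upload handler (not code from anyone in this thread). It assumes two hypothetical paths: a staging directory outside the web root, and a separate public directory that pages reference by name, and it re-encodes every image through the same GD functions the original poster already uses.

```php
<?php
// Added example, not from this thread. Hypothetical paths:
$staging = '/var/www/private/upload_tmp';   // outside the web root
$public  = '/var/www/html/avatars';         // served as static files only

function store_avatar(array $file, string $staging, string $public): ?string
{
    // 1. Only accept a genuine browser upload that reports no error.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 2. Decide by file content, never by the client-supplied name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_GIF], true)) {
        return null;
    }
    // 3. Move it under a random, extension-free name into the private staging dir.
    $tmp = $staging . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], $tmp)) {
        return null;
    }
    // 4. Re-encode through GD: only pixel data survives, so anything appended
    //    to or embedded in the original file is dropped.
    $src = ($info[2] === IMAGETYPE_JPEG) ? @imagecreatefromjpeg($tmp) : @imagecreatefromgif($tmp);
    unlink($tmp);
    if ($src === false) {
        return null;
    }
    $w = imagesx($src);
    $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, $w, $h);
    // 5. Write the clean image under a fresh random name with a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($dst, $public . '/' . $name, 85);
    imagedestroy($src);
    imagedestroy($dst);
    return $ok ? $name : null;   // the name the page can now safely refer to
}

// Typical call from the form handler for <input type="file" name="avatar">:
// $name = store_avatar($_FILES['avatar'], $staging, $public);
```

Neither directory needs to be 777: make them writable only by the account PHP runs as, and configure the web server so that nothing under the public directory is ever executed as a script.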