Al wrote:
One of my sites has been hacked and I'm trying to find the hole. The
hack code creates dirs with "nobody" ownership, so it's obvious stuff is
not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
I would recommend something stronger:
http://www.php.net/manual/en/function.exif-imagetype.php
or, if you don't have exif,
http://www.php.net/manual/en/function.getimagesize.php
will also do the trick.
One more thing, you are also allowing .txt and .css which may be
potential hole, as Apache can
The hack puts this .htaccess in dozens of dirs
RewriteEngine On
RewriteCond %{HTTP_REFERER}
^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya
How was it "hacked"?
That will help determine what kind of exploit might have been used.
On 4/11/08, Al <[EMAIL PROTECTED]> wrote:
> One of my sites has been hacked and I'm trying to find the hole. The hack
> code creates dirs with "nobody" ownership, so it's obvious stuff is not via
> ftp [own
One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with
"nobody" ownership, so it's obvious stuff is not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
Can anyone s
Well, seeing as I have no directory anywhere in my file structure called
"/tmp" and yet my file uploads are still working, it would appear that my
temporary file upload directory "/tmp" given by php_info() is somewhere
outside of my root directory. So that's good news! That's where I'll be
doing
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to
> temporarily
> store them before I move them to their permanent storage directory,
> and I'm
> having some difficulties:
>
> -- php_info() says the temporary file upload directo
So I've been trying to figure out where php uploads files to temporarily
store them before I move them to their permanent storage directory, and I'm
having some difficulties:
-- php_info() says the temporary file upload directory is "/tmp" but I don't
know if that's relative to my root directory
On Wed, September 27, 2006 10:11 am, tedd wrote:
>>So when you read advice to use 0777 you can immediately change that
>> to
>>0700, because the only access needed is for you, not your group, and
>>not the "world" of other users on that machine.
>
> Excellent point -- thanks.
This applies only to
At 6:43 PM -0500 9/26/06, Richard Lynch wrote:
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> -- Since I'm only allowing image uploads, I can strictly filter which
> files
> are allowed to be uploaded (with extension checks and get_image_size).
Extension check is kinda useless...
I
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile()
> documentation and it wouldn't do anything, which suggests that I don't
> have
> access to the /tmp directory. Also, the FAQ's section on my server's
> website say that /
The FTP will be slower, almost for sure.
He's doing it because he can FTP in as himself, and not as the
"nobody" user Apache runs as.
Your webhost has you running as yourself already, so you can chmod
your files at will in PHP.
On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote:
> Tedd,
>
>
Hey Tedd and Eric,
Between the two of you and Richard Lynch's last post, I understand why I can
use chmod() and mkdir() within php without having to use the ftp commands: I
run on a server that is configured to run my php scripts as "username" (i.e.
me!) instead of as "nobody" (which is much more
Well, that didn't sound too good...
So I tried to implement the example code given in the php tmpfile()
documentation and it wouldn't do anything, which suggests that I don't have
access to the /tmp directory. Also, the FAQ's section on my server's
website say that /tmp is not shared between the
Andy:
It was never a question of speed for me -- it was a question of being
able to change file permissions from within a php script so that I
could create and write files safely.
You see, I am *not* able to use chmod() within a php script at all
regardless of what permissions the file and p
On 9/25/06, Andy Hultgren <[EMAIL PROTECTED]> wrote:
Tedd,
Thanks so much for your thorough response - it's good to know that I'm not the
only one trying to figure this out! I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without estab
Tedd,
Thanks so much for your thorough response - it's good to know that I'm not the
only one trying to figure this out! I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection. Is it faster to establish a
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,
Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root. I'm curious, what you described is exactly what I'm trying to do -
what permissions do
Hi Tedd,
Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root. I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finish
At 7:19 PM -0600 9/22/06, Andy Hultgren wrote:
For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I kno
On Saturday 23 September 2006 01:27, you wrote:
> Hi Borge,
>
> host/users/myDomain is the actual directory (and it's the root
> directory), and I do not have access to higher directories. So
> basically I do not have access to directories higher than my root
> directory, which is unfortunate. Al
For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I know that when I ftp in
to myDomain.com this is wha
I may have hit "send" too soon...
Like, when you do FTP, do you see:
index.htm
page2.htm
page3.htm
right away?
*OR*, do you see:
public_html
And then you do "cd public_html" and THEN you see the files?
If you don't do "cd public_html" then I really don't think accepting
file uploads is a Go
So pretty much there's nothing to be done about it? If I can get the
chmod thing to make it so that you can't surf to your uploaded image
afterwards and view it, I'd be happy with that solution. I'd like to
stick with this host if I could.
On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
O
On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be
I got two words for you:
Change Hosts
--
Like Music?
http://l-i-e.com/artists.htm
On Friday 22 September 2006 22:58, Andy Hultgren wrote:
> Hi,
> I am relatively new to php and am trying to set up a file upload
> process for my website. I have read through the php security
> documentation and a number of the security-related questions on these
> lists and am attempting to imple
Hi,
I am relatively new to php and am trying to set up a file upload
process for my website. I have read through the php security
documentation and a number of the security-related questions on these
lists and am attempting to implement as many of the measures as
possible.
One of the suggestions
Files in web folders should usually be 755
/peter a
At 2003-01-23 11:15, Marco Alting wrote:
>Hi, I have a php script which uploads file to a webserver. The idea is that
>anyone can upload files, but only another php script can read the files. At
>this moment I think someone is deleting file
Hi, I have a php script which uploads file to a webserver. The idea is that
anyone can upload files, but only another php script can read the files. At
this moment I think someone is deleting file from my upload folder. What
CHMOD settings do I need to secure this?