[wdvltalk] writeable directories

2008-11-26 Thread steve miller
Hi all. I have read a bit about having web directories that are world writeable. Some say that they are a security hole and some say they are not. I have used open source applications like oscommerce and have had several of them hacked, finding php files placed within the images directory.

Re: [wdvltalk] writeable directories

2008-11-26 Thread Matthew Macdonald-Wallace
Quoting steve miller [EMAIL PROTECTED]: I have read a bit about having web directories that are world writeable. Some say that they are a security hole and some say they are not. Depends on how they're configured... I have used open source applications like oscommerce and have had several of

Re: [wdvltalk] writeable directories

2008-11-26 Thread David Precious
steve miller wrote: Hi all. I have read a bit about having web directories that are world writeable. Some say that they are a security hole and some say they are not. I have used open source applications like oscommerce and have had several of them hacked, finding php files placed within the

Re: [wdvltalk] writeable directories

2008-11-26 Thread steve miller
On Nov 26, 2008, at 9:18 AM, David Precious wrote: Having the permissions set to 777 means that any user who has an account on that server could write to that directory. For an attacker to upload stuff there, it's almost certainly nothing to do with the directory being world-writable,

Re: [wdvltalk] writeable directories

2008-11-26 Thread steve miller
On Nov 26, 2008, at 9:11 AM, Matthew Macdonald-Wallace wrote: Your best bet is to set the owner to the username your webserver runs under and the group to user. Then set the permissions to the following: 754 This gives the user full rights, the group read + execute and the world read

Re: [wdvltalk] writeable directories

2008-11-26 Thread David Precious
steve miller wrote: Thanks Dave. The one gallery I was interested in was coppermine, which requires 777 on certain directories that by design already contain some php files and other misc stuff. Since I may not have the skill to re-write some of these applications, is it possible to add some

Re: [wdvltalk] writeable directories

2008-11-26 Thread Matthew Macdonald-Wallace
Quoting steve miller [EMAIL PROTECTED]: Still confused on a few things: PHP uploads to a temp directory and then you need a script to move the file. In oscommerce, there is no way for someone to access the upload scripts unless they have access to the protected admin directory first. So, how do

Re: [wdvltalk] writeable directories

2008-11-26 Thread steve miller
I'll test! Sure hope it's not this easy, because it means that directory permissions are not going to stop anything :( On Nov 26, 2008, at 10:09 AM, Matthew Macdonald-Wallace wrote: Quoting steve miller [EMAIL PROTECTED]: Still confused on a few things: PHP uploads to a temp directory and

Re: [wdvltalk] writeable directories

2008-11-26 Thread steve miller
Makes sense :) A lot of what I deal with is for clients who want pre-written applications installed, and I guess I'll just have to check first to see how uploaded files are being handled. Thanks! On Nov 26, 2008, at 10:20 AM, David Precious wrote: Matthew Macdonald-Wallace wrote:

Re: [wdvltalk] writeable directories

2008-11-26 Thread David Precious
steve miller wrote: On Nov 26, 2008, at 9:42 AM, David Precious wrote: Will untrusted users be able to upload stuff, or will uploading be limited to trusted users only? If trusted users only, then, as long as the software has no silly holes in it, you should be relatively safe. This is the