Re: [wdvltalk] writeable directories
Quoting steve miller [EMAIL PROTECTED]:

> I have read a bit about having web directories that are world writeable. Some say that they are a security hole and some say they are not.

Depends on how they're configured...

> I have used open source applications like oscommerce and have had several of them hacked, finding php files placed within the images directory. My host claims it is because the images directory is world-writeable and someone uploaded files into it.

Not uncommon...

> I am looking into using a photo gallery (coppermine), and it needs 777 permissions on the upload directories in order to allow user uploads. I am worried about using it even though there are many on the coppermine forum that claim it is not a security risk. So, my questions are:
>
> 1) is 777 really a security hole or not?

In general, yes.

> 2) I noticed that some servers give upload files www ownership and others give user ownership...does that make any difference?

Your best bet is to set the owner to the username your webserver runs under and the group to user. Then set the permissions to the following: 754

This gives the user full rights, the group read + execute and the world read privileges, although it will not work with all systems.

> 3) if 777 is a hole, why are applications still being written with this requirement?

Because people are still arguing if it is a security risk or not!

Google for "Secure PHP file upload" and read the results that come back. Basically you should be checking for Mime-Type, Extension and reading the first few bytes of the documents before only allowing files that you approve of onto your server.

Kind regards,

Matt (Forever rolling-his-own PHP software to avoid the 777 issue...)
-- 
Matthew Macdonald-Wallace
[EMAIL PROTECTED]
http://www.truthisfreedom.org.uk/

The WDVL Discussion List from WDVL.COM
To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED]
or use the web interface http://e-newsletters.internet.com/discussionlists.html/
Send Your Posts To: wdvltalk@lists.wdvl.com
To change subscription settings, add a password or view the web interface:
http://intm-dl.sparklist.com/read/?forum=wdvltalk
http://www.wdvl.com
___
You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
Re: [wdvltalk] writeable directories
steve miller wrote:
> Hi all. I have read a bit about having web directories that are world writeable. Some say that they are a security hole and some say they are not.
>
> I have used open source applications like oscommerce and have had several of them hacked, finding php files placed within the images directory. My host claims it is because the images directory is world-writeable and someone uploaded files into it.

Having the permissions set to 777 means that any user who has an account on that server could write to that directory.

For an attacker to upload stuff there, it's almost certainly nothing to do with the directory being world-writable, but due to a badly-written bit of software which accepts uploaded files and stores them in a web-accessible path.

For instance, a forum script which allows users to upload avatar images, and stores them in a folder called avatars, so that if you upload myavatar.jpg, it would then be accessible at http://www.example.com/avatars/myavatar.jpg. Some attacker then uploads evilscript.php and the badly-written forum software doesn't bother to check whether what it's receiving is what it expected, but simply writes it to the avatars directory. Now, the attacker goes to http://www.example.com/avatars/evilscript.php, and the script executes, game over.

For that common scenario, the permissions on the avatars folder weren't the problem, the problem was with badly-written software.
Cheers
Dave P
Re: [wdvltalk] writeable directories
On Nov 26, 2008, at 9:18 AM, David Precious wrote:
> Having the permissions set to 777 means that any user who has an account on that server could write to that directory.
>
> For an attacker to upload stuff there, it's almost certainly nothing to do with the directory being world-writable, but due to a badly-written bit of software which accepts uploaded files and stores them in a web-accessible path.

Thanks Dave. The one gallery I was interested in was coppermine, which requires 777 on certain directories that by design already contain some php files and other misc stuff. Since I may not have the skill to re-write some of these applications, is it possible to add some stuff to an htaccess file to stop new uploads of certain types? I have seen suggestions like:

<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe|php)$">
    deny from all
</FilesMatch>

steve
Re: [wdvltalk] writeable directories
On Nov 26, 2008, at 9:11 AM, Matthew Macdonald-Wallace wrote:
> Your best bet is to set the owner to the username your webserver runs under and the group to user. Then set the permissions to the following: 754
>
> This gives the user full rights, the group read + execute and the world read privileges, although it will not work with all systems.

Thanks Matt. Still confused on a few things:

PHP uploads to a temp directory and then you need a script to move the file. In oscommerce, there is no way for someone to access the upload scripts unless they have access to the protected admin directory first. So, how do they get the bad stuff into an open directory in the first place?

steve
Re: [wdvltalk] writeable directories
steve miller wrote:
> Thanks Dave. The one gallery I was interested in was coppermine, which requires 777 on certain directories that by design already contain some php files and other misc stuff. Since I may not have the skill to re-write some of these applications, is it possible to add some stuff to an htaccess file to stop new uploads of certain types? I have seen suggestions like:
>
> <FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe|php)$">
>     deny from all
> </FilesMatch>

You can't use something like that to stop the files being uploaded, as Apache doesn't see the files; the file being uploaded is just a stream of data that's posted to whatever script is going to handle the upload.

Using something to deny access to any files in the image directories except images /might/ help to prevent an attacker from getting evil scripts to execute after they've been uploaded, but the correct solution is to ensure that the gallery software will not allow malicious stuff to be uploaded in the first place.

Will untrusted users be able to upload stuff, or will uploading be limited to trusted users only? If trusted users only, then, as long as the software has no silly holes in it, you should be relatively safe.

Cheers
Dave P
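As an added example of the "deny access to everything except images" fallback Dave mentions (this is not from the thread, osCommerce or Coppermine), here is an `.htaccess` for an upload directory in Apache 2.2 syntax, which is what hosts were running in 2008. It assumes the host's `AllowOverride` permits these directives and that PHP runs as `mod_php`; under CGI/FastCGI the `php_flag` line is ignored, and whether `RemoveHandler` is enough depends on how the host wired PHP in, so check both on your own server.

```apache
# Added example .htaccess for an upload directory (Apache 2.2 syntax).
# Step 1: never treat anything stored here as PHP, whatever it is named
# (covers "photo.php" and double extensions such as "photo.php.jpg").
php_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5

# Step 2: serve nothing at all from this directory by default...
Order deny,allow
Deny from all

# ...and re-allow only the image types the gallery is expected to write.
<FilesMatch "\.(jpe?g|gif|png)$">
    Order allow,deny
    Allow from all
</FilesMatch>

# Step 3: no directory listings, so a dropped file cannot be found by browsing.
Options -Indexes
```

This is the mirror image of the snippet steve quoted: instead of listing the extensions to block, it blocks everything and lists the few to allow, so a new or unexpected extension is refused rather than served. It does nothing about the upload itself, as Dave says; it only limits what an attacker gains if a file does land in the directory.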
Re: [wdvltalk] writeable directories
Quoting steve miller [EMAIL PROTECTED]:

> Still confused on a few things:
>
> PHP uploads to a temp directory and then you need a script to move the file. In oscommerce, there is no way for someone to access the upload scripts unless they have access to the protected admin directory first. So, how do they get the bad stuff into an open directory in the first place?

Depends how well that directory is protected.

A simple test - create a file on your local machine with a form that has the same fields as the upload form in the admin directory and point it at the file on the server. Try to upload using the form on the local machine. If this works, then that's probably how it was hacked.

Any page I write that is in a protected directory asks for the session authentication before it does anything else - it's not foolproof but it does help.

M.

-- 
Matthew Macdonald-Wallace
[EMAIL PROTECTED]
http://www.truthisfreedom.org.uk/
Re: [wdvltalk] writeable directories
I'll test! Sure hope it's not this easy, because it means that directory permissions are not going to stop anything :(

On Nov 26, 2008, at 10:09 AM, Matthew Macdonald-Wallace wrote:
> Quoting steve miller [EMAIL PROTECTED]:
>
>> Still confused on a few things:
>>
>> PHP uploads to a temp directory and then you need a script to move the file. In oscommerce, there is no way for someone to access the upload scripts unless they have access to the protected admin directory first. So, how do they get the bad stuff into an open directory in the first place?
>
> Depends how well that directory is protected.
>
> A simple test - create a file on your local machine with a form that has the same fields as the upload form in the admin directory and point it at the file on the server. Try to upload using the form on the local machine. If this works, then that's probably how it was hacked.
>
> Any page I write that is in a protected directory asks for the session authentication before it does anything else - it's not foolproof but it does help.
>
> M.
Re: [wdvltalk] writeable directories
Makes sense :) A lot of what I deal with is for clients who want pre-written applications installed, and I guess I'll just have to check first to see how uploaded files are being handled. Thanks!

On Nov 26, 2008, at 10:20 AM, David Precious wrote:
> Matthew Macdonald-Wallace wrote:
>> Quoting steve miller [EMAIL PROTECTED]:
>>> Still confused on a few things:
>>>
>>> PHP uploads to a temp directory and then you need a script to move the file. In oscommerce, there is no way for someone to access the upload scripts unless they have access to the protected admin directory first. So, how do they get the bad stuff into an open directory in the first place?
>>
>> Depends how well that directory is protected.
>>
>> A simple test - create a file on your local machine with a form that has the same fields as the upload form in the admin directory and point it at the file on the server. Try to upload using the form on the local machine. If this works, then that's probably how it was hacked.
>
> Agreed, that's a simple test (ensure you're not logged in when you try it though, obviously).
>
>> Any page I write that is in a protected directory asks for the session authentication before it does anything else - it's not foolproof but it does help.
>
> Indeed - authentication/authorisation should always be checked first.
>
> I think that, due to the way CGI file uploads work, the file will always be uploaded to the web server, but to a temporary directory somewhere; as long as the script it was POSTed to does /not/ move the file from that temporary location to wherever it wanted to put it before checking the user is authorised, all should be fine, and the temporary file should get deleted automatically when the request is over with.
> Cheers
> David P
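The handler below is an added example, not code from the thread, osCommerce or Coppermine. It puts together the two pieces of advice in this thread: Matt's checklist from his first message (check the extension, the MIME type and the first few bytes, and accept only file types you approve of) and Dave's point, quoted above, that the script must check authorisation before it moves the file out of PHP's temporary directory. The session key `admin_id`, the form field name `image`, the `images/uploads` path and the size limit are placeholders, not values from either application.

```php
<?php
// Added example upload handler (not from the thread or from any gallery/shop
// software). Assumed placeholders: $_SESSION['admin_id'], the "image" form
// field, and the images/uploads directory.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = __DIR__ . '/images/uploads'; // placeholder path
const MAX_BYTES  = 2 * 1024 * 1024;             // 2 MiB, placeholder limit

// Whitelist: extension => [expected MIME type, expected leading bytes].
// Anything not listed here is refused; there is no blacklist to get wrong.
const ALLOWED = [
    'jpg' => ['image/jpeg', "\xFF\xD8\xFF"],
    'png' => ['image/png',  "\x89PNG\r\n\x1a\n"],
    'gif' => ['image/gif',  'GIF8'],
];

function fail(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// 1. Authorisation before anything else. Until this passes the upload only
//    exists in PHP's temp directory and is removed when the request ends.
if (empty($_SESSION['admin_id'])) {
    fail(403, 'Not authorised');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['image'])) {
    fail(400, 'No upload');
}

$f = $_FILES['image'];
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    fail(400, 'Upload failed');
}
if ($f['size'] > MAX_BYTES) {
    fail(413, 'File too large');
}

// 2. Extension: taken from the client-supplied name, but used only to pick
//    which whitelist entry the content must then match.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if ($ext === 'jpeg') {
    $ext = 'jpg';
}
if (!isset(ALLOWED[$ext])) {
    fail(415, 'Extension not allowed');
}
[$wantMime, $magic] = ALLOWED[$ext];

// 3. MIME type from the file's contents, not from $_FILES['type'], which the
//    browser (or the attacker's form) sets.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($f['tmp_name']) !== $wantMime) {
    fail(415, 'Content does not match extension');
}

// 4. Read the first few bytes and compare with the format's signature.
$head = file_get_contents($f['tmp_name'], false, null, 0, strlen($magic));
if ($head !== $magic) {
    fail(415, 'Bad file signature');
}

// 5. Have GD parse the image; a file that only starts like an image fails here.
$info = @getimagesize($f['tmp_name']);
if ($info === false || $info['mime'] !== $wantMime) {
    fail(415, 'Not a valid image');
}

// 6. Store under a server-generated name with the whitelisted extension, so the
//    original filename can never smuggle ".php" into the images directory, and
//    make the file read-only for group and world (0644) as Matt suggests.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'Could not store file');
}
chmod($dest, 0644);

echo 'Stored as ' . basename($dest);
```

The ordering matters: the session check sits before any reference to `$_FILES`, so Matt's "post the admin form from a local machine" test gets a 403 whether or not the directory is 777. The three content checks answer different questions (does the name claim an allowed type, does the content look like that type, does it actually parse as that type), and renaming the stored file removes the last way a `.php` name could reach the web root.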
Re: [wdvltalk] writeable directories
steve miller wrote:
> On Nov 26, 2008, at 9:42 AM, David Precious wrote:
>> Will untrusted users be able to upload stuff, or will uploading be limited to trusted users only? If trusted users only, then, as long as the software has no silly holes in it, you should be relatively safe.
>
> This is the part I don't understand! In oscommerce, you can not upload files unless you have access to the admin section which requires knowledge of username/pw. Yet somehow the images directory with 777 gets files uploaded into it. How are they doing this?

Maybe there's some vulnerability which allows untrusted users to upload stuff even though they're not supposed to.

> This is on a shared server; is it possible they are getting in from some other domain on the server?

It's certainly possible; seems fairly unlikely though.

Cheers
David P