Thanks Sheila.
I don't think they actually got to the upload script; I think they
somehow found the open directory and posted the program directly. I'll
check into .htaccess.
steve
On Oct 6, 2005, at 7:46 AM, Sheila Fenelon wrote:
steve miller wrote:
Patrick,
The php scripts run as "www" on the webserver, but the directories
are owned by "steve" and I believe that group is "wheel". I don't
really have access to be able to change all the file owners. The
problem is that I need "www" to have "write" permission, which means
that the whole web can do so as well. I have noticed that this same
issue is present in popular open-source applications, like osCommerce,
which is actually where I had the problem. Their images file needs
"write" permission to receive new product images when you upload
them. Someone installed a shell program in it!!
I have been advised that I may have to run php as a cgi in order to
protect the directories...
On file upload you could use getimagesize()
http://www.php.net/manual/en/function.getimagesize.php
to check that the file is actually an image file.
As a second line of defense, you could use .htaccess on the directory
so it doesn't allow files in that directory to run. I'd have to look
up exactly how that's done.
Sheila
http://www.shefen.com/
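One way to put Sheila's two suggestions together, as an added example that is not code from the thread (it assumes PHP 7+, a form field named "image", and a directory images/ next to the script that is writable by the "www" user):

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, a form field named
// "image" and a directory images/ next to this script, writable by "www".
// Accept only image types getimagesize() can identify; map to a safe extension.
$allowed  = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
$dest_dir = __DIR__ . '/images';

function store_upload(array $file, array $allowed, string $dest_dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // getimagesize() parses the image header and returns false for non-images.
    // A file that is a valid image *and* carries PHP code still passes, which is
    // why the .htaccess below is the second line of defense.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    // Ignore the client-supplied filename; derive the extension from the detected type.
    $name   = bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    $target = $dest_dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // readable by the web server, never executable
    return $name;
}

if (isset($_FILES['image'])) {
    try {
        echo 'stored as ' . htmlspecialchars(store_upload($_FILES['image'], $allowed, $dest_dir));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}

// Second line of defense: images/.htaccess (the directory needs AllowOverride).
// With mod_php, "php_flag engine off" disables PHP there; the FilesMatch block
// refuses to serve script-looking names at all (Apache 2.2 access syntax).
//
//   php_flag engine off
//   RemoveHandler .php .phtml
//   <FilesMatch "\.(php|phtml|cgi|pl)$">
//       Order allow,deny
//       Deny from all
//   </FilesMatch>
//
// On Apache 2.4, replace the two Order/Deny lines with "Require all denied".
```

With both in place, an uploaded file that is not a real image is rejected before it is written, and anything that does land in images/ is served as static content rather than executed.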
____ The WDVL Discussion List from WDVL.COM ____