Quoting steve miller <[EMAIL PROTECTED]>:

> I have read a bit about having web directories that are world writeable.
> Some say that they are a security hole and some say they are not.

Depends on how they're configured...

> I have used open source applications like oscommerce and have had
> several of them hacked, finding php files placed within the images
> directory. My host claims it is because the images directory is
> world-writeable and someone uploaded files into it.

Not uncommon...

> I am looking into using a photo gallery (coppermine), and it needs 777
> permissions on the upload directories in order to allow user uploads.
> I am worried about using it even though there are many on the
> coppermine forum that claim it is not a security risk.
>
> So, my questions are:
>
> 1) is 777 really a security hole or not?

In general, yes.

> 2) I noticed that some servers give upload files "www" ownership and
> others give "user" ownership...does that make any difference?

Your best bet is to set the owner to the username your webserver runs under and the group to user. Then set the permissions to the following: 754

This gives the user full rights, the group read + execute and the world read privileges, although it will not work with all systems.

> 3) if 777 is a hole, why are applications still being written with this
> requirement?

Because people are still arguing if it is a security risk or not!

Google for "Secure PHP file upload" and read the results that come back. Basically you should be checking for Mime-Type, Extension and reading the first few bytes of the documents before only allowing files that you approve of onto your server.

Kind regards,

Matt
(Forever rolling-his-own PHP software to avoid the 777 issue...)
--
Matthew Macdonald-Wallace
[EMAIL PROTECTED]
http://www.truthisfreedom.org.uk/

____ The WDVL Discussion List from WDVL.COM ____
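As an added illustration of the three checks the reply recommends (extension, MIME type, and the first bytes of the file), here is a PHP upload handler; it is example code written for this page, not code from the list post or from Coppermine. The function name, the `$uploadDir` argument and the signature table are assumptions.

```php
<?php
// Added example, not from the mailing-list post: validates an uploaded image
// by extension, content-derived MIME type and leading bytes, then stores it
// under a random name with non-executable 0644 permissions. The upload
// directory itself should be owned by the webserver user rather than 777.
// Function name, $uploadDir and the signature table are assumptions.

function validate_image_upload(array $file, string $uploadDir): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1) Extension: whitelist only, taken from the client-supplied name.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2) MIME type: derived from the file contents, never from $file['type'],
    //    which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }

    // 3) Leading bytes (magic numbers) must match the claimed format.
    $signatures = ['image/jpeg' => "\xFF\xD8\xFF",
                   'image/png'  => "\x89PNG\r\n\x1A\n",
                   'image/gif'  => 'GIF8'];
    $head = file_get_contents($file['tmp_name'], false, null, 0, 8);
    $sig = $signatures[$mime];
    if ($head === false || strncmp($head, $sig, strlen($sig)) !== 0) {
        return null;
    }

    // Store under a server-chosen random name so the client cannot pick one.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage inside the form handler:
// $saved = validate_image_upload($_FILES['photo'], '/var/www/uploads');
```

A null return means the file was rejected by one of the checks and nothing was written to the upload directory.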
