steve miller wrote:
Hi all.
I have read a bit about having web directories that are world writeable.
Some say that they are a security hole and some say they are not.
I have used open source applications like oscommerce and have had
several of them hacked, finding php files placed within the images
directory. My host claims it is because the images directory is
world-writeable and someone uploaded files into it.
Having the permissions set to 777 means that any user who has an account
on that server could write to that directory.
For an attacker to upload stuff there, it's almost certainly nothing to
do with the directory being world-writable, but due to a badly-written
bit of software which accepts uploaded files and stores them in a
web-accessible path.
For instance, a forum script which allows users to upload avatar images,
and stores them in a folder called avatars, so that if you upload
myavatar.jpg, it would then be accessible at
http://www.example.com/avatars/myavatar.jpg. Some attacker then uploads
evilscript.php and the badly-written forum software doesn't bother to
check whether what it's receiving is what it expected, but simply writes
it to the avatars directory. Now, the attacker goes to
http://www.example.com/avatars/evilscript.php, and the script executes,
game over.
For that common scenario, the permissions on the avatars folder weren't
the problem, the problem was with badly-written software.
Cheers
Dave P
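As an added illustration of the scenario Dave describes (this is example code, not code from the original thread, from osCommerce, or from any real forum package), here is the unchecked avatar handler next to a hardened one. The form field name, the `avatars` directory, the size limit and the out-of-webroot store directory are all assumptions made for the example:

```php
<?php
// Added example, not code from the original post or from any real forum software.
// Assumed for the example: an upload field named "avatar", a web-root directory
// $webroot/avatars, and an image store directory that is NOT under the web root.

// ---- The badly-written version Dave describes ----
// Whatever the client sends is written under the web root, under the client's
// own file name.  Upload evilscript.php and it becomes
// http://www.example.com/avatars/evilscript.php, which the server then executes.
// Note that the directory mode (755 vs 777) never enters into it: the web server
// user can write there either way.
function store_avatar_unchecked(array $file, string $webroot): string
{
    $dest = $webroot . '/avatars/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// ---- A hardened version ----
// Refuse anything that is not demonstrably an image, never let the client pick
// the stored name or extension, and keep the result somewhere scripts cannot run.
function store_avatar_checked(array $file, string $store_dir): ?string
{
    // 1. Only touch files PHP confirms were uploaded in this request.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 2. Reject upload errors and oversized files (256 KiB is an assumed limit).
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 256 * 1024) {
        return null;
    }
    // 3. Sniff the content.  $file['type'] and the client's extension are both
    //    attacker-controlled and must not be used for this decision.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    // 4. Store under a server-generated name with an extension WE chose.
    //    A polyglot (valid GIF header followed by PHP source) still passes step 3,
    //    which is why the stored name is never .php and the directory is outside
    //    the web root (or, if it must be web-accessible, carries an .htaccess with
    //    "php_flag engine off" / "RemoveHandler .php .phtml" on Apache).
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($store_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // data, not executable
    return $name;
}

// Typical call from the form handler (field name assumed):
// $stored = store_avatar_checked($_FILES['avatar'], '/var/www/avatar-store');
// if ($stored === null) { /* reject the upload */ }
```

The hardened version needs PHP 7 or later for `random_bytes()` and the `?string` return type. Even then, it is worth serving the stored images back through a small read-only script (or a directory with script execution disabled) rather than directly from a web-root folder: the checks above keep out obvious non-images, but they cannot turn a directory that executes PHP into a safe place to put user-supplied bytes.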
____ The WDVL Discussion List from WDVL.COM ____
________________ http://www.wdvl.com _______________________