Is read/write for scripts on public html a dumb idea?

Printable View

April 3rd, 2003, 11:40 AM
HippoDuck

Is read/write for scripts on public html a dumb idea?

Hi,
I would like to have a www server security experts opinion if possible :)

I would like to be able to modify my HTML documents on the web server with ASP or PHP serverside scripts, to make content management easier for users that don’t want to learn html and don’t want to learn to use a FTP program.

Access rights on the public HTML folder is normaly read only, and that is why my scripts cant write / move / delete the public HTML files now.

I figure that a public HTML folder were the web surfer has read access and the server scripts has read/write access should be secure, if that folder does not have script execute rights? That way there should not be a security risk that a hacker could modify the page and then run it as a script.

Why I want to edit plain HTML files on the server in stead of storing them in a DB, is because I imagine that web sites with plain HTML files works better on shared web servers. When ASP pages or DB connections fail, it seems the server still can supply the normal HTML files to the surfers. Also search engines can index the site better when there is no extra parameters on the URL (I think).

So do you think it would be generally secure to have a folder with only HTML files without execute but with read/write access? Or is to risky?

Thx
April 3rd, 2003, 12:11 PM
slarty

I've worked on many systems which do this. It's generally fairly secure to let people edit HTML files directly or indirectly, provided you don't let them get their own scripts into the directories.

One of the major problems is clutter, but not security.

It's true that HTML sites do perform better, are more reliable and get indexed better by search engines. As long as you don't provide a facility for people to upload arbitrary files, you should be ok. I recommend having a list of extensions that are allowed and denying all others. You should also have an allowed character set for filenames to prevent funny characters screwing things up (Think NT Alternate file streams, DOS special files, embedded NULs and dodgy unicode filenames). In particular it's useful to only allow filenames to have one dot in and to forbid spaces.
April 3rd, 2003, 12:13 PM
SirDice

It all depends on how secure you make the update page. If somebody can abuse that then you are screwed. Also beware of SSI (Server Side Includes) and/or ASP. Remember that ASP and SSI get executed on the server. Definitely remove the script and execute permissions.

Also remenber that everything runs on the same account. This means that your scripts run on the same useraccount as the static html. You would have to do some clever tricks to run your scripts on a different account.
April 3rd, 2003, 01:38 PM
HippoDuck

First I want to thank you guys for the quick replies !

It is interesting to read that some sites actually uses this kind of content management.
I thought I was a bit silly not wanting to use a database for all pages.

I am thinking about what SirDice writes about the fact that script pages runs in same account as HTML. I thought the server is running as server user .

This would mean that the folder containing the public HTML pages, should be read/write for all users. I am not sure if this is any riskier than trying to get a specific user with the write access, as I don’t think there is technically any way to directly write to files using HTTP. Only way to write to such a directory would be with the server side scripts. Then again I am no hacker or security specialist ;)

I have written some ASP pages, but not many lines in PHP. The read/write security in mind, do you think there is any difference if I use PHP or ASP?
April 3rd, 2003, 02:14 PM
SirDice

Quote:

Originally posted here by HippoDuck
I have written some ASP pages, but not many lines in PHP. The read/write security in mind, do you think there is any difference if I use PHP or ASP?

Use something you feel comfortable with. It doesn't matter what you use. You would have to secure them both and both have their own pros and cons.
April 3rd, 2003, 06:31 PM
HippoDuck

Well my web hosting company says about setting write permisson on a html folder :
"It should be ok. You still run the risk hackers deleting or defacing all
the files in that folder."

Maybe they say the thing about hacking just to be on the safe side....

I cant think of any other way to write to a HTTP server file system than with the scripts I make. So as long the scripts are password protected it should be ok.
April 8th, 2003, 09:50 AM
HippoDuck

My web host company has set up a directory with read/write access for me, so I can make my WYSIWYG content management editor.

I feel safe, but time will tell if I get hacked or not :P

Thank you all for your answers :)
April 8th, 2003, 11:37 AM
the_JinX

the system is as safe as you make it..