Is read/write for scripts on public html a dumb idea?
Hi,
I would like to have a www server security expert's opinion if possible :)
I would like to be able to modify my HTML documents on the web server with ASP or PHP server-side scripts, to make content management easier for users that don’t want to learn HTML and don’t want to learn to use an FTP program.
Access rights on the public HTML folder are normally read only, and that is why my scripts can't write / move / delete the public HTML files now.
I figure that a public HTML folder where the web surfer has read access and the server scripts have read/write access should be secure, if that folder does not have script execute rights? That way there should not be a security risk that a hacker could modify the page and then run it as a script.
The reason I want to edit plain HTML files on the server instead of storing them in a DB is that I imagine that web sites with plain HTML files work better on shared web servers. When ASP pages or DB connections fail, it seems the server can still supply the normal HTML files to the surfers. Also, search engines can index the site better when there are no extra parameters on the URL (I think).
So do you think it would be generally secure to have a folder with only HTML files without execute but with read/write access? Or is it too risky?
Thx