Is read/write for scripts on public html a dumb idea?
Results 1 to 8 of 8

Thread: Is read/write for scripts on public html a dumb idea?

  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    37

    Is read/write for scripts on public html a dumb idea?

    Hi,
    I would like to have a www server security experts opinion if possible

    I would like to be able to modify my HTML documents on the web server with ASP or PHP serverside scripts, to make content management easier for users that donít want to learn html and donít want to learn to use a FTP program.

    Access rights on the public HTML folder is normaly read only, and that is why my scripts cant write / move / delete the public HTML files now.

    I figure that a public HTML folder were the web surfer has read access and the server scripts has read/write access should be secure, if that folder does not have script execute rights? That way there should not be a security risk that a hacker could modify the page and then run it as a script.

    Why I want to edit plain HTML files on the server in stead of storing them in a DB, is because I imagine that web sites with plain HTML files works better on shared web servers. When ASP pages or DB connections fail, it seems the server still can supply the normal HTML files to the surfers. Also search engines can index the site better when there is no extra parameters on the URL (I think).

    So do you think it would be generally secure to have a folder with only HTML files without execute but with read/write access? Or is to risky?

    Thx

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I've worked on many systems which do this. It's generally fairly secure to let people edit HTML files directly or indirectly, provided you don't let them get their own scripts into the directories.

    One of the major problems is clutter, but not security.

    It's true that HTML sites do perform better, are more reliable and get indexed better by search engines. As long as you don't provide a facility for people to upload arbitrary files, you should be ok. I recommend having a list of extensions that are allowed and denying all others. You should also have an allowed character set for filenames to prevent funny characters screwing things up (Think NT Alternate file streams, DOS special files, embedded NULs and dodgy unicode filenames). In particular it's useful to only allow filenames to have one dot in and to forbid spaces.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It all depends on how secure you make the update page. If somebody can abuse that then you are screwed. Also beware of SSI (Server Side Includes) and/or ASP. Remember that ASP and SSI get executed on the server. Definitely remove the script and execute permissions.

    Also remenber that everything runs on the same account. This means that your scripts run on the same useraccount as the static html. You would have to do some clever tricks to run your scripts on a different account.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Member
    Join Date
    Apr 2003
    Posts
    37

    Talking

    First I want to thank you guys for the quick replies !

    It is interesting to read that some sites actually uses this kind of content management.
    I thought I was a bit silly not wanting to use a database for all pages.

    I am thinking about what SirDice writes about the fact that script pages runs in same account as HTML. I thought the server is running as server user .

    This would mean that the folder containing the public HTML pages, should be read/write for all users. I am not sure if this is any riskier than trying to get a specific user with the write access, as I donít think there is technically any way to directly write to files using HTTP. Only way to write to such a directory would be with the server side scripts. Then again I am no hacker or security specialist

    I have written some ASP pages, but not many lines in PHP. The read/write security in mind, do you think there is any difference if I use PHP or ASP?
    I did not do it.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by HippoDuck
    I have written some ASP pages, but not many lines in PHP. The read/write security in mind, do you think there is any difference if I use PHP or ASP?
    Use something you feel comfortable with. It doesn't matter what you use. You would have to secure them both and both have their own pros and cons.

  6. #6
    Member
    Join Date
    Apr 2003
    Posts
    37
    Well my web hosting company says about setting write permisson on a html folder :
    "It should be ok. You still run the risk hackers deleting or defacing all
    the files in that folder."

    Maybe they say the thing about hacking just to be on the safe side....

    I cant think of any other way to write to a HTTP server file system than with the scripts I make. So as long the scripts are password protected it should be ok.
    I did not do it.

  7. #7
    Member
    Join Date
    Apr 2003
    Posts
    37
    My web host company has set up a directory with read/write access for me, so I can make my WYSIWYG content management editor.

    I feel safe, but time will tell if I get hacked or not :P

    Thank you all for your answers
    I did not do it.

  8. #8
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    the system is as safe as you make it..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •