November 18th, 2003, 12:46 AM
I understand that chmod 777 to things on a web server can create security risks, but (what if/could you) only do it to a single file? In this case a text file- are there any security risks?
November 18th, 2003, 01:01 AM
Normally the only time you have something with 777 attributes is when you have a directory you want anyone to be able to upload to. On my server I have it to where you can upload pictures and songs with a php script. And it won't work unless the permissions are 777 on the directory, and by that I mean rwxrwxrwx. So yes it is a risk, so only do it if you want a user to be able to upload or change something with some sort of script. If you do have uploads, make sure to limit what type of files can be uploaded so that you don't get any nasties.
November 18th, 2003, 01:12 AM
yeah, I'm a php beginner, and I'm making this thing so winamp displays the song I'm playing into my AIM profile.... I got everything made, I just gotta do that chmod. Do I have to contact the guy that has the server, or can I do it with telnet? I have a username and password with ftp, would i have the ability to do that chmod? Im not too familiar with doing this obvioulsy....
November 18th, 2003, 02:13 AM
You should be able to do it with telnet, but you should contact the guy just to make sure it's ok.
November 18th, 2003, 03:23 AM
Setting a single file's mode to 777 can be very dangerous. OTOH, is can be totally harmless. If the file contains shell commands that are then executed, then you must be totally sure that nobody can inject their own shell commands into the file. Don't execute any shell commands from your PHP unless you really know what you are doing. You should also probably make sure you have some mechanism that prevents anybody filling the file up with crap, thus running the server out of disk space. If you haven't already, read over the OWASP Guide, especially the bit about shell injection.
It is quite possible that your FTP password won't allow you to telnet, like h3r3tic said, you should check with the guy first.
November 18th, 2003, 05:36 AM
j3r, I'm forced to give you props this way rather than in anti-points because apparently 3 months ago and haven't "spread my points around" enough since then, but
that OWASP guide looks very very interesting. I took to PHP rather quickly and have developed a site for a friend and am working on a rather ambitious project for myself, but, as any self-respecting antionline member, I'm obsessive compulsive about security. I even added buffer check in a comp sci project (at the expense of being far to close to the deadline, thanks be to File Server drop-boxes).
Anyway the point being, as my ability in PHP coding far out-reaches my knowledge of security (a scary situation to be in), any little peace of knowledge helps.
I've read about many different injection issues in php-based applications and I've been wondering how to avoid them, hopefully this will help (in fact on OWASP's Top10 I just found information of SQL injection).
This site warrants a bookmark.
j3r, you rock.
The owl of Minerva spreads its wings only with the falling of dusk. -Hegel
November 18th, 2003, 10:53 AM
Generally speaking, it's safe to make files or directories writeable, as long as you limit what you write to them:
If you're writing a file into a directory from input from the user (possibly an upload), always check:
- Only allow them a limited set of file extensions - DO NOT allow them to upload arbritary files
- Don't allow them to upload anything executable, especially .exe .php .asp .dll etc - the server might try to execute the file - this is a big security risk
- Ensure that they cannot use slashes in the filename and use this to overwrite the contents of another directory (example: ../images/logo.gif and overwrite your site logo)
- Put a maximum file size on
You should definitely avoid making self-writing code (PHP pages writing php files etc) - as it's almost impossible to do that safely.
November 18th, 2003, 03:13 PM
I'm sure there are times when you may want to chmod somethinmg 777, but I will tell you when trying to hack a webserver nothing beats finding a directory thats 777. This doesnt only mean that its World Readable and World Writable but also world EXECUTABLE. This means if an attacker can find a service which allows even the smallest bit of file access, the directory/file can be used to execute code of the attackers choice. I really cant think of any good reason to set anything with those permissions at least use 666(still bad) so it is not world executable. I dont think I would say it is ever totally harmless although the risk could be lessened if the web server were in a chroot jail or something. File permissions can be your best friend or your attackers best friend.
Be very careful! Since your using .php its probably safe to say you are using MySql also, say you forgot to remove your default Mysql test account and DB, someone logs in and creates a row in the test database like "<? passthru($cmd); ?>" then "select * from test into outfile '/mystoopidworldwriteabledir/cmd.php' " then you can use "http:/www.blah.net/mystoopidworldwriteabledir/cmd?cmd=ls" or whatever. Of course this is just an example (I dont think the test user has file_priv flag(?) and I hope the dir isnt in the webserver path) but I think you see the point.
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
November 18th, 2003, 03:57 PM
Thanks for the heads up maestr0. I did leave the test db but it is password protected. My server is offline at the moment, I'm trying to do an overhaul on it for security.