Results 1 to 2 of 2
  1. #1
    Join Date
    Jun 2000
    Posts
    86

    Shared hosting: on image galleries and hacking

    Greetings All !

    There's a particular image gallery system I've been using on some of my websites.

    A few months back, one site's copy got hacked. The way they appear to have done it is basically that they uploaded several non-image files, and then executed them (possibly by just pointing their browsers to the gallery's temporary image holding folder).

    My host threw a fit and pointed out that those holding directories were set to 777. They adjusted permissions accordingly. I checked the gallery's settings and discovered there was a field where you could put in a list of file extensions that users would be allowed to upload. It was filled out with some of the file-extensions I had seen uploaded. I removed that and just set it to .jpg, .gif, and .png.

    Now, yesterday, some folks whose site I manage asked me about allowing them to upload images to their own copy of this gallery. To make a long story short: I checked the documentation of this image gallery software and they actually recommend that both the temporary image holding folder and the more-permanent folders they get moved to chmod'd to 777 !!

    Isn't that a bit crazy ??

    I did a quick bit of googling and discovered that the reason they want those folders like this has something to do with whatever user the Apache web server is running as?

    So, for a while, I thought maybe the 777's and whatever user those folders are set to is a security risk.

    But then I thought to myself, even if those were set differently (say, 711), the image gallery system is STILL suppossed to allow registered users to upload files. So files will still get written. So maybe the big problem WAS that list of allowed file extensions ??

    Note that I'm focusing on the hacker using a web browser to try to find an exploit in the image gallery software.

    I'm aware that if the hacker were to get FTP, telnet, or some other access to the box, then ownership and chmod of the files would become critically important.

    So I guess I'm thinking to myself that this must be an issue that all PHP image gallery software authors and admins run into. And I want to get a better understanding of how to allow users to upload images but still prevent the hackers from exploiting the image uploading system.


    Thanks!

    -= Dave =-

  2. #2
    Join Date
    Aug 2003
    Location
    Dallas, TX USA
    Posts
    2,812
    This should be posted in the Technical & Security Issuesforum..

    Anyway, this isn't a new issue, yet it's still so common. You've already done an important part by restricting the mime-types and file extensions. You don't want to allow the directory executable permissions (so setting it to 777 is not good.) Depending on the software, you want to have the script rename the upload files to some random name.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •