  1. #1

    Prevent PHP files used for file uploading

    Hey,

    It appears that some people like to take advantage of those files for online web applications such as WordPress which have PHP files with permissions set to 777. They use those as a means of creating an upload file. The upload files that they create then have access to the whole server somehow... Is there any way of preventing this from happening?

  2. #2
    Give a look into suPHP. http://www.suphp.org/Home.html

  3. #3
    First of all, run your Apache as suPHP; that will allow your files to run with permission 755 rather than 777. Also disable "file_uploads = On" in your php.ini for the time being. You can find your php.ini file in /usr/local/lib/php.ini

  4. #4
    Well, any open 777 folder that is accessible by Apache can be written to, even externally. That's the problem with world-writable. How are they taking over the server though?

  5. #5
    You can use 775 permissions for WordPress.

    This will give permissions for users and group but not others.

    Not necessary 777.

    This will resolve your issue.


    Thank you

  6. #6
    Set "file_uploads = off" in your php.ini file

  7. #7
    When you say users, that means any execution done from an account on the server?

  8. #8
    Any application that allows file uploads could be dangerous.

    Can't you disable the ability to upload through the application as a starting point too?

    Sorry, I'm not that familiar with WordPress.

  9. #9
    To upload files via WordPress, you'll have to put in your FTP information.
    However, you can easily edit files through WordPress. And if the file permissions are set to 777, anybody can modify the WordPress files to make a gateway to the server.
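
An added example, not part of any post in this thread: a shell audit that lists the world-writable directories and PHP files under a web root, which is the 777 condition the replies above discuss. The function names are hypothetical and the web root path is whatever you pass in.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable (777-style) permissions.
# Function names are hypothetical; pass your own document root as $1.

# Directories writable by "other". -type d skips symlinks, which always
# show mode 777 and would otherwise be false positives.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# PHP files that any local account can modify.
world_writable_php() {
    find "$1" -xdev -type f -name '*.php' -perm -0002 -print
}

# Print labelled findings. Returns 0 if clean, 1 if anything is
# world-writable, 2 if the argument is not a directory.
audit_webroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_webroot: not a directory: $root" >&2
        return 2
    fi
    findings=$( {
        world_writable_dirs "$root" | sed 's/^/DIR  /'
        world_writable_php "$root" | sed 's/^/PHP  /'
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

A non-zero exit status makes the script usable from cron or a monitoring check; anything it reports can be brought back to owner-only write access once PHP runs as the file owner.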
