directory permissions / php file upload security
kirkmiesle
I have a site that allows a system administrator to upload files via a password protected web interface. The directory where the files are being uploaded has permissions of 777. Recently, somebody has uploaded a php mail script into this directory in an attempt to use the server to send out spam (it doesn't look like they got into the administration panel to upload these files, that seems secure).

What permissions should I be using on this directory to ensure that this doesn't happen in the future? These user uploaded files still need to be accessible via the web site.

Also, is there an easy way to find all the directories on the server that have permissions set as 777 and change them without doing it all manually?

Thanks!
xenneo
QUOTE (kirkmiesle)
Also, is there an easy way to find all the directories on the server that have permissions set as 777 and change them without doing it all manually?


find / -perm 777 > output.txt

I believe that will do it for you. Granted, that will list all files and folders permissioned 777, but will give you a good idea of what has those permissions. Hope that helps.

As far as changing them all, you need to know what you are doing; you don't want to change something like /tmp and not allow the server to write to it. Some things can alternatively be set as 700, to prevent "nobody" from writing to them.
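
A scripted form of the audit discussed above, as an added example that is not part of the original posts: it lists directories whose mode is exactly 777 under one tree, flags PHP files sitting in them, and resets those directories to a tighter mode. The function names and the 755 default are assumptions; a directory the web server writes to as a different user also needs its owner or group adjusted.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten mode-777 directories.
# Function names and the 755 default are illustrative assumptions.

# List directories under $1 whose mode is exactly 0777.
# -xdev stays on one filesystem. The exact match skips sticky
# directories such as /tmp (mode 1777), which must stay writable.
list_777_dirs() {
    find "$1" -xdev -type d -perm 0777 2>/dev/null
}

# List PHP files directly inside those directories so they can be reviewed;
# an upload area that should hold only images or documents should have none.
list_php_in_777_dirs() {
    list_777_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php'
    done
}

# Reset every mode-777 directory under $1 to mode $2 (default 755)
# and print each change so the run leaves a record.
tighten_777_dirs() {
    root=$1
    mode=${2:-755}
    list_777_dirs "$root" | while IFS= read -r dir; do
        chmod "$mode" "$dir" && printf 'chmod %s %s\n' "$mode" "$dir"
    done
}

# Report-only run when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "Mode-777 directories under $1:"
    list_777_dirs "$1"
    echo "PHP files inside them:"
    list_php_in_777_dirs "$1"
fi
```

Run it with a single tree such as the site's document root as the argument, review the report, and only then call `tighten_777_dirs` on that tree.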
Ronny AcuNett
I suggest compiling php with phpsuexec.

Mod_security will also help prevent visitors from uploading malicious data via your web server.