File Upload, Delete and Write Permissions

Forum Moderators: coopster

Message Too Old, No Replies

File Upload, Delete and Write Permissions

Security Issues?

Murdoch

7:19 pm on Apr 3, 2008 (gmt 0)

I've heard a lot of people say that in order to upload and delete (unlink) files I have to set my write permissions to 777 (which I have) but isn't that a bit unsecure? Couldn't anyone potentially upload or delete files from my directory this way? I'm guessing that there is a security measure in place not to allow this kind of access from outside the site but isn't 777 allowing anyone to do anything?

Thanks
-Doc

mikhaill

12:24 am on Apr 4, 2008 (gmt 0)

Some of the things I've done to minimize such issues

a) Create only one directory that is writeable and make sure its not reachable from the web (diff server folder, not under docroot)

b) Don't 777 but just give apache group permission to write to it (chown apache.apache foldername)

c) Filter file extensions on upload. Have your upload form only accept certain file extensions and block everything else from being uploaded. Look out for null bytes in file extensions when checking.

Murdoch

2:01 am on Apr 4, 2008 (gmt 0)

I definitely follow rule c), I'm probably overdoing it with preg_replace/match already, regardless of the form.

I'll have to look into the apache permissions. Problem is we have a whole server full of virtual domains but I'm only allowed to work on one particular group (and I'm using Cpanel) so I'm limited in what I have available to me.

Thanks for the tips.