[Wylug-discuss] 777 access on an images directory

Mark P. Conmy mpc at comp.leeds.ac.uk
Fri Oct 12 17:36:43 BST 2007


On Fri, 12 Oct 2007, Phil Driscoll wrote:

> On Friday 12 Oct 2007, Mike Goodman wrote:
>> Phil Driscoll wrote:
>>> The 777/execution bit was not the issue I was warning you about. The
>>> problem is that the application allows upload of files into a directory
>>> which is served up by the web server.
>>
>> But isn't that then the case for any directory containing files served
>> up by the web server? Sorry to be thick, but isn't it the permissions
>> which control who can upload files?
>
> Yes the permissions control which users can write files to a directory, but
> under normal circumstances, there would be no mechanism in place for external
> users to upload files to a web directory. However in this instance, the php
> script provides an upload form to allow files to be uploaded and written to a
> directory which is then served up by the web server. In a securely designed
> application, the web server would never have permission to write files into a
> directory that it makes directly available over HTTP.

PHP doesn't need uploaded files to be dangerous.

FTP can be isolated and (if necessary) put on a "noexec,nosuid" mounted
partition.  There are, however, so many ways to be nasty that there isn't a
10-step program to security.

I'm happy to elaborate face to face, but I don't like putting ideas in
writing when "bad guys" might be reading the archive. ;-)

Mark
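The design Phil describes above (the web server never writes into a directory it serves directly, and uploads are handed back by a handler rather than mapped straight from disk), as an added example that is not code from this thread or from the PHP application under discussion. It is a Python sketch; the directory names, the PNG/JPEG/GIF whitelist and the sample payloads are constructed for the example. The client-supplied filename is never used: the handler picks a random name, derives the extension from the leading bytes, writes the file outside the document root with no execute bits, and only ever serves names it generated itself, with a fixed Content-Type and nosniff.

```python
import os
import re
import secrets
import tempfile

# Constructed magic-byte table for the image types the hypothetical gallery
# accepts; the client-supplied filename and Content-Type are never consulted.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}
# Only names this handler itself generated are ever opened for serving.
SAFE_NAME = re.compile(r"^[0-9a-f]{32}\.(png|jpg|gif)$")


class UploadRejected(Exception):
    pass


def detect_image_type(data: bytes):
    """Return 'png'/'jpg'/'gif' from the leading bytes, or None."""
    for prefix, ext in MAGIC.items():
        if data.startswith(prefix):
            return ext
    return None


def store_upload(data: bytes, upload_dir: str, docroot: str) -> str:
    """Write an upload under a server-chosen name, outside the document root,
    with no execute bits.  Returns the path written."""
    upload_dir = os.path.realpath(upload_dir)
    docroot = os.path.realpath(docroot)
    if upload_dir == docroot or upload_dir.startswith(docroot + os.sep):
        raise UploadRejected("upload directory lies inside the document root")
    ext = detect_image_type(data)
    if ext is None:
        raise UploadRejected("not a recognised image")
    path = os.path.join(upload_dir, secrets.token_hex(16) + "." + ext)
    # O_EXCL: never overwrite; 0o644: owner rw, world r, nothing executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def serve_upload(name: str, upload_dir: str):
    """Hand a stored image back as opaque bytes with a fixed Content-Type.
    Returns (headers, body).  The web server never maps upload_dir itself."""
    m = SAFE_NAME.match(name)
    if m is None:
        raise UploadRejected("refusing to serve a name this handler did not create")
    with open(os.path.join(upload_dir, name), "rb") as f:
        body = f.read()
    headers = {
        "Content-Type": CONTENT_TYPES[m.group(1)],
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def demo() -> dict:
    """Run the handler against constructed payloads in a temporary tree."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")   # hypothetical document root
    uploads = os.path.join(base, "uploads")  # hypothetical upload store
    os.mkdir(docroot)
    os.mkdir(uploads)
    r = {}

    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16            # constructed
    php = b"<?php phpinfo(); ?>"                           # constructed
    polyglot = b"\x89PNG\r\n\x1a\n<?php phpinfo(); ?>"     # constructed

    path = store_upload(png, uploads, docroot)
    r["png_stored"] = os.path.isfile(path)
    r["png_noexec"] = (os.stat(path).st_mode & 0o111) == 0
    r["name_generated"] = SAFE_NAME.match(os.path.basename(path)) is not None

    def rejected(fn):
        try:
            fn()
        except UploadRejected:
            return True
        return False

    r["php_rejected"] = rejected(lambda: store_upload(php, uploads, docroot))
    r["docroot_rejected"] = rejected(
        lambda: store_upload(png, os.path.join(docroot, "images"), docroot))
    # A file that is both a valid-looking PNG and a PHP script passes the
    # content check: this is why serving-side execution control still matters.
    r["polyglot_passes_check"] = os.path.isfile(store_upload(polyglot, uploads, docroot))

    headers, body = serve_upload(os.path.basename(path), uploads)
    r["served_type"] = headers["Content-Type"]
    r["served_nosniff"] = headers["X-Content-Type-Options"] == "nosniff"
    r["served_bytes_match"] = body == png
    r["traversal_rejected"] = rejected(lambda: serve_upload("../htdocs/index.php", uploads))
    return r
```

The polyglot case in `demo()` is the point of the exercise: a file that starts with a valid PNG signature and then contains `<?php ...` passes any magic-byte check, so validation alone does not make a world-writable, directly-served images directory safe. Two caveats for the mitigations mentioned in the thread. First, mounting the upload volume `noexec` stops `execve` of uploaded binaries but does not stop mod_php from interpreting an uploaded `.php` file, because the interpreter reads the script as data; the server configuration must also refuse to hand that directory to the PHP handler (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the upload path does this). Second, the 777 mode is a separate problem from the one Phil is describing: even a 755 directory owned by the web server user has the same exposure, since the server process is the one doing the writing.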



