Security concerns with uploading files and images [XOOPS general usage questions]

Security concerns with uploading files and images

2006/7/28 0:03
DJDrD
Just popping in
Posts: 18
Since: 2006/7/26

Hello,

I recently added the xcGallery and myAlbum-P modules to my XOOPS installation.

I notice that the image upload directories need to be world writeable, i.e. 777. This seems very insecure.

Why is this very open permission set required?
Is there a way around it?

A little while ago I installed a small php/mysql image gallery taken from a PC magazine tutorial (not an XOOPS module) that did not require such open permissions on the upload directory, rather teh ability to uplaod was limited by other security features in the software. Perhaps the uploads were performed by the daemon (I may be wrong, though), which meant that the directory access could be limited.

Any thoughts and assistance woudl be welcome.

kind regards,
DJDrD

Re: Security concerns with uploading files and images

2006/7/28 1:13
ghettonet
Not too shy to talk
Posts: 176
Since: 2005/12/4

hm. well, the directory does have to be writable, obviously, and has to be readable and traversable (executable). Having a directory chmodded to 777 isn't a security risk per se, it depends on alot of other things. One is the umask of the user that is running the script - if the umask is set to write the files as 755, someone could execute the script (in a default Apache environment, Apache won't execute scripts chmodded to 777, or obviously, 766 because it isn't executable). So if the umask of the user running the uploader script writes the files as 700 (or even 777, although that wouldn't be cool), you're fine. Scripts should always be security consious, but you should never depend on their security.

I guess in short, it's not insecure if your Apache environment is setup securely, although I'm sure there are other users that are much better than me to explain better).

As for ways around it, run ClamAV on your server, maybe run a simple bash script to chmod all the pics in the directory to a more secure level. Run Bastille. Defintly use the security module for Xoops! That will help a lot.

GhettoNET Development - That's how we roll.

Re: Security concerns with uploading files and images

2006/7/28 4:06
DJDrD
Just popping in
Posts: 18
Since: 2006/7/26

Thank you, ghettonet, for your reply.

After reading your email I delved more deeply into the directory/file permissions and umask and did in fact see that subdirectories are set to 755 and files to 644.

I will also re-read the security tips and Tricks document and finish installing the security module.

thanks,
DJDrD

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Security concerns with uploading files and images

Re: Security concerns with uploading files and images

Re: Security concerns with uploading files and images

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}