.htaccess security (777) for form uploads
Posted by Lelldorianx, 07-20-2010, 04:50 PM
Hi.
I'm adding a new forms component to my website. The forms need to allow uploading from users (pdfs, zips, jpgs, etc), and when I installed the form component, it informed me that I need to chmod an /upload directory to 0777. From reading online, just any old 777 is very insecure.
I was hoping to get some information on exactly what code I need to put in my .htaccess file to ensure only particular file types are secure to be uploaded (i.e., absolutely no php should be allowed, for obvious reasons).
Additionally... what file types are considered safe for 777? Will any of the above suggestions potentially pose a threat to my site (pdf, zip, jpg, doc, xls)?
Thanks!!
Posted by OLM | DavidG, 07-20-2010, 05:03 PM
You may not need to give the uploads directory 777 permissions, and this is indeed a very insecure practice. Depending on the web server configuration, your scripts may be executing as your site's user id, as is the case with servers using suphp. Do you know which user id your scripts execute as?
Posted by Lelldorianx, 07-20-2010, 05:13 PM
I just checked the component's website; it doesn't seem to be anywhere obvious. I can email the developer and ask.
I did notice that some people on the forums were discussing the use of 755 instead... not sure if that tells you anything.
I am going to email the developer and post on their forums to see if I get a response regarding the userid. They already made it pretty clear that they will not help with creating an .htaccess file (probably don't want to be held accountable for any security holes), so I will have to return here for help with that (if that's OK).
Edit: after reading more closely, I noticed that you said this depends on my server config. Should I be asking my webhost instead?
Last edited by Lelldorianx; 07-20-2010 at 05:18 PM.
Posted by OLM | DavidG, 07-20-2010, 05:18 PM
Is this component written in PHP? If so, you can place a simple test file on your site, and then call it via a web browser, in order to determine which user id your scripts are executing as. For example (assuming that the "system()" function is not disabled on the server):
Posted by Lelldorianx, 07-20-2010, 05:51 PM
Yep, it's written in php. Just place any file on the site, in any folder?
Once I place it on the site and browse to it using my web browser, what do I need to do in order to see how it executes? Thanks!
Posted by OLM | DavidG, 07-20-2010, 05:55 PM
Yes, you can name this test php file anything you would like, as long as it has the .php file extension.
When you open the script in your web browser, it should produce a line of text, which includes the user name and user id (uid) that the script executes as. Once you have this output, please paste it into this thread.
There is a chance that the PHP system() call is disabled on the server, and the basic script that I provided will not work. In that case, the script may produce no output at all.
Posted by Lelldorianx, 07-20-2010, 06:31 PM
I think it worked, here's the output: uid=6233653(u53481410) gid=600(ftpusers)
Note: I'm going to be offline for a few hours... there's a big storm coming!
Posted by OLM | DavidG, 07-20-2010, 06:36 PM
That's certainly an odd uid if you ask me, but it looks like a unique user id which would be associated with your site (as opposed to a generic user such as "apache").
Assuming that your site's files/directories are owned by the same user/uid, the PHP application that you plan to use should work fine with the "upload" directory configured with standard permissions (no 777).
Posted by Lelldorianx, 07-20-2010, 07:12 PM
Awesome! I guess the best way to figure it out is just to try the application without any modifications, then. I'll do that after this storm passes and let you know the results.
Thanks again!
Posted by Lelldorianx, 07-21-2010, 10:25 PM
Yep, it works! Thanks!
Posted by Loyal, 07-22-2010, 07:46 AM
Just chmod it 755 and it will work. Or if there is an option to put the upload dir outside your www/ this will be much better as well.
Also you can try to add the following to your .htaccess:
RemoveType .php .php3 .phtml .pl .cgi .shtml .phtml *.php.*
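Server-side allowlisting that complements the .htaccess advice in this thread, as an added example (not code from the thread or from the form component): it accepts only the file types the original poster listed, checks the file contents rather than trusting the name, rejects names that carry a script extension in any dotted segment, and stores the file under a random name. The function names, the allowlist map and the use of PHP's fileinfo extension are assumptions.

```php
<?php
// Added example, not from the thread or the form component: server-side
// allowlisting for the upload directory. Function names and the allowlist
// are assumptions; adjust the map to the types your forms actually need.

// Extension => acceptable MIME types, built from the types the original
// poster listed (pdf, zip, jpg, doc, xls). Anything else is refused.
const ALLOWED_UPLOADS = [
    'pdf' => ['application/pdf'],
    'zip' => ['application/zip', 'application/x-zip-compressed'],
    'jpg' => ['image/jpeg'],
    'doc' => ['application/msword'],
    'xls' => ['application/vnd.ms-excel'],
];

// Extensions that must not appear in any dotted segment of the name:
// mod_mime evaluates every extension, so with AddHandler-style PHP setups
// a name like "report.php.jpg" can still reach the PHP handler.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'pl', 'cgi', 'shtml'];
// Returns the extension to store the file under, or null to refuse it.
// $originalName is the client-supplied name; $tmpPath is $_FILES[...]['tmp_name'].
function validateUpload(string $originalName, string $tmpPath): ?string
{
    $parts = explode('.', strtolower(basename($originalName)));
    $ext = array_pop($parts);
    if ($parts === [] || !isset(ALLOWED_UPLOADS[$ext])) {
        return null;                              // no extension, or not allowlisted
    }
    if (array_intersect($parts, SCRIPT_EXTENSIONS) !== []) {
        return null;                              // catches "x.php.jpg"
    }
    // Check the bytes, not just the name: the extension is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ALLOWED_UPLOADS[$ext], true) ? $ext : null;
}

// Moves a validated upload ($file is one $_FILES entry) into $uploadDir under
// a random name, so the client never chooses the path that ends up on disk.
function storeUpload(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validateUpload($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Pair this with the .htaccess measures discussed in the thread (and, where possible, an upload directory outside the web root) so that a file which slips past validation still cannot be executed.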