chmoding for php scripts
Posted: Sun Sep 10, 2006 6:23 am
Hey all,
I have a problem. I have a php script which reads images, creates thumbnails and puts them in a separate directory, and which reads and writes configuration and template files. For the script to be able to read and write them, I haven't found any other way but chmoding the files and the directory where it puts the thumbnails to 707.
I have searched a lot of chmoding tutorials, but I didn't really find an answer whether chmoding to 707 is a big security issue (as I have heard) or whether it isn't.
One of the users of my script suddenly found an evil file in his thumbnails directory which basically allowed the hacker to do everything he wanted with the server, read contents of php files (like the one where the database username and password are stored) etc. If it has something to do with chmoding the directory to 707, then how can I avoid this?
Furthermore, as I have said, the database configuration is stored in a file which is chmoded to 707 (so the installation script can write the info to it) - now is it possible for hackers to somehow retrieve the content of the file?
Thanks for any advice!
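An added example, not part of the original post: a shell audit for the setup described above, listing every path writable by "other" (the final 7 in 707) and every non-image file sitting in a thumbnail directory. The directory layout and file names (`thumbs`, `config.php`, `x.php`) are constructed for the demo.

```shell
#!/bin/sh
# Added example; the tree built below is constructed sample data.

# List files and directories under $1 that are writable by "other".
# Mode 707 = owner rwx, group ---, other rwx, so it matches -perm -0002.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# List files under $1 whose extension is not a known image type.
# A thumbnail directory should hold images only; anything else
# (for example a .php file) deserves a closer look.
image_dir_strays() {
    find "$1" -type f ! \( -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' -o -iname '*.gif' \) -print | sort
}

# Build a constructed web root that mirrors the post:
# a 707 thumbnail directory and a 707 configuration file.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/thumbs"
    : > "$root/index.php"
    : > "$root/config.php"
    : > "$root/thumbs/a.jpg"
    : > "$root/thumbs/x.php"      # constructed stand-in for an unexpected file
    chmod 755 "$root"
    chmod 644 "$root/index.php" "$root/thumbs/a.jpg" "$root/thumbs/x.php"
    chmod 707 "$root/thumbs" "$root/config.php"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
demo_root=$(make_sample_tree)
echo "Writable by other:"
world_writable "$demo_root"
echo "Non-image files in thumbnail directory:"
image_dir_strays "$demo_root/thumbs"
rm -rf "$demo_root"
```

To audit a real installation, call `world_writable` on the web root and `image_dir_strays` on the thumbnail directory instead of the constructed tree.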