
chmoding for php scripts

Posted: Sun Sep 10, 2006 6:23 am
by Destiny
Hey all,

I have a problem. I have a php script which reads images, creates thumbnails and puts them in a separate directory, and which reads and writes configuration and template files. For the script to be able to read and write them, I haven't found any other way but chmoding the files and the directory where it puts the thumbnails to 707.
I have searched a lot of chmoding tutorials, but I didn't really find an answer whether chmoding to 707 is a big security issue (as I have heard) or whether it isn't.
One of the users of my script suddenly found an evil file in his thumbnails directory which basically allowed the hacker to do everything he wanted with the server, read contents of php files (like the one where the database username and password are stored) etc. If it has something to do with chmoding the directory to 707, then how can I avoid this?
Furthermore, as I have said, the database configuration is stored in a file which is chmoded to 707 (so the installation script can write the info to it) - now is it possible for hackers to somehow retrieve the content of the file?

Thanks for any advice!

Posted: Sun Sep 10, 2006 7:45 am
by feyd
Here's a thread from this year regarding chmod and 777. While not 707, the same information applies. viewtopic.php?t=44095

As for possible alternatives, you could use the FTP functions (if enabled) to write the files under a user account.

http://php.net/ref.ftp
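
One way to apply the FTP suggestion above, as an added example that is not part of the original thread: the script uploads each thumbnail through a local FTP login, so the file is created by the account owner and the directory no longer needs write permission for "other". The host, account, paths and config file location are hypothetical, and it assumes the web server runs as a different user than the account owner.

```php
<?php
// Added example. Host, account, paths and config location are hypothetical.

/**
 * Upload a locally generated thumbnail through FTP so the file is created by
 * the account owner and the thumbnails directory can stay at 0755.
 */
function storeThumbnailViaFtp(string $tmpFile, string $name, array $cfg): void
{
    // Only plain image names: no path separators, no script extensions.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/i', $name)) {
        throw new InvalidArgumentException('Unexpected thumbnail name');
    }
    // Refuse anything that cannot be identified as an image.
    if (@getimagesize($tmpFile) === false) {
        throw new RuntimeException('Temporary file is not an image');
    }

    $conn = ftp_connect($cfg['host'], 21, 10);
    if ($conn === false) {
        throw new RuntimeException('FTP connect failed');
    }
    try {
        if (!@ftp_login($conn, $cfg['user'], $cfg['pass'])) {
            throw new RuntimeException('FTP login failed');
        }
        ftp_pasv($conn, true);
        $remote = rtrim($cfg['thumb_dir'], '/') . '/' . $name;
        if (!ftp_put($conn, $remote, $tmpFile, FTP_BINARY)) {
            throw new RuntimeException('FTP upload failed');
        }
        // Owner read/write, everyone else read-only.
        ftp_chmod($conn, 0644, $remote);
    } finally {
        ftp_close($conn);
    }
}

// Assumed config file outside the document root, returning
// ['host' => '127.0.0.1', 'user' => ..., 'pass' => ..., 'thumb_dir' => ...].
$cfg = require '/home/example/private/ftp-config.php';

// Constructed stand-in for the real resize step: a blank 120x90 JPEG via GD.
$tmp = tempnam(sys_get_temp_dir(), 'thumb');
$img = imagecreatetruecolor(120, 90);
imagejpeg($img, $tmp, 85);
storeThumbnailViaFtp($tmp, 'photo_001.jpg', $cfg);
unlink($tmp);
```

The FTP password now sits in a file the PHP process can read, so that file belongs outside the document root rather than next to the scripts.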

Posted: Sun Sep 10, 2006 9:18 am
by Destiny
Thanks, that's an interesting thread, and sorry I didn't search before to dig this topic up myself...