Writable PHP files getting hacked

Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

I have some clients who have some writable (0777) files on their website. Somehow people are hacking in and adding invisible iframes to the last line of the writable files.

1. How do they do this?
2. How do I combat it but also leave the files writable? Will chmodding them 0666 do the trick?

Thanks for your input!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Is it a shared server? That's how.

Having it set to 6 or 7 for the owner (creator) is all that's needed if you have PHP generate the file, however the PHP file may be helping them write arbitrary information to it. I would recommend having the data stored in a database though.
Mr Tech
Forum Contributor
Posts: 424
Joined: Tue Aug 10, 2004 3:08 am

Post by Mr Tech »

So if I set the files to 744, it would stop this from happening?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If PHP created it, you shouldn't need any bits set on any of the other permissions apart from owner.
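An audit script for the situation in this thread, added here as an example and not code from any of the posters: it lists files under a webroot that others can write to (0666, 0777), flags .php/.html files whose last line carries an <iframe> (where the injected iframes were appended), and then strips the group/other write bits so that only the owner keeps write, as feyd suggests. The sample webroot it builds in a temp directory and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a webroot for the symptom
# described above and strip the permission bits that let others write.
# All paths below are constructed for the demo; nothing here touches a
# real site unless you point the functions at one.

# List regular files under $1 that others can write to (0666, 0777, ...).
# -perm -002 matches any file with the other-write bit set.
find_world_writable() {
    find "$1" -type f -perm -002 | sort
}

# List .php/.html files under $1 whose last line contains an <iframe>,
# which is where the injected iframes in this thread were appended.
find_trailing_iframe() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) | sort |
    while IFS= read -r f; do
        if tail -n 1 "$f" | grep -qi '<iframe'; then
            printf '%s\n' "$f"
        fi
    done
}

# Drop the group/other write bits on files and directories under $1
# (0777 -> 0755, 0666 -> 0644). The owner keeps write, which is all a
# PHP script needs when PHP runs as the file's owner.
strip_other_write() {
    find "$1" \( -type f -o -type d \) \( -perm -002 -o -perm -020 \) \
        -exec chmod go-w {} +
}

# Build a constructed sample webroot in a temp dir: one clean file, one
# 0777 file with a hidden iframe on its last line, one 0666 html file.
make_sample_webroot() {
    dir=$(mktemp -d)
    printf '<?php\n$counter = 1;\n' > "$dir/clean.php"
    chmod 0644 "$dir/clean.php"
    printf '<?php\n$counter = 2;\n?>\n<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n' > "$dir/counter.php"
    chmod 0777 "$dir/counter.php"
    printf '<html><body>hi</body></html>\n' > "$dir/index.html"
    chmod 0666 "$dir/index.html"
    printf '%s\n' "$dir"
}

# Demo run against the sample tree.
root=$(make_sample_webroot)
echo "== world-writable files"; find_world_writable "$root"
echo "== files with an iframe on the last line"; find_trailing_iframe "$root"
strip_other_write "$root"
echo "== world-writable files after chmod go-w"; find_world_writable "$root"
rm -rf "$root"
```

Two caveats a practitioner would want. Owner-only write only helps when the PHP process runs as the file's owner and nobody else's code runs as that user: on a shared host running mod_php, every site's scripts run as the same Apache user, so a file owned by that user and writable only by it is still writable by any neighbour's script, and per-user PHP execution (suPHP, FastCGI pools) or moving the data into a database, feyd's other suggestion, is the real fix there. And the scan only catches the symptom reported in the thread (an iframe on the last line); if the PHP script that writes the file accepts unvalidated input, the attacker does not need any permission bits at all, so review that script as well.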
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Since this topic is here, I would like to ask my similar question too.
Why exactly is it bad to have an Apache-writable (the user Apache runs as) directory under the webroot?
Is this a problem only on shared hosting, where someone could create/copy a script into your webroot and execute it?
Are file upload attacks possible? Or what?
Or are there more tricks to it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

jmut wrote: Since this topic is here, I would like to ask my similar question too.
Why exactly is it bad to have an Apache-writable (the user Apache runs as) directory under the webroot?
Is this a problem only on shared hosting, where someone could create/copy a script into your webroot and execute it?
Are file upload attacks possible? Or what?
Or are there more tricks to it?
Those are the simple holes created on shared hosts if they did not configure their servers well. Upload attacks are possible if you didn't set up the directory or code correctly. The former is mostly up to your host, the latter is entirely your problem. :)
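feyd's answer splits the upload problem into how the directory is set up and how the code behaves. The following is an added example covering both halves, not code from the thread or from any of the posters: it writes an .htaccess that makes Apache refuse to execute anything stored in the upload directory, and defines a filename allow-list for the upload handler so a script cannot be stored there in the first place. It assumes Apache 2.4 with mod_php and an AllowOverride that permits these directives (with PHP-FPM the php_flag line has no effect and the equivalent setting belongs in the pool or vhost config); the directory paths and sample names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two pieces of an upload-directory
# setup. The .htaccess stops Apache from executing anything dropped in
# the directory; the name filter stops the upload handler from storing a
# script in the first place. Assumes Apache 2.4 + mod_php and an
# AllowOverride that permits these directives (assumption); the paths
# and names below are constructed for the demo.

# Write an .htaccess into $1 that refuses to run scripts stored there.
write_upload_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Stop mod_php, and any CGI, from executing files in this directory.
php_flag engine off
Options -ExecCGI -Indexes
# Drop the PHP handler/type so a .php (or x.php.jpg) name is served raw.
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType .php .phtml .php3 .php4 .php5 .phar
# Belt and braces: never serve script-looking names at all, including
# double extensions such as x.php.jpg.
<FilesMatch "\.(php[0-9]?|phtml|phar|cgi|pl|py|sh)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# Accept an upload name only if it is plain (no path, no dotfile, no
# double extension, no spaces) and ends in an allow-listed image
# extension. shell.php, shell.php.jpg, .htaccess and ../x.jpg are all
# rejected; the extension check is case-insensitive because Apache's
# own extension matching is.
is_safe_upload_name() {
    case "$1" in
        ''|*/*|.*|*..*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eiq '^[a-z0-9_-]{1,64}\.(jpe?g|png|gif)$'
}

# Demo: write the .htaccess into a temp dir and run the filter over a
# few constructed names.
uploads=$(mktemp -d)
write_upload_htaccess "$uploads"
echo "== $uploads/.htaccess"; cat "$uploads/.htaccess"
for name in photo_01.jpg Avatar-2.PNG shell.php shell.php.jpg .htaccess ../x.jpg; do
    if is_safe_upload_name "$name"; then echo "accept $name"; else echo "reject $name"; fi
done
rm -rf "$uploads"
```

Store uploads under a name you generate (a random token plus the validated extension) rather than the client's name, and keep the directory outside the webroot where the application can do so; the .htaccess is the fallback for when it cannot, and it only protects you if the host has not disabled .htaccess overrides, which is the "mostly up to your host" part of feyd's answer.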