Hey there,
I've been having some trouble with my site today (apparently a spammer decided to target all the folders on my server that were chmodded to 777, and upload a .htaccess and malicious type php file in those directories). It wasn't just the oekaki, it was my whole site - just 777 chmodded directories. I know that 777 is really quite risky, because it can be read and written to by anyone, so I'm feeling a little stumped.
The pictures folder needs to be chmodded 777 to work on my site. I'm worried that it will happen again if I chmod it back. I currently have decided to disable it by chmodding it 755. Is there any way to protect the pictures directory, security-wise? Or limit what can be uploaded to it? If not, will that perhaps be a future consideration?
It's been one of those days.
All the best,
Lemm.
Are you sure you can't use 765 or 775? The last digit controls public permissions, while the middle digit handles group permissions (you, your FTP login, PHP, other server scripts, etc.)
So long as the group permissions are high enough, it should work. I've never heard of a server that needs 777 to function, though it is fairly common for 755 not to work.
.htaccess files are nifty, but they only control how the Apache web server handles files. PHP is restricted only to your "public_html" folder, and Perl can do pretty much whatever it wants (there is no Perl code in Wacintaki). If there's a security hole in a script, it will typically be able to invade the whole server (or, your own account). Unfortunately, UNIX wasn't designed to quarantine folder access except through groups. You either belong to the same group as the owner, or you don't.
Is there any way to protect the pictures directory, security-wise? Or limit what can be uploaded to it?
Not really, unless you have administration abilities on the server itself and know a bit about UNIX/Linux.
Wacintaki doesn't allow files to be uploaded with specific names, and also checks image headers to make sure they are valid image files, and not data. If you're concerned about hacks getting into your board through the banner or notice (which allows PHP code), open up your hacks.php file and change define ('DISABLE_PHP_RESOURCE', 0); to define ('DISABLE_PHP_RESOURCE', 1);. This will prevent any PHP code from being inserted into the board. I find it unlikely that the resource files are a security threat unless you have an admin who is using PHP in the notice/banner/rules/etc.
PS - Great avatar.
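The permission-digit explanation above (owner / group / other, with 777 meaning anyone can write into the directory) is the kind of thing worth checking across a whole web root rather than one folder at a time. The script below is an added example and is not code from this thread or from Wacintaki: it spells out what each octal digit grants, flags modes whose "other" digit includes write, and walks a directory tree for world-writable directories like the ones the spammer targeted. The sandbox it builds under a temporary directory is constructed for the demo; point find_world_writable_dirs at your own public_html to audit a real account.

```sh
#!/bin/sh
# Added example, not from the forum thread or from Wacintaki.
# Audits a directory tree for world-writable directories (the 777 case
# discussed above) and explains what each octal permission digit grants.

# Translate one octal digit (0-7) into rwx notation.
digit_to_rwx() {
  case "$1" in
    0) echo "---" ;; 1) echo "--x" ;; 2) echo "-w-" ;; 3) echo "-wx" ;;
    4) echo "r--" ;; 5) echo "r-x" ;; 6) echo "rw-" ;; 7) echo "rwx" ;;
    *) echo "???" ;;
  esac
}

# Print "owner=... group=... other=..." for a three-digit mode such as 775.
# First digit: owner; second: group (FTP login, PHP, other server scripts
# sharing the group); third: everyone else.
describe_mode() {
  m="$1"
  printf 'owner=%s group=%s other=%s\n' \
    "$(digit_to_rwx "$(printf '%s' "$m" | cut -c1)")" \
    "$(digit_to_rwx "$(printf '%s' "$m" | cut -c2)")" \
    "$(digit_to_rwx "$(printf '%s' "$m" | cut -c3)")"
}

# Succeed (exit 0) when the "other" digit has the write bit (value 2) set,
# i.e. any account on the server could drop a file into the directory.
is_world_writable() {
  other=$(printf '%s' "$1" | cut -c3)
  case "$other" in
    2|3|6|7) return 0 ;;
    *)       return 1 ;;
  esac
}

# List world-writable directories under a path, one per line.
# No output means nothing under the path is open to everyone.
find_world_writable_dirs() {
  find "$1" -type d -perm -o+w
}

# Demo on a constructed sandbox: one directory at 777 (the mode the
# spammer abused) and one at 775 (writable by owner and group only).
demo() {
  sb=$(mktemp -d)
  mkdir "$sb/pictures_777" "$sb/pictures_775"
  chmod 777 "$sb/pictures_777"
  chmod 775 "$sb/pictures_775"
  echo "777 -> $(describe_mode 777)"
  echo "775 -> $(describe_mode 775)"
  echo "world-writable directories under $sb:"
  find_world_writable_dirs "$sb"
  rm -rf "$sb"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
  *sh) ;;
  *) demo ;;
esac
```

Because only the third digit decides whether strangers can write, 775 keeps the group (and so PHP, if it runs in your group) able to save pictures while closing the door the spammer used; the find call is the quick way to confirm no other folder on the account was left at 777.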
Ah thanks a lot - I'll try those other chmods out.
I don't know what happened yesterday - I think I did have some folders that were chmodded 777 (doh) because I didn't know better at the time. It's funny how much is learnt when something goes wrong.
Thanks Waccoon.
As a Windows user, I was pretty much clueless as to UNIX security until I started uploading my scripts to my own web site, and watched in horror as things blew up all over the place. I don't really like the way that UNIX does things, but, I've learned to live with it.