1

Usually, I try to set my folders to have permission 775, but some web hosting refuses to let PHP write or move files to any folder unless it has permission 777 (it may be open_dir or safe mode).

Are there any ways to prevent any PHP files from being run from such folders, in case a malicious PHP script has been uploaded there?

Charles
Extrakun
  • 1
    Folders with 777 permissions are inexcusably dangerous. Find a different web host. – Greg Hewgill Feb 25 '10 at 18:31
  • Sometimes when freelancing, clients will insist on getting their own webhost and turn up with one that has such 'limitations'. If I could, I would ditch those webhosts in a heartbeat! – Extrakun Feb 25 '10 at 18:47
  • 1
    @Greg Maybe a stupid question, but how exactly is a 777 folder more dangerous than a 755 one? Is it because other users on the server could execute PHP files in it, or is there some greater danger I do not see? Because to be run from the outside through the web server, any permission would do, wouldn't it? – Pekka Feb 25 '10 at 19:06
  • @Pekka: For examples, see http://serverfault.com/questions/105773/code-injected-inside-php-file-with-777-permission or http://stackoverflow.com/questions/1577514/is-setting-the-uploads-folder-777-permision-secure – Greg Hewgill Feb 25 '10 at 19:09
  • @Greg cheers, but I still don't get around how somebody could write into such a folder from the outside. It's not that I doubt there is danger - I follow the principle of granting as few rights as possible - but I would like to understand it. I think I'll open a new question later. – Pekka Feb 25 '10 at 19:14
  • If you do file uploads, and the validation for file types is weak or is bypassed, someone could upload a PHP file to it. – Extrakun Feb 26 '10 at 09:40

4 Answers

6

> Folders with 777 permissions are inexcusably dangerous. Find a different web host

Actually, find a different host if your host does NOT require 777 for it to be writeable. In truth, if PHP scripts can write to a folder that is 755 (suexec, suPHP), that's effectively the same as having ALL folders 777. So what you want, for security, is a host who requires 777 in order to make the folder writeable.

Think about it this way - almost all folders are 755 by default. If scripts can write to 755 folders, that means any script can write to any folder!

If scripts can write only to 777 folders, that means they can only write to the folders they are supposed to. If you're going to allow writes to all directories, they may as well ALL be 777, so that's what's inexcusably dangerous.

Just the opinion of one licensed security professional with fifteen years of experience.

Ray
  • This is dangerous. Please see [this post](https://stackoverflow.com/questions/2338641/in-a-php-apache-linux-context-why-exactly-is-chmod-777-dangerous). Edit: Formatting – Ege F Nov 18 '19 at 07:12
2

> Are there any ways to prevent any PHP files from being run from such folders, in case a malicious PHP script has been uploaded there?

You could disable PHP for that directory. See this answer.

Community
Pekka
0

Disable Script Execution

You can also try to disable script execution on the upload folder where all the files go. You can do this by writing a .htaccess file in the folder.

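```apache
# Treat these extensions as CGI scripts in this directory...
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
# ...then forbid CGI execution, so requests for them are refused instead of run.
Options -ExecCGI
```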

0

Ray's comment doesn't make sense. A licensed security professional? Scripts that are created by owner should be able to write to 755 folders! See http://www.zzee.com/solutions/linux-permissions.shtml too!

And the answer to the original question... It's easy. Using php_value auto_prepend_file within .htaccess will do it. Just create a simple script that terminates [die() function], define it within .htaccess; each PHP script called from such a directory will not be executed. You can even configure that "kill" script to email you each time something suspicious happens (when something is trying to call PHP scripts from the "protected" directory).

Jan
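
Added example, not written by any of the posters above: a shell audit that lists the world-writable (for example 777) directories under a web root, counts the PHP-like files sitting in each, and reports whether the directory's .htaccess carries one of the guards from the answers (`Options -ExecCGI`, `php_value auto_prepend_file`). The function names and the sample tree are hypothetical, and `php_flag engine off` is assumed as one way to "disable PHP for that directory", since the linked answer is not reproduced on this page.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable (e.g. 777) directories and
# show whether PHP files inside them are blocked by a guard from the answers.

# PHP-like files directly inside directory $1 (case-insensitive extensions).
script_files_in() {
    find "$1" -maxdepth 1 -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# True if $1/.htaccess carries one of the guards discussed on this page.
has_exec_guard() {
    [ -f "$1/.htaccess" ] && grep -Eiq \
        '^[[:space:]]*(php_flag[[:space:]]+engine[[:space:]]+(off|0)|Options[[:space:]].*-ExecCGI|php_value[[:space:]]+auto_prepend_file[[:space:]]+[^[:space:]])' \
        "$1/.htaccess"
}

# One line per world-writable directory under $1: STATUS<TAB>script count<TAB>dir
audit_webroot() {
    find "$1" -type d -perm -0002 -print | sort | while IFS= read -r dir; do
        count=$(script_files_in "$dir" | wc -l | tr -d ' ')
        if has_exec_guard "$dir"; then status=GUARDED; else status=EXPOSED; fi
        printf '%s\t%s\t%s\n' "$status" "$count" "$dir"
    done
}

# Constructed sample tree (not real data): two 777 upload folders, one guarded.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/uploads" "$root/avatars" "$root/lib"
    chmod 777 "$root/uploads" "$root/avatars"
    chmod 755 "$root/lib"
    : > "$root/uploads/a.PHP";   : > "$root/uploads/photo.jpg"
    : > "$root/avatars/x.phtml"; : > "$root/lib/db.php"
    printf 'AddHandler cgi-script .php .phtml\nOptions -ExecCGI\n' \
        > "$root/avatars/.htaccess"
    printf '%s\n' "$root"
}

# Run against a directory given as $1, e.g.: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then audit_webroot "$1"; fi
```

A GUARDED result only reflects the .htaccess present at scan time: in a 777 directory any local account can replace that file, and the directives take effect only where the host's `AllowOverride` settings permit them.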