
PHP upload and directory access

I am frustrated, this problem is over my head – need help!

A client had directory permissions set to 777 on a particular directory because they are using a PHP upload script. Although the PHP script sat in a separate protected directory, we discovered that an unknown someone had placed a .php file in that unprotected directory. That script was written to send specific server variables through the URL to a server in Russia.

My questions are as follows:
How can I protect the directory against outside access when the permissions must be set at 777 so the desired PHP upload script has access? (.htaccess ?)
How did this person locate the directory in the first place?
How did he/she upload the file being as the upload script was coded to allow only specific extensions through?
How did he/she upload the file being as the upload script was placed in a protected directory?

Thanks in advance.


9 Comments

@bokeh, Aug 04.2005 — Directory permissions are just an additional line of defence, but even when your directory is set to 0777 nobody is able to upload anything unless your server or PHP scripts are letting them. You need to go through your log file and find out how that file was uploaded and then close that gaping hole in your security set up.
@ATBS (author), Aug 04.2005 — Thanks.

I thought we were reasonably tight with security.

It is a shared server, so I do not have direct access to the logs. I suppose I could request them.

Being as it's a shared server, I wonder whether this was done by another user on the server.
@bokeh, Aug 04.2005 — Well, it may not be another user, but it may have been done using one of their scripts. The first place to start looking, though, is your own scripts, as you are in control of those. Also, even if it is a shared server, each user should have their own log file.

Another idea, maybe, is to change permissions on the directory to 0777 for the file write and then back to something safer afterwards. That is, if your server is set to allow PHP to do this.
@ATBS (author), Aug 04.2005 — I checked the log file from the create date of the script and didn't see anything out of the ordinary.

I am not sure what to look for though?
@bokeh, Aug 04.2005 — Well, that depends. On my server, if a file is uploaded I have PHP write that info to the Apache log using apache_note, along with any other relevant info like sending emails etc. If you are just using a default log, the only thing that may show something dodgy is a peculiar query string.
@ATBS (author), Aug 05.2005 — Thanks for your help.

Isn't it true that query info will not show in the log because I am using post not get?

I will have to rethink my strategy and add comments to the log, as you indicated - thanks.
@bokeh, Aug 05.2005 — What method you are using is not very relevant, as it is the hacker deciding on the method. Secondly, after some thought I would presume the weak link is the upload script your client is running rather than that of another user, but I could be wrong. Also, if you chose to, it would be simple to save POST data in the log, although I don't see the point.

What I would add to the log is info about uploads. You could add a field showing keys from the $_FILES array.
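The logging bokeh describes, written out as an added example (not code from this thread or from the client's script): an upload handler that whitelists extensions, stores files under a server-chosen name, and records the `$_FILES` fields of every attempt with `apache_note()`, falling back to `error_log()` when PHP is not running as an Apache module. The field name `userfile` and the path `/var/www/uploads` are assumptions.

```php
<?php
// Added example, not the thread's code. Assumed: form field "userfile",
// uploads stored in UPLOAD_DIR (constructed path).
const UPLOAD_DIR  = '/var/www/uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function logUpload(string $msg): void
{
    // apache_note() exists only when PHP runs as an Apache module;
    // the note is emitted by a LogFormat containing %{upload}n.
    if (function_exists('apache_note')) {
        apache_note('upload', $msg);
    }
    error_log('upload: ' . $msg);   // always also goes to the PHP error log
}

function handleUpload(array $file): ?string
{
    $client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $orig   = $file['name'] ?? '';
    $ext    = strtolower(pathinfo($orig, PATHINFO_EXTENSION));

    // Record what $_FILES reported, whether or not the upload is accepted.
    $info = sprintf('ip=%s name=%s type=%s size=%d err=%d', $client, $orig,
        $file['type'] ?? '', $file['size'] ?? 0, $file['error'] ?? -1);

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        logUpload("rejected (transfer error) $info");
        return null;
    }
    // Whitelist by extension; the client-supplied MIME type is never trusted.
    if (!in_array($ext, ALLOWED_EXT, true)) {
        logUpload("rejected (extension) $info");
        return null;
    }
    // Server-chosen name: the original filename never reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        logUpload("rejected (move failed) $info");
        return null;
    }
    logUpload("accepted $info stored=" . basename($dest));
    return $dest;
}

if (isset($_FILES['userfile'])) {
    echo handleUpload($_FILES['userfile']) ? 'Upload accepted.' : 'Upload rejected.';
}
```

Add `%{upload}n` to the Apache `LogFormat` so the note appears in the access log next to the request that produced it; rejected attempts are logged too, which is what makes the log useful for the kind of investigation discussed above.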
@ATBS (author), Aug 05.2005 — Call me thick and slow, I still don't get how it was found and compromised in the first place.

How do I learn more about the methods of compromising a server/scripts so as to guard against them?

It seems as though I have to study the http protocol in depth...
@bokeh, Aug 05.2005 — Could I see the script?