Re: risk of chmod 0777

Posted by Bob Bedford on 07/03/07 11:52

Hi Lars, thanks for replying

>> what do I risk ?
>
> Essentially your server and all the data you have on it and your
> reputation if your server is compromised in such a way as to produce an
> annoyance on the internet.
>
>> my ftp doesn't have any guest access !
>
> If the httpd files are 644, anyone, even ftp running as nobody (i.e. the
> least privileged user) can read them. Your program using ftp can read the
> files, modify them, and write them to a place where it does have write
> privileges. You shouldn't be serving raw uploads anyway. The problem is:
> if you can write these files via anonymous ftp, so can anyone else.
No, anonymous access to FTP is disabled. So no risk, I think.
Anyway, 644 doesn't allow me to write to it, as my program isn't running as
httpd... so I'm stuck. As I understand it, to have the right to write to
this dir I must set 664 instead of 777; this way I can read and write to the
directory. If not, I have to set it to 666. Keeping in mind there is no
anonymous access, I should be ok??? Could you please confirm this?

> Files should be sanitized, resized, and moved by the php that handles the
> POST data.
As it's a mutualized (shared) server, big images (more than 4 million pixels,
quite common these days) can't be resized in the PHP script due to the memory
limit; that's why I do it over an FTP connection in my own compiled program.

>> Also joker question: what does "execute" mode mean ?
>
> It means it is allowable for the file to be executed as a program, and if
> you do not see why this is a bad idea for uploaded files, you need to get
> out of the computer business. For some servers (i.e. apache), the execute
> bit is used to indicate that the file should be parsed for server-side
> includes when it is being served. At the very best this is a waste of the
> server's time if the file is an image which naturally should not contain
> any server instructions. At worst, it would allow malicious server
> instructions in an image file to be executed. Don't set the execute bit on
> any file that should not contain SSIs.
Execute isn't set for the images dir, so that's ok.

Thanks for helping.
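As an added illustration (not code from this thread), the following Python works out what one account can do to a file under a given mode, following the owner/group/other rule, and flags the two risky bits Lars describes; the account and group names httpd, www and bob are assumptions.

```python
import stat
from dataclasses import dataclass


@dataclass
class FileEntry:
    """One uploaded file: who owns it and its permission bits (e.g. 0o664)."""
    path: str
    owner: str
    group: str
    mode: int


def rights_for(entry: FileEntry, user: str, groups: list[str]) -> tuple[bool, bool, bool]:
    """(read, write, execute) that `user` gets on `entry`, following the Unix
    rule: owner bits if you own the file, else group bits if you are in its
    group, else the 'other' bits. Exactly one triplet applies, never a union."""
    if user == entry.owner:
        shift = 6
    elif entry.group in groups:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def audit(entry: FileEntry) -> list[str]:
    """Flag what the thread warns about: a world-writable file can be replaced
    by any account on the shared host, and an execute bit on an upload is what
    Apache's XBitHack reads as 'parse this file for server-side includes'."""
    findings = []
    if entry.mode & stat.S_IWOTH:
        findings.append("world-writable")
    if entry.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    return findings


# Constructed sample: three uploads owned by the web server account.
# The names "httpd", "www" and "bob" are assumptions, not from the post.
SAMPLE = [
    FileEntry("images/a.jpg", "httpd", "www", 0o777),
    FileEntry("images/b.jpg", "httpd", "www", 0o666),
    FileEntry("images/c.jpg", "httpd", "www", 0o664),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e.path, oct(e.mode), rights_for(e, "bob", ["bob", "www"]),
              rights_for(e, "bob", ["bob"]), audit(e))
```

Running it shows that 664 only lets the FTP account write when that account shares the file's group; otherwise only 666 or 777 grants write, and both of those are world-writable.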
