Posted by bobzimuta on 04/05/06 03:21
Are you allowing your web server write permissions to the folder?
Assuming the webserver runs as 'nobody':
755 with ownership nobody, nobody. Otherwise you'll need
775 with ownership frizzle, nobody.
frizzle wrote:
> Gary L. Burnore wrote:
> > On 4 Apr 2006 15:10:39 -0700, "frizzle" <phpfrizzle@gmail.com> wrote:
> >
> > >Hi,
> > >
> > >I am at the base of an FTP thingy i'm building, and i noticed that
> > >it would only work if i chmod the folder 777, i thought to remember
> > >correctly that previously on another site chmod 744 was enough,
> > >now it isn't.
> > >Am i mistaking, and should it always be 777 ? And isn't a chmodded
> > >777 folder much more vulnerable?
> >
> >
> > Most definitely more vulnerable.
> >
> >
> > You want 755, not 744. You need the x bit set. It should look like
> > this:
> >
> > drwxr-xr-x ... ...
> >
> >
> > The x on a directory means search, not execute. If you can't search
> > the directory, you can't read the files in it.
> >
> > If you want people to be able to find the files but not list the
> > directory when they're on the server, you can set the directory as 711
> > which would look like:
> >
> > drwx--x--x ... ...
> >
> >
> >
> > >Frizzle.
> > >
> > >
> > >Code sofar below:
> > >
> > >
> > >++++++++++++++++++++++++++
> > ><?php
> > >
> > > require_once('../inc/globals.php');
> > >
> > > if( isset( $_FILES['image'] ) ){
> > >
> > >$ftp_conn = @ftp_connect( $default_ftp_server )or
> > >die('<b>Error!</b>');
> > >@ftp_login( $ftp_conn, $default_ftp_user, $default_ftp_pass )or
> > >die('<b>Error!</b>');
> > >
> > >$uploaddir = '../items/';
> > >$uploadfile = $uploaddir . basename( $_FILES['image']['name'] );
> > >
> > >if ( move_uploaded_file( $_FILES['image']['tmp_name'], $uploadfile ) ){
> > > echo "File is valid, and was successfully uploaded.";
> > >} else {
> > > echo "Possible file upload attack!";
> > >};
> > >
> > >ftp_close( $ftp_conn );
> > >
> > >};
> > >
> > >?>
> > ><form action="<?php echo $PHP_SELF; ?>" method="post"
> > >enctype="multipart/form-data" name="images" target="_top" id="images"
> > >class="form">
> > > <input name="image" type="file" id="image">
> > > <br>
> > > <input type="submit" name="upload" id="upload" value="Upload">
> > > <input name="cancel" type="button" id="cancel" value="Cancel"
> > >onClick="javascript:history.go(-1) ">
> > ></form><?php
> > >
> > > if (is_dir($uploaddir)) {
> > > if ($dh = opendir($uploaddir)) {
> > > while (($file = readdir($dh)) !== false) {
> > > if ($file !== '..' && $file !== '.') echo "filename: $file :
> > >filetype: " . filetype($uploaddir . $file) . "<br>\r\n";
> > > }
> > > closedir($dh);
> > > }
> > > };
> > >
> > >?>
> > >----------------------------------------------------
> > --
> > gburnore at DataBasix dot Com
> > ---------------------------------------------------------------------------
> > How you look depends on where you go.
> > ---------------------------------------------------------------------------
> > Gary L. Burnore
> > Official .sig, Accept no substitutes.
> > Black Helicopter Repair Services, Ltd.| Official Proof of Purchase
> > ===========================================================================
>
> Hmm, i still get an error; i chmodded both the destination folder AND
> the executing script-file 755.
>
> Warning: move_uploaded_file(../items/bg.jpg): failed to open stream:
> Permission denied in
> /home/httpd/vhosts/domain.com/httpdocs/new/admin/ftptest.php on line 15
>
>          Read mode   Write mode   Execute/search mode
> Owner        +           +                 +
> Group        +           -                 +
> Others       +           -                 +
>
> Frizzle.
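
The ownership-plus-mode rule from the reply at the top of this message, as an added example that is not part of the original thread: it computes which permission class applies to the web server account and whether an upload into the directory can succeed. The web server account `nobody` and the owner `frizzle` come from the reply; the `frizzle` group and the single-group membership are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Pure logic: no files are touched.
# Account and group names are the ones used in the replies, plus assumptions.

# effective_perms MODE OWNER GROUP USER "USER_GROUPS"
# Prints the rwx triplet that applies to USER on a directory MODE OWNER:GROUP.
# Exactly one class is consulted: owner if USER owns the directory, else
# group if USER is a member, else other. There is no fall-through.
effective_perms() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    perm=${mode#"${mode%???}"}          # last three octal digits
    o=${perm%??}; rest=${perm#?}; g=${rest%?}; t=${rest#?}
    digit=$t
    for ug in $user_groups; do
        if [ "$ug" = "$group" ]; then digit=$g; fi
    done
    if [ "$user" = "$owner" ]; then digit=$o; fi
    r=-; w=-; x=-
    if [ $(( $digit & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( $digit & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( $digit & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# can_upload: creating a file in a directory needs write AND search on it.
can_upload() {
    case $(effective_perms "$@") in
        ?wx) return 0 ;;
        *)   return 1 ;;
    esac
}

# world_writable MODE: true when the "other" class has the write bit,
# i.e. every local account can create, rename and delete entries.
world_writable() {
    other=${1#"${1%?}"}
    [ $(( $other & 2 )) -ne 0 ]
}

# Constructed cases: the web server runs as nobody, in group nobody only.
for spec in "755 frizzle frizzle" "755 nobody nobody" \
            "775 frizzle nobody" "777 frizzle frizzle"; do
    set -- $spec
    printf '%s %s:%s -> nobody has %s\n' "$1" "$2" "$3" \
        "$(effective_perms "$1" "$2" "$3" nobody nobody)"
done
```

On a real host, compare the directory's owner, group and mode from `ls -ld` with the output of `id` for the account the web server runs as.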