Posted by Gary L. Burnore on 04/05/06 01:24
On 4 Apr 2006 15:10:39 -0700, "frizzle" <phpfrizzle@gmail.com> wrote:
>Hi,
>
>I am at the base of an FTP thingy I'm building, and I noticed that
>it would only work if I chmod the folder 777. I thought to remember
>correctly that previously on another site chmod 744 was enough,
>now it isn't.
>Am I mistaken, and should it always be 777? And isn't a chmodded
>777 folder much more vulnerable?
Most definitely more vulnerable.
You want 755, not 744. You need the x bit set. It should look like
this:
drwxr-xr-x ... ...
The x on a directory means search, not execute. If you can't search
the directory, you can't read the files in it.
If you want people to be able to find the files but not list the
directory when they're on the server, you can set the directory as 711
which would look like:
drwx--x--x ... ...
>Frizzle.
>
>
>Code so far below:
>
>
>++++++++++++++++++++++++++
><?php
>
> require_once('../inc/globals.php');
>
> if( isset( $_FILES['image'] ) ){
>
>$ftp_conn = @ftp_connect( $default_ftp_server )or
>die('<b>Error!</b>');
>@ftp_login( $ftp_conn, $default_ftp_user, $default_ftp_pass )or
>die('<b>Error!</b>');
>
>$uploaddir = '../items/';
>$uploadfile = $uploaddir . basename( $_FILES['image']['name'] );
>
>if ( move_uploaded_file( $_FILES['image']['tmp_name'], $uploadfile ) ){
> echo "File is valid, and was successfully uploaded.";
>} else {
> echo "Possible file upload attack!";
>};
>
>ftp_close( $ftp_conn );
>
>};
>
>?>
><form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post"
>enctype="multipart/form-data" name="images" target="_top" id="images"
>class="form">
> <input name="image" type="file" id="image">
> <br>
> <input type="submit" name="upload" id="upload" value="Upload">
> <input name="cancel" type="button" id="cancel" value="Cancel"
>onClick="javascript:history.go(-1) ">
></form><?php
>
> if (is_dir($uploaddir)) {
> if ($dh = opendir($uploaddir)) {
> while (($file = readdir($dh)) !== false) {
> if ($file !== '..' && $file !== '.') echo "filename: $file :
>filetype: " . filetype($uploaddir . $file) . "<br>\r\n";
> }
> closedir($dh);
> }
> };
>
>?>
>----------------------------------------------------
--
gburnore at DataBasix dot Com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore
Official .sig, Accept no substitutes.
Black Helicopter Repair Services, Ltd.| Official Proof of Purchase
===========================================================================
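
The directory modes discussed in the reply above (777, 755, 744, 711), as an added example that is not part of the original post: a shell function that decodes what one permission class may do in a directory, and a `find` check for world-writable directories. The function names `describe_dir_mode` and `find_world_writable` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post.

# describe_dir_mode MODE CLASS  (CLASS is owner, group or other)
# Prints what CLASS may do in a directory with the octal MODE.
describe_dir_mode() {
    case $2 in
        owner) shift_by=6 ;;
        group) shift_by=3 ;;
        other) shift_by=0 ;;
        *) echo "unknown class: $2" >&2; return 2 ;;
    esac
    bits=$(( (0$1 >> shift_by) & 7 ))   # leading 0 makes the mode octal
    out=
    # r: the names in the directory can be listed
    if [ $((bits & 4)) -ne 0 ]; then out="$out list-names"; fi
    # w only takes effect together with x: create, rename, delete entries
    if [ $((bits & 3)) -eq 3 ]; then out="$out create-delete"; fi
    # x: search, i.e. reach a file inside the directory by its name
    if [ $((bits & 1)) -ne 0 ]; then out="$out search"; fi
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# find_world_writable ROOT
# Lists directories under ROOT that everyone may write to and that lack
# the sticky bit, so any local account can replace or delete files there.
find_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Demo: the four modes from the thread, seen from the "other" class.
for m in 777 755 744 711; do
    printf '%s other: %s\n' "$m" "$(describe_dir_mode "$m" other)"
done
```

Mode 744 gives "other" only `list-names`: the names are visible but the files cannot be opened, which is why the reply asks for 755.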