Re: [PHP] File Upload Security

2008-04-11 Thread Wolf 

Al wrote:
One of my sites has been hacked and I'm trying to find the hole.  The 
hack code creates dirs with "nobody" ownership, so it's obvious stuff is 
not via ftp [ownership would be foo]


Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.




First off, file type means NOTHING to people using uploaders. I have had 
a number of people try to hack my site with my uploader and they never 
succeed.


If you don't parse the first few lines of the file, you're probably 
gonna find yourself hacked again.  Depending on the size of the machine, 
you could just read the whole file and look for php somewhere in it, and 
if it exists, erase immediately.


image.php.gif.jpg would pass your test as far as checking extensions.

I have a number of the scripts used by others to try to hack my site 
available for download/review.  If you search the archives, you should 
find them.  If not, contact me directly and I'll send you the link to them.


HTH,
Wolf


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security

2008-04-11 Thread Bojan Tesanovic 

I would recommend something more strong
http://www.php.net/manual/en/function.exif-imagetype.php

or if you dont have exif
http://www.php.net/manual/en/function.getimagesize.php
will do also a trick.

One more thing, you are also allowing .txt and .css  which may be  
potential hole, as Apache can run .css also through PHP engine if  
configured to do so.
Sometimes I use PHP to process CSS so I can have dynamic CSS for some  
rare cases.







On Apr 12, 2008, at 2:24 AM, Al wrote:

One of my sites has been hacked and I'm trying to find the hole.   
The hack code creates dirs with "nobody" ownership, so it's obvious  
stuff is not via ftp [ownership would be foo]


Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.

Can anyone see a hole in this scrip? Can my code upload an  
executable masquerading as an image file?


$filetype = array("gif", "jpg", "jpeg", "png", "txt", css")

function csvt_file_upload($filetype, $max_size)
{
$prohibits = array("exe", "php", "inc", "php3", "pl", "bat",  
"cgi"); //common executables.

$absolute_max_size = 200;

end($_FILES); //get the "name" used by the html $name = key($_FILES); //could use the register variables, but  
this is safer.
if(isset($_FILES[$name]['name'])) $input_name = $_FILES[$name] 
['name'];


$error = "no"; //reset for error checks

if (!isset($filetype)) {
echo " File type assignment  
missing  ";

$error = "yes";
};

if (!isset($max_size)) {
echo " Max file size assignment  
missing.";

$error = "yes";
};

$filename = $_FILES[$name]['name'];
$tmp_name = $_FILES[$name]['tmp_name'];
$size = $_FILES[$name]['size'];

$absolute_path_file = getcwd(). DATA_DIR . $filename;


if (($size >= $max_size) OR ($size > $absolute_max_size)) {
echo " File size is too large. ";
$error = "yes";
}

$ext = substr(strrchr($filename, "."), 1); //get the extension,  
remove the "."

if (in_array($ext, $prohibits)) {
echo "Illegal file type,  
executable.\r\n";

$error = "yes";
}
if (is_executable($filename)) {
echo "Illegal file type, executable  
file.\r\n";

$error = "yes";
} //This is a double check in case $prohibits is incomplete.
if (is_array($filetype) AND !in_array($ext, $filetype)) {
echo "Illegal file type.\r\n";
$error = "yes";
}
if(!is_array($filetype) AND ($filetype != $ext)){
echo "Illegal file type.\r\n";
$error = "yes";
}
if ($error == "yes") {
echo "There was an error(s) with  
your file selection \"$input_name\" as the note(s) indicates.  
Please reselect, or remove your file selection and email for help.  
\r\n";

}
else {
if(!move_uploaded_file($tmp_name, $absolute_path_file))
		die("There was an error saving your file.  
Check permissions of " . DATA_DIR . " Must be 777 \r\n");


chmod($absolute_path_file, 0644);
}

return;
}

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Igor Jocic
http://www.carster.us/

Re: [PHP] File Upload Security

2008-04-11 Thread Al 



The hack puts this .htaccess in dozens of dirs
RewriteEngine On 

RewriteCond %{HTTP_REFERER} 
^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. 
[NC] 

RewriteCond %{HTTP_REFERER} 
[?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\= 



RewriteCond %{HTTP_REFERER} 
![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22) 



RewriteCond %{TIME_SEC} <59 

RewriteRule ^.*$ /StartLocs/maps/kapicag/ex3/t.htm [L] 
  # 
a995d2cc661fa72452472e9554b5520c


The kapicag/ex3/t.htm appears to be phishing site.



mike wrote:

How was it "hacked"?

That will help determine what kind of exploit might have been used.


On 4/11/08, Al <[EMAIL PROTECTED]> wrote:

One of my sites has been hacked and I'm trying to find the hole.  The hack
code creates dirs with "nobody" ownership, so it's obvious stuff is not via
ftp [ownership would be foo]


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security

2008-04-11 Thread mike 
How was it "hacked"?

That will help determine what kind of exploit might have been used.


On 4/11/08, Al <[EMAIL PROTECTED]> wrote:
> One of my sites has been hacked and I'm trying to find the hole.  The hack
> code creates dirs with "nobody" ownership, so it's obvious stuff is not via
> ftp [ownership would be foo]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] File Upload Security

2008-04-11 Thread Al 
One of my sites has been hacked and I'm trying to find the hole.  The hack code creates dirs with 
"nobody" ownership, so it's obvious stuff is not via ftp [ownership would be foo]


Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.

Can anyone see a hole in this scrip? Can my code upload an executable 
masquerading as an image file?

$filetype = array("gif", "jpg", "jpeg", "png", "txt", css")

function csvt_file_upload($filetype, $max_size)
{
$prohibits = array("exe", "php", "inc", "php3", "pl", "bat", "cgi"); 
//common executables.
$absolute_max_size = 200;

end($_FILES); //get the "name" used by the html  File type assignment missing  ";
$error = "yes";
};

if (!isset($max_size)) {
echo " Max file size assignment 
missing.";
$error = "yes";
};

$filename = $_FILES[$name]['name'];
$tmp_name = $_FILES[$name]['tmp_name'];
$size = $_FILES[$name]['size'];

$absolute_path_file = getcwd(). DATA_DIR . $filename;


if (($size >= $max_size) OR ($size > $absolute_max_size)) {
echo " File size is too large. ";
$error = "yes";
}

$ext = substr(strrchr($filename, "."), 1); //get the extension, remove the 
"."
if (in_array($ext, $prohibits)) {
echo "Illegal file type, executable.\r\n";
$error = "yes";
}
if (is_executable($filename)) {
echo "Illegal file type, executable 
file.\r\n";
$error = "yes";
} //This is a double check in case $prohibits is incomplete.
if (is_array($filetype) AND !in_array($ext, $filetype)) {
echo "Illegal file type.\r\n";
$error = "yes";
}
if(!is_array($filetype) AND ($filetype != $ext)){
echo "Illegal file type.\r\n";
$error = "yes";
}
if ($error == "yes") {
echo "There was an error(s) with your file selection \"$input_name\" 
as the note(s) indicates. Please reselect, or remove your file selection and email for help. \r\n";

}
else {
if(!move_uploaded_file($tmp_name, $absolute_path_file))
		die("There was an error saving your file. Check permissions of " . DATA_DIR 
. " Must be 777 \r\n");


chmod($absolute_path_file, 0644);
}

return;
}

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Andy Hultgren 

Well, seeing as I have no directory anywhere in my file structure called
"/tmp" and yet my file uploads are still working, it would appear that my
temporary file upload directory "/tmp" given by php_info() is somewhere
outside of my root directory.  So that's good news!  That's were I'll be
doing my file checks anyway before moving any files into my root directory.

Anyway, at this point it looks like I need to buckle down and do some
thinkin'.  Thank you everyone for your advice, I really really appreciate
it!!  You guys have given me a really good foundation to start from on these
questions of site security, and I appreciate you taking the time to pass on
your expertise to a newcomer.

All the best,

Andy


On 9/27/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to
> temporarily
> store them before I move them to their permanent storage directory,
> and I'm
> having some difficulties:
>
> -- php_info() says the temporary file upload directory is "/tmp" but I
> don't
> know if that's relative to my root directory or what and can't figure
> out
> from the documentation how that path is displayed.

/tmp means the /tmp on the root of the hard drive, which your webhost
allegedly isn't letting you share...

HOWEVER:
It is entirely possible (nay, even likely) that they have you in a
ch-rooted environment where your "/tmp" is not somebody else's "/tmp"
so you'll just see "/tmp" and you don't have to worry about the fact
that it's not really really /tmp but somewhere else...

> -- I have tried to call pathinfo() and realpath() on my
> $_FILES['name']['tmp_name'] file before it is moved, but neither gives
> the
> full path to the file

If $_FILES['name']['tmp_name'] does already have the full path,
something is very wrong on your system...

Note that as soon as your upload-receiving script ends, the file is
deleted.

You *have* to use move_uploaded_file() on it in the upload-receiving
script to save the file somewhere else, or it's just gonna go away,
and you ain't gonna see it never again.

> Maybe I should have one of those disclaimers posted on my homepage
> like the
> ones that you see in taxis sometimes: "This driver never carries more
> than
> $20 cash."  -->  "This website never carries anyone's financial
> information."  :)

:-)

While there are obviously people "out there" who will just attack
randomly, (spammers) I honestly believe that a
valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a
much less likely target for an actual human attack.

I have absolutely zero evidence to support that claim, other than one
site that's been wide open to abuse for most of a decade, and only the
mindless spam-bots bother it... :-)

--
Like Music?
http://l-i-e.com/artists.htm

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Richard Lynch 
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to
> temporarily
> store them before I move them to their permanent storage directory,
> and I'm
> having some difficulties:
>
> -- php_info() says the temporary file upload directory is "/tmp" but I
> don't
> know if that's relative to my root directory or what and can't figure
> out
> from the documentation how that path is displayed.

/tmp means the /tmp on the root of the hard drive, which your webhost
allegedly isn't letting you share...

HOWEVER:
It is entirely possible (nay, even likely) that they have you in a
ch-rooted environment where your "/tmp" is not somebody else's "/tmp"
so you'll just see "/tmp" and you don't have to worry about the fact
that it's not really really /tmp but somewhere else...

> -- I have tried to call pathinfo() and realpath() on my
> $_FILES['name']['tmp_name'] file before it is moved, but neither gives
> the
> full path to the file

If $_FILES['name']['tmp_name'] does already have the full path,
something is very wrong on your system...

Note that as soon as your upload-receiving script ends, the file is
deleted.

You *have* to use move_uploaded_file() on it in the upload-receiving
script to save the file somewhere else, or it's just gonna go away,
and you ain't gonna see it never again.

> Maybe I should have one of those disclaimers posted on my homepage
> like the
> ones that you see in taxis sometimes: "This driver never carries more
> than
> $20 cash."  -->  "This website never carries anyone's financial
> information."  :)

:-)

While there are obviously people "out there" who will just attack
randomly, (spammers) I honestly believe that a
valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a
much less likely target for an actual human attack.

I have absolutely zero evidence to support that claim, other than one
site that's been wide open to abuse for most of a decade, and only the
mindless spam-bots bother it... :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Andy Hultgren 

So I've been trying to figure out where php uploads files to temporarily
store them before I move them to their permanent storage directory, and I'm
having some difficulties:

-- php_info() says the temporary file upload directory is "/tmp" but I don't
know if that's relative to my root directory or what and can't figure out
from the documentation how that path is displayed.
-- I have tried to call pathinfo() and realpath() on my
$_FILES['name']['tmp_name'] file before it is moved, but neither gives the
full path to the file (which I realized after reading the documentation that
neither is supposed to do).  Any ideas on functions that will give the full
path of the inputted file?  I've been searching the php documentation and
general list but to no avail.  On the plus side, I did get to practice
writing information to a text file, so that was fun :)

Thanks for the tips on the chmod requirements for the get_image_size()
function, I'm all about keep permissions as strict as possible at this
point!

Crap, gotta use my brain, huh?  :)  Seriously, thanks for the overview on
how "security" should be approached and for the advice to not take general
security recommendations at face value but to give them some thought, given
my unique situation.  This is really good for me to learn now, while I'm
still implementing my security rather than later when I might have to redo
everything (or might have a gaping hole based on a poor assumption).  At
least I won't be storing anyone's financial information, so I should only be
a target for people who just want to be mean, but not people who want to get
free stuff from others credit info.

Maybe I should have one of those disclaimers posted on my homepage like the
ones that you see in taxis sometimes: "This driver never carries more than
$20 cash."  -->  "This website never carries anyone's financial
information."  :)

Andy


On 9/26/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile()
> documentation and it wouldn't do anything, which suggests that I don't
> have
> access to the /tmp directory.  Also, the FAQ's section on my server's
> website say that /tmp is not shared between the servers.  So, looks
> like
> /tmp option is out...

Did they perhaps give you your own "tmp" directory elsewhere?...

Sometimes you just need to poke at it to figure out where your "tmp"
is, and then you can use the PHP functions that let you specify your
own directory, but not the ones that assume that system /tmp is your
"tmp"

My host has a "tmp" dir I can use, but it ain't /tmp, and PHP
routinely tries to use /tmp with some functions.  G.

> So, let me see if I understand the situation I'm looking at here:
>
> The bad side:
> -- I don't have any place to put uploaded files outside of my webtree,
> which
> makes it tough to ensure these files cannot be surfed to once they are
> uploaded, and also means I have to do my security checks while the
> files are
> within my webtree and potentially accessible.  (BAD).

Yes.

Though if file uploads are working at all, looking at the $_FILES
array may give you a clue as to a directory that you maybe *can*
access which is your own private "tmp"...

> -- Any php script on my server (created by me or somehow maliciously
> uploaded) can do whatever it wants within my account because all php
> scripts run as me.  (also BAD).

On the plus side, some of the coding gets real simple, since you are
you, and you are never somebody else. :-)

> The good side:
> -- Uploaded files can be chmod so that nobody can read them, then I
> chmod
> them when I need to use them.  This adds a layer of protection for
> completely uploaded files.  I assume this will not help with files
> while
> they are getting their security checks, since PHP has to be able to
> read and
> execute them in order to run the checks (get_image_size, etc.)?

PHP needs to read them for get_image_size, but not execute.

Use minimum force needed.

If you are flipping the chmod around within your scripts, that reduces
your risk to however long the dir remains in its 0777 (or whatever)
state, which is however long your script takes to process whatever it
has to process in that state.

So long exhaustive checks of the validity of a file are "bad" because
that leaves that window open longer, but they're "good" because the
file is then more likely to be kosher.

> -- Since I'm only allowing image uploads, I can strictly filter which
> files
> are allowed to be uploaded (with extension checks and get_image_size).

Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a val

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Richard Lynch 
On Wed, September 27, 2006 10:11 am, tedd wrote:
>>So when you read advice to use 0777 you can immediately change that
>> to
>>0700, because the only access needed is for you, not your group, and
>>not the "world" of other users on that machine.
>
> Excellent point -- thanks.

This applies only to Andy -- or those whose server runs as "themself"

Tedd, whose server runs as "nobody" or some other user, still need
0777 or the FTP hoop-jumping.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread tedd 

At 6:43 PM -0500 9/26/06, Richard Lynch wrote:

On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
 > -- Since I'm only allowing image uploads, I can strictly filter which

 files
 are allowed to be uploaded (with extension checks and get_image_size).


Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a valid image.

It could still be "image+worm" with the worm tacked on at the end, and
a valid image at the front, which the browser would probably just go
ahead and display as valid image. :-(

The odds of somebody able to construct a valid-looking image whose
exact byte sequence is also a worm are pretty low, but not
impossible... :-)


That's one of the reasons why I resize images I upload -- image files 
are never stored "as-is". I figure that any possible worms contained 
therein will probably be damaged beyond working after a shuffle. 
After all, code is usually sensitive to alteration.



So when you read advice to use 0777 you can immediately change that to
0700, because the only access needed is for you, not your group, and
not the "world" of other users on that machine.


Excellent point -- thanks.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-26 Thread Richard Lynch 
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile()
> documentation and it wouldn't do anything, which suggests that I don't
> have
> access to the /tmp directory.  Also, the FAQ's section on my server's
> website say that /tmp is not shared between the servers.  So, looks
> like
> /tmp option is out...

Did they perhaps give you your own "tmp" directory elsewhere?...

Sometimes you just need to poke at it to figure out where your "tmp"
is, and then you can use the PHP functions that let you specify your
own directory, but not the ones that assume that system /tmp is your
"tmp"

My host has a "tmp" dir I can use, but it ain't /tmp, and PHP
routinely tries to use /tmp with some functions.  G.

> So, let me see if I understand the situation I'm looking at here:
>
> The bad side:
> -- I don't have any place to put uploaded files outside of my webtree,
> which
> makes it tough to ensure these files cannot be surfed to once they are
> uploaded, and also means I have to do my security checks while the
> files are
> within my webtree and potentially accessible.  (BAD).

Yes.

Though if file uploads are working at all, looking at the $_FILES
array may give you a clue as to a directory that you maybe *can*
access which is your own private "tmp"...

> -- Any php script on my server (created by me or somehow maliciously
> uploaded) can do whatever it wants within my account because all php
> scripts run as me.  (also BAD).

On the plus side, some of the coding gets real simple, since you are
you, and you are never somebody else. :-)

> The good side:
> -- Uploaded files can be chmod so that nobody can read them, then I
> chmod
> them when I need to use them.  This adds a layer of protection for
> completely uploaded files.  I assume this will not help with files
> while
> they are getting their security checks, since PHP has to be able to
> read and
> execute them in order to run the checks (get_image_size, etc.)?

PHP needs to read them for get_image_size, but not execute.

Use minimum force needed.

If you are flipping the chmod around within your scripts, that reduces
your risk to however long the dir remains in its 0777 (or whatever)
state, which is however long your script takes to process whatever it
has to process in that state.

So long exhaustive checks of the validity of a file are "bad" because
that leaves that window open longer, but they're "good" because the
file is then more likely to be kosher.

> -- Since I'm only allowing image uploads, I can strictly filter which
> files
> are allowed to be uploaded (with extension checks and get_image_size).

Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a valid image.

It could still be "image+worm" with the worm tacked on at the end, and
a valid image at the front, which the browser would probably just go
ahead and display as valid image. :-(

The odds of somebody able to construct a valid-looking image whose
exact byte sequence is also a worm are pretty low, but not
impossible... :-)

> (Plus
> all the stuff talked about in the PHP Security Guide provided by the
> PHP
> Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well,
> all of
> it that I can implement without having access to a directory outside
> of my
> webtree anyway).

Be careful.

It's entirely possible that *some* of the advice would put you at
higher risk with your setup, if their assumption is the "nobody" user
and a directory outside web-tree.

So just because you *CAN* implement your advice in your situation,
won't mean you should.

You're going to have to examine every little thing on a case-by-case
basis with your Security Hat on firmly -- Which means thinking "If I
was Evil, how would I break this?"

> So, given this situation (if I've got it right), I have two questions:
>
> 1) With the above "as is", am I just asking for anyone to come in and
> tear
> my site apart?  I am not an experienced web developer (obviously), but
> I
> love to read.  Is that enough to build a secure site, or am I just way
> in
> over my head?

There's no such thing as "a secure site"...

A secure site is not an off/on switch.  It's more a gradient from
horrible to very strong.

And the act of building a Secure site is not even just a question of
following all the "rules" in http://phpsec.org and so on.

It's a thought process, a living breathing intelligent human actually
*thinking* about what they are doing, and what the Risks are, and what
the Benefits are, and trying to consider every possible angle of every
decision.

Are you building an e-commerce site, right out of the gate, on a
server configured li

Re: [PHP] File Upload Security and chmod

2006-09-26 Thread Richard Lynch 
The FTP will be slower, almost for sure.

He's doing it because he can FTP in as himself, and not as the
"nobody" user Apache runs as.

Your webhost has you running as yourself already, so you can chmod
your files at will in PHP.

On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote:
> Tedd,
>
> Thanks so much your thorough response - it's good to know that I'm not
> the
> only one trying to figure this out!  I'm curious, in your code you use
> the
> PHP ftp functions, but I have used the PHP functions chmod() and
> mkdir()
> without establishing an ftp connection.  Is it faster to establish an
> ftp
> connection within PHP and then use the ftp series of functions to
> accomplish
> all of the directory creation and permissions changes?  If so, then I
> will
> probably change my code to follow yours.
>
> Andy
>
>
> On 9/25/06, tedd <[EMAIL PROTECTED]> wrote:
>>
>> At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
>> >Hi Tedd,
>> >
>> >Yes, when I browse to www.myDomain.com I get the index.html file,
>> and so
>> I
>> >have been leaving the .public_html/ directory alone since it is not
>> my
>> >root.  I'm curious, what you described is exactly what I'm trying
>> to do -
>> >what permissions do you set the parent folder at when you are
>> finished
>> >uploading/saving/downloading/etc.?  I have my "uploaded_images/"
>> >directory set at chmod 0100 and I can still browse to an uploaded
>> image
>> from
>> >my file upload page...  Thanks for your response,
>>
>>
>> Andy:
>>
>> I ran into the same problem trying to work with, and understand,
>> permissions on a virtual host. When I asked this gang about
>> permissions some time back, I received answers that ranged from RTFM
>> to calling me stupid for using 0777, but none answered my question.
>> No fault of the gang, I probably didn't ask the question correctly.
>> In any event, I felt too stupid to ask the question again, so I went
>> elsewhere looking for answers and eventually found something that
>> works for me.
>>
>> Some consider me a novice, so I'll ask the gang to overview my
>> comments to make sure that I'm not guiding you down the wrong path.
>>
>> As you know, the key to setting the permissions of a file depends
>> upon the permissions the parent folder. If the parent folder
>> permission is set to 0777, then we can change any files inside the
>> folder as we want. However, that also presents a major security hole
>> because then anyone can use that folder to upload and run evil code.
>>
>> So, the key problem is how to alter parent folder permissions.
>>
>> With virtual hosting, we can upload, manage, and set permissions as
>> we want via our FTP connection software. So, I thought perhaps php
>> had something like that and as such I discovered how to ftp connect
>> via php.
>>
>> Now, not all php ftp_ are available to php 4, but you can
>> connect to your site and change permissions of folders, which is
>> what
>> we actually need. So, if you want to do something with a file: then
>> change the folder permissions of the folder that holds it; do
>> whatever you want with the file; and then change the folder
>> permissions back to something safe.
>>
>> You can also create new folders if you want using the command
>> ftp_mkdir().
>>
>> Note, the beginning of the ftp_paths are different than url paths we
>> would normally use to locate a file. For example:
>>
>> An example web path:
>>
>> http://www.yourdomain.com/rw/tmp/text.txt
>>
>> An example symbolic link:
>>
>> public_html/rw/tmp/text.txt
>>
>> The following code will show you an example of how this works. Just
>> put in your own domain, user id, password, and correct paths and try
>> it out. Change the permissions in the code and watch how the file
>> permissions change.
>>
>> Please let me know if this works for you -- watch for line breaks.
>>
>> hth's
>>
>> tedd
>>
>> PS: I don't know what to say about your ".public_html/" directory,
>> but I would just leave it alone.
>>
>> ---
>>
>> // how to call the function
>>
>> >
>> $ftp_path = "public_html/rw/";  // note the ftp path
>> $theDir = "tmp";
>> $theFile ="text.txt";
>> FtpPerms($ftp_path, $theDir, $theFile);
>> ?>
>>
>>
>> // the function
>>
>> > // create directory and change permissions via FTP connection
>>
>> function FtpPerms($path, $theDir, $theFile)
>> {
>>
>> $server='ftp.yourdomain.com'; // ftp server
>> $connection = ftp_connect($server); // connection
>>
>> $user = "you";
>> $pass = "yourpassword";
>> $result = ftp_login($connection, $user, $pass); // login to ftp
>> server
>>
>> if ((!$connection) || (!$result))
>> {
>> echo("No connection");
>> return false;
>> exit();
>> }
>> else
>> {
>> echo("Made connection");
>> ftp_chdir($connection, $path); // go to destination dir
>>
>> echo("Change permission");
>> $str="CHMOD 0755 " . $theDir; // change permissions for dir (note
>> the
>> space after 0775 )
>> ftp_site($connection, $str);
>> echo("$str");
>>
>> $filename = "$theDir/$theFile";
>> $contents = "This is the contents of

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren 

Hey Tedd and Eric,

Between the two of you and Richard Lynch's last post, I understand why I can
use chmod() and mkdir() within php without having to use the ftp commands: I
run on a server that is configured to run my php scripts as "username" (ie.
me!) instead of as "nobody" (which is much more common).  So my php scripts
have powers which they probably shouldn't have.  So, Tedd, you don't have to
go back to the manual it looks like you are exactly right, I'm just on a
goofy server which is the exception to the rule (for better or for worse).

I really appreciate you guys jumping in a giving me a hand.  Hopefully I get
good enough at this that I can return the favor sometime!!!

Andy


On 9/25/06, Eric Butera <[EMAIL PROTECTED]> wrote:


On 9/25/06, Andy Hultgren <[EMAIL PROTECTED]> wrote:
>
> Tedd,
>
> Thanks so much your thorough response - it's good to know that I'm not
> the
> only one trying to figure this out!  I'm curious, in your code you use
> the
> PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
>
> without establishing an ftp connection.  Is it faster to establish an
> ftp
> connection within PHP and then use the ftp series of functions to
> accomplish
> all of the directory creation and permissions changes?  If so, then I
> will
> probably change my code to follow yours.
>
> Andy


By using FTP you can specify which user account you want the connection to
be established at.  When running a PHP script the script will be running by
the Apache server, which means it will have specific permission levels which
cannot create directories or chmod unless Apache owns the parent directory.
That is why Tedd went through all that trouble.

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren 

Well, that didn't sound too good...

So I tried to implement the example code given in the php tmpfile()
documentation and it wouldn't do anything, which suggests that I don't have
access to the /tmp directory.  Also, the FAQ's section on my server's
website say that /tmp is not shared between the servers.  So, looks like
/tmp option is out...

So, let me see if I understand the situation I'm looking at here:

The bad side:
-- I don't have any place to put uploaded files outside of my webtree, which
makes it tough to ensure these files cannot be surfed to once they are
uploaded, and also means I have to do my security checks while the files are
within my webtree and potentially accessible.  (BAD).
-- Any php script on my server (created by me or somehow maliciously
uploaded) can do whatever it wants within my account because all php
scripts run as me.  (also BAD).

The good side:
-- Uploaded files can be chmod so that nobody can read them, then I chmod
them when I need to use them.  This adds a layer of protection for
completely uploaded files.  I assume this will not help with files while
they are getting their security checks, since PHP has to be able to read and
execute them in order to run the checks (get_image_size, etc.)?
-- Since I'm only allowing image uploads, I can strictly filter which files
are allowed to be uploaded (with extension checks and get_image_size). (Plus
all the stuff talked about in the PHP Security Guide provided by the PHP
Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of
it that I can implement without having access to a directory outside of my
webtree anyway).

So, given this situation (if I've got it right), I have two questions:

1) With the above "as is", am I just asking for anyone to come in and tear
my site apart?  I am not an experienced web developer (obviously), but I
love to read.  Is that enough to build a secure site, or am I just way in
over my head?
2) Imaging that I can convince my host to rebuild my site so that I have
access to directories outside of my webtree and can check and save uploaded
files there, does that make the situation substantially better?  Or is the
"PHP running as me" thing enough alone to raise some serious serious
problems (perhaps less around the image uploading but more around a login
page or something)?

As always, thank you so much for your help.

Andy

On 9/25/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Sun, September 24, 2006 11:04 pm, Andy Hultgren wrote:
> I really appreciate your help with this.
>
> To answer your first question: when people surf to my site they see
> the
> stuff "next to" (outside) .public_html/, not anything within
> .public_html/.
> (Thanks by the way for explaining the .dirName invisibility thing,
> that's
> one confusing thing not to worry about anymore!)

Hmmm.

Okay, so you definitely do not have any space outside the webtree.

That's bad.

Anything you upload is stuck being available to the public, to some
degree. :-(

You *may* be able to utilize /tmp

See if you can write a short little script with http://php.net/tmpfile

This will give you and idea if you can stash things in /tmp, at least
until you can confirm that they are not Evil.

> To answer your second question: the "uploadedFiles/" directory is
> 0100, but
> not the file.  The uploaded file itself is 0640.

So your login is allowed to read files within the directory, but not
to list what's in the directory.

Your login and your group can read the file itself.

Your login can write the file as well.

See next question/answer.

> Third question: it runs as the same username I use to login to my
> server's
> ftp site.  This information wasn't in the output of the phpinfo()
> function
> (that I could find).  I did some searching on php.net and found this
> entry
> under the get_current_user() function (
> http://us3.php.net/manual/en/function.get-current-user.php, top user
> contributed note):
> **
> *to get the username of the process owner (rather than the file
> owner), you
> can use:
> ** $processUser = posix_getpwuid(posix_geteuid**());
> print $processUser['name'**];
> ?> *
> **
> I used this code to find out the user PHP runs as.  Is that what you
> were
> looking for?

Yes.

And since PHP runs as "you" with your login, it can do everything
listed above.

So you probably cannot surf to the DIRECTORY and get a listing (even
if DirectoryIndex is on) but if you know the name of the file in
advance, you can surf to it.

So if you want to make a file not readable, you have to chmod it so
that *YOU* cannot read it.

This will be a PITA because then you'll need to chmod it back any time
you want to mess with it.

As the owner of a file, you are allowed to chmod it so that you
yourself cannot read it -- kind of like locking it away in a safe --
and then you have to chmod it back to readable (open the safe) to read
it.

You still "own" the file, so you can always chmod it anywhich way you
want, at any time.

Running your

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread tedd 

Andy:

It was never a question of speed for me -- it was a question of being 
able to change file permissions from within a php script so that I 
could create and write files safely.


You see, I am *not* able to use chmod() within a php script at all 
regardless of what permissions the file and parent folder have -- 
even when both are set to 0777. To do any permissions changing from 
within a php script I am forced to resort to a ftp connection as I 
previously described.


I can't even create a file, nor open a file for writing, without the 
parent folder having 0777 permissions. The only option I had was to 
set parent folders to 0777 and leave them that way, and I wasn't 
going to do that for security reasons.


Now, perhaps something is wrong with my server (or me) -- but -- I 
have more than one server and the same tests held true for all of 
them.


So, if you can chmod() and mkdir() from within your php script 
without establishing an ftp connection, then more power to you, 
because I can't. And that's the reason I use ftp_login. I thought 
that you had the same problem.


Now, perhaps I should RTFM again -- but -- I have read it and I have 
not found another method that works to change permissions other than 
to use ftp_logon.


I suspect that this problem may be pretty obvious to the gang, but I 
don't know if anyone cares to comment. Comments?


tedd

---

At 1:11 PM -0600 9/25/06, Andy Hultgren wrote:

Tedd,

Thanks so much your thorough response - it's good to know that I'm 
not the only one trying to figure this out!  I'm curious, in your 
code you use the PHP ftp functions, but I have used the 
PHP functions chmod() and mkdir() without establishing an ftp 
connection.  Is it faster to establish an ftp connection within PHP 
and then use the ftp series of functions to accomplish all of the 
directory creation and permissions changes?  If so, then I will 
probably change my code to follow yours.


Andy


On 9/25/06, tedd <[EMAIL PROTECTED]> wrote:

At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:

Hi Tedd,

Yes, when I browse to  www.myDomain.com I 
get the index.html file, and so I

have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,



Andy:

I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.

Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.

Now, not all php ftp_ are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:

An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.

---

// how to call the function




// the function

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Eric Butera 

On 9/25/06, Andy Hultgren <[EMAIL PROTECTED]> wrote:


Tedd,

Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out!  I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection.  Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to
accomplish
all of the directory creation and permissions changes?  If so, then I will
probably change my code to follow yours.

Andy



By using FTP you can specify which user account you want the connection to
be established at.  When running a PHP script the script will be running by
the Apache server, which means it will have specific permission levels which
cannot create directories or chmod unless Apache owns the parent directory.
That is why Tedd went through all that trouble.

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren 

Tedd,

Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out!  I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection.  Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to accomplish
all of the directory creation and permissions changes?  If so, then I will
probably change my code to follow yours.

Andy


On 9/25/06, tedd <[EMAIL PROTECTED]> wrote:


At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
>Hi Tedd,
>
>Yes, when I browse to www.myDomain.com I get the index.html file, and so
I
>have been leaving the .public_html/ directory alone since it is not my
>root.  I'm curious, what you described is exactly what I'm trying to do -
>what permissions do you set the parent folder at when you are finished
>uploading/saving/downloading/etc.?  I have my "uploaded_images/"
>directory set at chmod 0100 and I can still browse to an uploaded image
from
>my file upload page...  Thanks for your response,


Andy:

I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.

Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.

Now, not all php ftp_ are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:

An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.

---

// how to call the function




// the function

");
return false;
exit();
}
else
{
echo("Made connection");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo("$str");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("Writing file ");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str");


echo("Close connection");
ftp_close($connection); // close connection
}

}
?>
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread tedd 

At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:

Hi Tedd,

Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,



Andy:

I ran into the same problem trying to work with, and understand, 
permissions on a virtual host. When I asked this gang about 
permissions some time back, I received answers that ranged from RTFM 
to calling me stupid for using 0777, but none answered my question. 
No fault of the gang, I probably didn't ask the question correctly. 
In any event, I felt too stupid to ask the question again, so I went 
elsewhere looking for answers and eventually found something that 
works for me.


Some consider me a novice, so I'll ask the gang to overview my 
comments to make sure that I'm not guiding you down the wrong path.


As you know, the key to setting the permissions of a file depends 
upon the permissions the parent folder. If the parent folder 
permission is set to 0777, then we can change any files inside the 
folder as we want. However, that also presents a major security hole 
because then anyone can use that folder to upload and run evil code.


So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as 
we want via our FTP connection software. So, I thought perhaps php 
had something like that and as such I discovered how to ftp connect 
via php.


Now, not all php ftp_ are available to php 4, but you can 
connect to your site and change permissions of folders, which is what 
we actually need. So, if you want to do something with a file: then 
change the folder permissions of the folder that holds it; do 
whatever you want with the file; and then change the folder 
permissions back to something safe.


You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we 
would normally use to locate a file. For example:


An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just 
put in your own domain, user id, password, and correct paths and try 
it out. Change the permissions in the code and watch how the file 
permissions change.


Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory, 
but I would just leave it alone.


---

// how to call the function




// the function

");
return false;
exit();
}
else
{
echo("Made connection");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the 
space after 0775 )

ftp_site($connection, $str);
echo("$str");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("Writing file ");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str");


echo("Close connection");
ftp_close($connection); // close connection
}

}
?>
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-24 Thread Andy Hultgren 

Hi Tedd,

Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,

Andy


On 9/23/06, tedd <[EMAIL PROTECTED]> wrote:


At 7:19 PM -0600 9/22/06, Andy Hultgren wrote:
>For whatever reason when I ftp in using WinFtp I don't see public_html
>(it's hidden, don't know why; if I make a directory called
>".public_html" it gets created and then disappears), but I can see my
>file structure from my host's website and so I know that when I ftp in
>to myDomain.com this is what is "there":
>
>index.htm
>page1.htm
>page2.htm
>.public_html/
>images/
>etc. etc.

Andy:

Sorry, I didn't catch all of the thread, but this is my drift.

When you access your site (http://yourdomain.com) via a browser, do
you see the above index.htm?

If so, and you want to stay with that host, then leave the
.public_html/ folder alone, and build your site using WinFTP, or
whatever.

If you want to change permissions for a file from within a php
script, then ftp into your site (using ftp_login), change the parent
folder permissions, do your file thing (upload, delete, save, etc.),
and then change the parent folder permissions back and it's done.

At least that's the way I do it working on a shared host and it works for
me.

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

Re: [PHP] File Upload Security and chmod

2006-09-23 Thread tedd 

At 7:19 PM -0600 9/22/06, Andy Hultgren wrote:

For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I know that when I ftp in
to myDomain.com this is what is "there":

index.htm
page1.htm
page2.htm
.public_html/
images/
etc. etc.


Andy:

Sorry, I didn't catch all of the thread, but this is my drift.

When you access your site (http://yourdomain.com) via a browser, do 
you see the above index.htm?


If so, and you want to stay with that host, then leave the 
.public_html/ folder alone, and build your site using WinFTP, or 
whatever.


If you want to change permissions for a file from within a php 
script, then ftp into your site (using ftp_login), change the parent 
folder permissions, do your file thing (upload, delete, save, etc.), 
and then change the parent folder permissions back and it's done.


At least that's the way I do it working on a shared host and it works for me.

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-23 Thread Børge Holen 
On Saturday 23 September 2006 01:27, you wrote:
> Hi Borge,
>
> host/users/myDomain is the actual directory (and it's the root
> directory), and I do not have access to higher directories.  So
> basically I do not have access to directories higher than my root
> directory, which is unfortunate.  Also, the way the server is setup
> that I am on, I do not have access to the server's tmp file (it is not
> shared), I have my own tmp file in my root directory that I use.  I
> don't know of any other system-wide read/write directory available
> either.  I'd be putting a lot of data there too (customer uploaded
> images) so I really should save them somewhere in my directory and not
> in the common server space.
>
> You can start to see my bind... :(  Any thoughts greatly appreciated!
>
> Andy

Sounds like cheap b-one hosting of sorts...
thoughts? yes dont use it... Yer site will probably quickly become a playing 
ground for other than yerself. A file have to stay inside a quarantined area 
for a sanity check before let loose on the system.
Probably the cache of the browser ... for the I can see the page stuff. dunno.

But as I said: Change yer hosting, to something useable and safe.

>
> On 9/22/06, Børge Holen <[EMAIL PROTECTED]> wrote:
> > On Friday 22 September 2006 22:58, Andy Hultgren wrote:
> > > Hi,
> > > I am relatively new to php and am trying to set up a file upload
> > > process for my website.  I have read through the php security
> > > documentation and a number of the security-related questions on these
> > > lists and am attempting to implement as many of the measures as
> > > possible.
> > > One of the suggestions I have read is to have the uploaded files saved
> > > somewhere outside of your root directory.  Unfortunately I cannot do
> > > that as my root directory is simply www.myDomain.com and not
> > > ".public_html/" and I am on a shared server where my root cannot be
> > > changed (I have already asked).  So, I am trying to keep the
> > > permissions on my "saved_files" folder as tight as possible except
> > > when the actual upload occurs.  I this as follows:
> > >
> > > 1) The actual file upload comes through Flash8, and when the user
> > > uploads a file it is sent to
> > > www.domain.com/flash8directory/upload.php, which is in the same
> > > directory as the Flash8 upload application.
> > > 2) upload.php first chmod 0740 the "saved_files" folder (which is
> > > located at www.domain.com/flash8directory/saved_files/).  Then it does
> > > security checks to make sure an appropriate image has been uploaded,
> > > and if everything looks good it moves the uploaded file to
> > > "saved_files".
> > > 3) The Flash8 upload application is notified of the completion of the
> > > upload and downloads the new image it its viewer.
> > > 4) Once the download is complete and Flash8 no longer needs to work
> > > with the file, the Flash8 application notifies a separate php script
> > > by sending the variable "complete=1" to lockdown.php (located at
> > > www.domain.com/flash8directory/lockdown.php), which runs the following
> > > simple script:
> > >
> > >  > >
> > > $success = 0;
> > > $complete = $_POST['complete'];
> > >
> > > if ($complete==1) {
> > >   if(chmod("./saved_files", 0100)) {
> > >  success = yes;
> > >   echo "success=yes";
> > >   }
> > > }
> > > ?>
> > >
> > > This script works and "saved_files" is set to chmod 0100, but here is
> > > the problem.  If I then navigate directly to the url of the uploaded
> > > file by entering its path in my
> > > browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
> > > the uploaded file appears in my browser!  However, if I then refresh
> > > the browser I get the desired error message saying I do not have
> > > permission to access that file.  Also, other browser windows never
> > > have access to view the uploaded file, only the browser from which the
> > > file was uploaded.
> > >
> > > Any thoughts on why I can view the uploaded file even though it has
> > > been set to chmod 0100?  I'd really rather not have those files
> > > accessible to anyone, as an extra security layer.
> > >
> > > Thank you for your help!
> > >
> > > Andy
> >
> > I don't quite understand why you cannot save to another catalog.
> > is  www.myDomain.com yer actual directory name of merely the domain?
> > If either, login to yer domain and simply go either one step up, is that
> > possible?
> > You can also make use of a .htaccess file inside a sub directory to keep
> > others from it till you have checked the file, then move it out in the
> > open or delete after specifications.
> >
> > Do you have access to /tmp ? That one is possible to use, in fact any
> > system wide directory writable by any/you is usable.
> >
> > --
> > ---
> > Børge
> > Kennel Arivene
> > http://www.arivene.net
> > ---
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php

--

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren 

For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I know that when I ftp in
to myDomain.com this is what is "there":

index.htm
page1.htm
page2.htm
.public_html/
images/
etc. etc.

Currently nothing is stored in my .public_html directory since it is
not my root (and my website loads just fine when browsed to).

I don't ftp in from DreamWeaver and it isn't an issue of going
straight to public_html just to skip the cd step.  public_html just
isn't set up as my root directory and I have no directories accessable
that are higher than my root.

So, since I have no access to directories outside of my root, do you
really think I should change that before allowing file uploads?
(either by changing servers or just bugging my server adminstrator
until he changes it).  I currently check extension type and then image
type using get_image_size(); and also files with image extensions are
not executable on the server.  However, from what I've read I
understand that those steps are the minimum in terms of file upload
security.

Also, I'd be curious still to hear why I can browse to a file in a
directory that has been set with chmod 0100.  I really didn't expect
that.

Thanks again very much for your thoughts,

Andy


On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:



I may have hit "send" too soon...

Like, when you do FTP, do you see:

index.htm
page2.htm
page3.htm

right away?

*OR*, do you see:
public_html

And then you do "cd public_html" and THEN you see the files?

If you don't do "cd public_html" then I really don't think accepting
file uploads is a Good Idea, unless you have access to /tmp or
something to put the files in...

If you do "cd public_html" then you actually HAVE space outside your
webtree.  Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you
do "cd public_html" and you'll have an uploads dir outside the webtree
where you can put stuff.

NOTE:
Some fancy FTP tools like DreamWeaver and whatnot will convince you to
put "public_html" into some input box somewhere, to give you the
convenience of not needing to "cd public_html" -- which then means you
never *SEE* that you have space outside your webtree...  Stop doing
that.  An extra click or whatever to get into public_html is not that
big of a deal.

On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it?  If I can get the
> chmod thing to make it so that you can't surf to your uploaded image
> afterwards and view it, I'd be happy with that solution.  I'd like to
> stick with this host if I could.
>
> On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
>> > that as my root directory is simply www.myDomain.com and not
>> > ".public_html/" and I am on a shared server where my root cannot
>> be
>>
>> I got two words for you:
>>
>> Change Hosts
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>
>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


--
Like Music?
http://l-i-e.com/artists.htm





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Richard Lynch 


I may have hit "send" too soon...

Like, when you do FTP, do you see:

index.htm
page2.htm
page3.htm

right away?

*OR*, do you see:
public_html

And then you do "cd public_html" and THEN you see the files?

If you don't do "cd public_html" then I really don't think accepting
file uploads is a Good Idea, unless you have access to /tmp or
something to put the files in...

If you do "cd public_html" then you actually HAVE space outside your
webtree.  Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you
do "cd public_html" and you'll have an uploads dir outside the webtree
where you can put stuff.

NOTE:
Some fancy FTP tools like DreamWeaver and whatnot will convince you to
put "public_html" into some input box somewhere, to give you the
convenience of not needing to "cd public_html" -- which then means you
never *SEE* that you have space outside your webtree...  Stop doing
that.  An extra click or whatever to get into public_html is not that
big of a deal.

On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it?  If I can get the
> chmod thing to make it so that you can't surf to your uploaded image
> afterwards and view it, I'd be happy with that solution.  I'd like to
> stick with this host if I could.
>
> On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
>> > that as my root directory is simply www.myDomain.com and not
>> > ".public_html/" and I am on a shared server where my root cannot
>> be
>>
>> I got two words for you:
>>
>> Change Hosts
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>
>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren 

So pretty much there's nothing to be done about it?  If I can get the
chmod thing to make it so that you can't surf to your uploaded image
afterwards and view it, I'd be happy with that solution.  I'd like to
stick with this host if I could.

On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:

On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be

I got two words for you:

Change Hosts

--
Like Music?
http://l-i-e.com/artists.htm





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Richard Lynch 
On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be

I got two words for you:

Change Hosts

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Børge Holen 
On Friday 22 September 2006 22:58, Andy Hultgren wrote:
> Hi,
> I am relatively new to php and am trying to set up a file upload
> process for my website.  I have read through the php security
> documentation and a number of the security-related questions on these
> lists and am attempting to implement as many of the measures as
> possible.
> One of the suggestions I have read is to have the uploaded files saved
> somewhere outside of your root directory.  Unfortunately I cannot do
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be
> changed (I have already asked).  So, I am trying to keep the
> permissions on my "saved_files" folder as tight as possible except
> when the actual upload occurs.  I this as follows:
>
> 1) The actual file upload comes through Flash8, and when the user
> uploads a file it is sent to
> www.domain.com/flash8directory/upload.php, which is in the same
> directory as the Flash8 upload application.
> 2) upload.php first chmod 0740 the "saved_files" folder (which is
> located at www.domain.com/flash8directory/saved_files/).  Then it does
> security checks to make sure an appropriate image has been uploaded,
> and if everything looks good it moves the uploaded file to
> "saved_files".
> 3) The Flash8 upload application is notified of the completion of the
> upload and downloads the new image it its viewer.
> 4) Once the download is complete and Flash8 no longer needs to work
> with the file, the Flash8 application notifies a separate php script
> by sending the variable "complete=1" to lockdown.php (located at
> www.domain.com/flash8directory/lockdown.php), which runs the following
> simple script:
>
> 
> $success = 0;
> $complete = $_POST['complete'];
>
> if ($complete==1) {
>   if(chmod("./saved_files", 0100)) {
>  success = yes;
>   echo "success=yes";
>   }
> }
> ?>
>
> This script works and "saved_files" is set to chmod 0100, but here is
> the problem.  If I then navigate directly to the url of the uploaded
> file by entering its path in my
> browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
> the uploaded file appears in my browser!  However, if I then refresh
> the browser I get the desired error message saying I do not have
> permission to access that file.  Also, other browser windows never
> have access to view the uploaded file, only the browser from which the
> file was uploaded.
>
> Any thoughts on why I can view the uploaded file even though it has
> been set to chmod 0100?  I'd really rather not have those files
> accessible to anyone, as an extra security layer.
>
> Thank you for your help!
>
> Andy

I don't quite understand why you cannot save to another catalog.
is  www.myDomain.com yer actual directory name of merely the domain?
If either, login to yer domain and simply go either one step up, is that 
possible? 
You can also make use of a .htaccess file inside a sub directory to keep 
others from it till you have checked the file, then move it out in the open 
or delete after specifications.

Do you have access to /tmp ? That one is possible to use, in fact any system 
wide directory writable by any/you is usable.

-- 
---
Børge
Kennel Arivene 
http://www.arivene.net
---

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren 

Hi,
I am relatively new to php and am trying to set up a file upload
process for my website.  I have read through the php security
documentation and a number of the security-related questions on these
lists and am attempting to implement as many of the measures as
possible.
One of the suggestions I have read is to have the uploaded files saved
somewhere outside of your root directory.  Unfortunately I cannot do
that as my root directory is simply www.myDomain.com and not
".public_html/" and I am on a shared server where my root cannot be
changed (I have already asked).  So, I am trying to keep the
permissions on my "saved_files" folder as tight as possible except
when the actual upload occurs.  I this as follows:

1) The actual file upload comes through Flash8, and when the user
uploads a file it is sent to
www.domain.com/flash8directory/upload.php, which is in the same
directory as the Flash8 upload application.
2) upload.php first chmod 0740 the "saved_files" folder (which is
located at www.domain.com/flash8directory/saved_files/).  Then it does
security checks to make sure an appropriate image has been uploaded,
and if everything looks good it moves the uploaded file to
"saved_files".
3) The Flash8 upload application is notified of the completion of the
upload and downloads the new image it its viewer.
4) Once the download is complete and Flash8 no longer needs to work
with the file, the Flash8 application notifies a separate php script
by sending the variable "complete=1" to lockdown.php (located at
www.domain.com/flash8directory/lockdown.php), which runs the following
simple script:



This script works and "saved_files" is set to chmod 0100, but here is
the problem.  If I then navigate directly to the url of the uploaded
file by entering its path in my
browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
the uploaded file appears in my browser!  However, if I then refresh
the browser I get the desired error message saying I do not have
permission to access that file.  Also, other browser windows never
have access to view the uploaded file, only the browser from which the
file was uploaded.

Any thoughts on why I can view the uploaded file even though it has
been set to chmod 0100?  I'd really rather not have those files
accessible to anyone, as an extra security layer.

Thank you for your help!

Andy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload security

2003-01-23 Thread peter a 

Files in web folders should usually be 755
  /peter a



At 2003-01-23 11:15, Marco Alting wrote:
>Hi, I have a php script which uploads file to a webserver. The idea is that
>anyone can upload files, but only another php script can read the files. At
>this moment I think someone is deleting file from my upload folder. What
>CHMOD settings do I need to secure this?
>
>
>
>-- 
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] File upload security

2003-01-23 Thread Marco Alting 
Hi, I have a php script which uploads file to a webserver. The idea is that
anyone can upload files, but only another php script can read the files. At
this moment I think someone is deleting file from my upload folder. What
CHMOD settings do I need to secure this?



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php