Re: Making Dir writable by WordPress

2012-08-09 Thread Eric Cope
Not sure of the other security issues, but you can run suPHP which runs PHP
as a normal user, which then you can assign tight permissions...

Eric

On Thu, Aug 9, 2012 at 8:48 PM, Lisa Kachold wrote:

> Postscript:
>
> You can use HTEXPLOIT to bypass any .htaccess permissions:
>
> HTExploit is an open-source tool written in Python that exploits a
> weakness in the way that htaccess files can be configured to protect a web
> directory with an authentication process. By using this tool anyone would
> be able to list the contents of a directory protected this way, bypassing
> the authentication process.
>
>
> http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler
>
> On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold wrote:
>
>> Hi Keith,
>>
>>
>> On Wed, Aug 8, 2012 at 11:50 AM, keith smith wrote:
>>
>>>
>>> Hi,
>>>
>>> I need to make a directory writable so WordPress can upload images to
>>> the directory.  I'm thinking I need to change the group ownership of the
>>> directory to Apache with the user remaining the same.  In the past I've
>>> changed the group and ownership to Apache and was blocked from FTP access
>>> after that.
>>>
>>> Any security issues I need to be aware of?  Other approaches?
>>>
>>> Any advice is much welcomed!!  Thank you for your help!!
>>>
>>> 
>>> Keith Smith
>>>
>>
>> Known Issue:  Wordpress asks for a directory location: you set it up as
>> 755 and it won't work.
>>
>> Wordpress works, of course, from PHP and Apache.  So in order to allow
>> for Apache ftp you would need to make it writable by Apache and other.
>> If you change the group writable permissions your ftp breaks (so don't do
>> that!):
>>
>> Here's more on it:
>> http://wordpress.org/support/topic/advanced-problem-image-upload
>>
>> http://wordpress.org/support/topic/151290
>>
>> Solution:
>>
>> You need to use "chmod 777" for uploads to work.
>>
>> Security Issues:
>>
>> This is a security risk of course, since there are many spider scrapers
>> looking for an open permission directory to be able to write, say a fake
>> Phishing Site page for UPS with an email results script.
>>
>> Solution: (from Wordpress documentation):
>>
>> Base image directory
>>
>> The base image directory must be world writable i.e.: chmod 777
>> Base image URL
>>
>> The URL to the base image directory, the web browser needs to be able to
>> see it.
>>
>> Note that the directory can be protected via .htaccess on apache; check
>> your web server documentation for further information on directory
>> protection. If this directory has to be publicly accessible, remove
>> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
>> only want to store images in this directory and its subdirectories.
>>
>> On apache you can create the following .htaccess file in your base image
>> directory:
>>
>> 
>> order deny,allow
>> deny from all
>>  
>>
>>
>>
>> --
>> (503) 754-4452 Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> Safeway.com
>> Automation Engineer
>>
>
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> Safeway.com
> Automation Engineer
---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Re: Making Dir writable by WordPress

2012-08-09 Thread Lisa Kachold
Postscript:

You can use HTEXPLOIT to bypass any .htaccess permissions:

HTExploit is an open-source tool written in Python that exploits a weakness
in the way that htaccess files can be configured to protect a web directory
with an authentication process. By using this tool anyone would be able to
list the contents of a directory protected this way, bypassing the
authentication process.


http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler

On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold wrote:

> Hi Keith,
>
>
> On Wed, Aug 8, 2012 at 11:50 AM, keith smith wrote:
>
>>
>> Hi,
>>
>> I need to make a directory writable so WordPress can upload images to the
>> directory.  I'm thinking I need to change the group ownership of the
>> directory to Apache with the user remaining the same.  In the past I've
>> changed the group and ownership to Apache and was blocked from FTP access
>> after that.
>>
>> Any security issues I need to be aware of?  Other approaches?
>>
>> Any advice is much welcomed!!  Thank you for your help!!
>>
>> 
>> Keith Smith
>>
>
> Known Issue:  Wordpress asks for a directory location: you set it up as
> 755 and it won't work.
>
> Wordpress works, of course, from PHP and Apache.  So in order to allow for
> Apache ftp you would need to make it writable by Apache and other. If
> you change the group writable permissions your ftp breaks (so don't do
> that!):
>
> Here's more on it:
> http://wordpress.org/support/topic/advanced-problem-image-upload
>
> http://wordpress.org/support/topic/151290
>
> Solution:
>
> You need to use "chmod 777" for uploads to work.
>
> Security Issues:
>
> This is a security risk of course, since there are many spider scrapers
> looking for an open permission directory to be able to write, say a fake
> Phishing Site page for UPS with an email results script.
>
> Solution: (from Wordpress documentation):
>
> Base image directory
>
> The base image directory must be world writable i.e.: chmod 777
> Base image URL
>
> The URL to the base image directory, the web browser needs to be able to
> see it.
>
> Note that the directory can be protected via .htaccess on apache; check
> your web server documentation for further information on directory
> protection. If this directory has to be publicly accessible, remove
> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
> only want to store images in this directory and its subdirectories.
>
> On apache you can create the following .htaccess file in your base image
> directory:
>
> 
>  order deny,allow
>  deny from all
>   
>
>
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> Safeway.com
> Automation Engineer


-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
Safeway.com
Automation Engineer

Re: Making Dir writable by WordPress

2012-08-08 Thread Lisa Kachold
Hi Keith,

On Wed, Aug 8, 2012 at 11:50 AM, keith smith  wrote:

>
> Hi,
>
> I need to make a directory writable so WordPress can upload images to the
> directory.  I'm thinking I need to change the group ownership of the
> directory to Apache with the user remaining the same.  In the past I've
> changed the group and ownership to Apache and was blocked from FTP access
> after that.
>
> Any security issues I need to be aware of?  Other approaches?
>
> Any advice is much welcomed!!  Thank you for your help!!
>
> 
> Keith Smith
>

Known Issue:  Wordpress asks for a directory location: you set it up as 755
and it won't work.

Wordpress works, of course, from PHP and Apache.  So in order to allow for
Apache ftp you would need to make it writable by Apache and other. If
you change the group writable permissions your ftp breaks (so don't do
that!):

Here's more on it:
http://wordpress.org/support/topic/advanced-problem-image-upload

http://wordpress.org/support/topic/151290

Solution:

You need to use "chmod 777" for uploads to work.

Security Issues:

This is a security risk of course, since there are many spider scrapers
looking for an open permission directory to be able to write, say a fake
Phishing Site page for UPS with an email results script.

Solution: (from Wordpress documentation):

Base image directory

The base image directory must be world writable i.e.: chmod 777
Base image URL

The URL to the base image directory, the web browser needs to be able to
see it.

Note that the directory can be protected via .htaccess on apache; check
your web server documentation for further information on directory
protection. If this directory has to be publicly accessible, remove
scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
only want to store images in this directory and its subdirectories.

On apache you can create the following .htaccess file in your base image
directory:


   order deny,allow
   deny from all




-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
Safeway.com
Automation Engineer
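
Added example, not part of the thread and not WordPress's own code: a shell sketch of the approach the original question proposes (keep the owner, hand the directory to the web server's group) together with a check for the two risks raised above, world-writable entries and script files in the image directory. The function names are hypothetical, and the group the web server runs as is an assumption passed in by the caller.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the uploads path and the
# web server's group are supplied by the caller (assumptions, not page values).

# Give the web server's group write access without opening the tree to "other".
# $1 = uploads directory, $2 = group the web server runs as
restrict_uploads() {
    chgrp -R "$2" "$1" || return 1
    # Directories: rwx for owner and group, setgid so new files inherit the group.
    find "$1" -type d -exec chmod 2775 {} + || return 1
    # Files: rw for owner and group, read-only for other, never executable.
    find "$1" -type f -exec chmod 664 {} + || return 1
}

# Print every entry under $1 that is still world-writable (o+w set).
list_world_writable() {
    find "$1" -perm -0002 ! -type l -print
}

# Print files under $1 whose extension a server could hand to PHP, Perl or CGI.
list_script_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.pl' -o -iname '*.cgi' \) -print
}

# Return 0 when the tree is clean, 1 when either check finds something.
audit_uploads() {
    ww=$(list_world_writable "$1")
    scripts=$(list_script_files "$1")
    [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
    [ -n "$scripts" ] && printf 'script files:\n%s\n' "$scripts"
    [ -z "$ww" ] && [ -z "$scripts" ]
}
```

With the owner left unchanged, the account that uploads over FTP keeps its access while the web server writes through the group bits.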

Making Dir writable by WordPress

2012-08-08 Thread keith smith

Hi,

I need to make a directory writable so WordPress can upload images to the 
directory.  I'm thinking I need to change the group ownership of the directory 
to Apache with the user remaining the same.  In the past I've changed the group 
and ownership to Apache and was blocked from FTP access after that.

Any security issues I need to be aware of?  Other approaches?

Any advice is much welcomed!!  Thank you for your help!!



Keith Smith