No1Son Posted May 9, 2007

Hi everyone, I am looking for a solution to a recent problem we just encountered, if possible. I have searched through hundreds of threads but can't seem to find a definitive solution. Just recently we got hacked; nothing too malicious, but the worry factor is that they could have done a lot of damage if they'd wanted to. We had 7 osCommerce sites have files placed in the images folder. After investigating the cause, it appears that this folder needs permissions of 777 for it to work properly, i.e. serve images to the web and also allow images to be uploaded via admin. I found loads of posts talking about PHP running as root and it appears that ours is too, but we looked into changing this and that's an even bigger headache! We also found lots of mentions about securing the images folder by adding some code to the .htaccess file, but what we can't find is what code we would need to add, and I guess the big question is: would it solve our problem? Sorry to sound totally pathetic on this matter, but I guess the truth is I am, so any advice would be appreciated.
unixfox Posted May 9, 2007

You don't want 777 on the folders. That is giving read/write/execute permissions to everyone. You want 755; that gives others read/execute only, and they can't write to the folder. Another thing to do (if you have the capability with your control panel) is to restrict that folder from ever being displayed at all, or at least password protect it. Hope that helps.
No1Son Posted May 9, 2007 (Author)

Yes, we know the problem is with 777 on the folder, but if we don't run it at that, admin control can't upload files to the images folder. We also have cPanel and can password protect the folder, but we tried this and it asks for a password when you view the site via the web, so that's down the pan as well. Now the interesting one is that you kindly mentioned hiding the folder. Two things, if I may: 1) will this stop people from accessing it? and 2) if so, any idea how to hide it? Cheers for the advice.
evalguy Posted May 9, 2007

You can get a lot of .htaccess info and tutorials on the web through Google. In the meanwhile, are you worried about people being able to view the image directory contents? If so, you can add an index.html (or default.htm, or whatever your web server uses as default) file with a comment that the directory is not viewable. However, if someone views the page source and gets the path to any image, they'll be able to type in that path and get the image itself. Not sure how you'll stop that, or if .htaccess can even stop that. -Neil.
usernamenone Posted May 10, 2007

First thing you should do is place a blank index.html web page inside your images folder. Second, you only need 0777 permissions on your images folder while updating your products and adding images to that folder. Once you are finished uploading images, you should make sure your images are read-only again.
No1Son Posted May 10, 2007 (Author)

Hi Lola, I am guessing that the blank HTML file will stop them seeing what's in the folder if they were to access it directly? Also, the changing of permissions would be a nightmare as the customers aren't very net savvy at all, so asking them to maybe FTP into the folder and chmod it every time they want to do anything is probably going to be a worse situation than the site getting hacked. I found a contribution called "protection-of-configuration". It seems that this adds a button to admin to change the file permissions on the 2 config files by just a click of a button; seems very simple if it works as it says. I was wondering if maybe this could be changed to make the images folder do the same. Any comments would be appreciated if someone has maybe tried this!
oschellas Posted May 10, 2007

I hope you went through this thread before?
No1Son Posted May 10, 2007 (Author)

Thanks Hell... that's one we missed. We will add the file to the images directory now, so that solves one of the problems, but it would be good if anyone knows of a solution to stop the files from getting there in the first place. Just backtracking a little: what if we changed the owner of the file to be the user instead of root? Has anyone tried this and got any joy with the results? I have seen it mentioned that PHP can be set to run as users instead of root, but this option is far too technical for us guys too, unfortunately.
No1Son Posted May 10, 2007 (Author)

Update: so far so good! We have created a .htaccess file with the following:

    # no directory listing, no CGI execution in this folder
    Options -Indexes
    Options -ExecCGI
    # switch off mod_php for this folder (has no effect when PHP runs as CGI/FastCGI)
    php_flag engine Off
    # refuse to serve script files at all
    <FilesMatch "\.(php|pl|sh|cgi)$">
        # note: <Limit> restricts only the listed methods; a bare
        # "deny from all" without <Limit> covers every request method
        <Limit GET PUT POST>
            order deny,allow
            deny from all
        </Limit>
    </FilesMatch>

This seems to be working so far and saved the hassle of creating a blank .html file. If anyone has any input on something we have missed, please comment away. Cheers.
phill88 Posted May 20, 2007

Dude, have you ever tried creating a mini password system with MySQL? They could request the picture file name from SQL.
Guest Posted May 20, 2007

"We had 7 osCommerce sites have files placed in the images folder. After investigating the cause, it appears that this folder needs permissions of 777 for it to work properly, i.e. serve images to the web and also allow images to be uploaded via admin. I found loads of posts talking about PHP running as root and it appears that ours is too, but we looked into changing this and that's an even bigger headache! We also found lots of mentions about securing the images folder by adding some code to the .htaccess file, but what we can't find is what code we would need to add, and I guess the big question is: would it solve our problem?"

Why's that a bigger headache? If you have a dedicated server you should be able to set it up easily. http://www.oscommerce.com/forums/index.php?s=&...st&p=905340 Make sure PHP runs with the correct group ownership. Then you should be able to set the folders to 755.
Guest Posted May 22, 2007

Just came across this and thought I would ramble on for a bit... :-)

The issues raised in this post come up time and time again.

Firstly, DO NOT just blindly set file permissions to "777" or "755" or whatever. Instead, read the manual and UNDERSTAND what file permissions are and how they relate to users and groups. It is plain WRONG to just say "set file permissions to bla bla bla"; it's completely meaningless without first fully understanding what user the web server is running as, what user the "user" is logged in as, etc. The only advice that is meaningful with regard to file permissions is to restrict them as far as possible. Any more than this depends on knowing more about the system (see above).

Secondly, there is no point in setting any kind of password to restrict reading of the images directory. If you do, how is the customer going to display the images in their web browser?

Thirdly, the web server should not run as user root! BAD BAD BAD!!!!!

---------------------------------------------------------------------

If you can find an alternative to updating the images rather than through the admin pages of OSC, then do so. In order to update images from the admin pages, you MUST allow the web server to write to the images directory. This is a BAD thing and is the most fundamental reason why you got hacked (though things shouldn't have been allowed to get that far anyway).

A good alternative is to do something like the following....

Run your web server as (say) user "www".

Make the images directory user/group/permissions something like....
user: rich (assuming 'rich' is the user you use to log in to your system command line)
group: www
Permissions: 750

Set up your web server so that it does not allow uploading of data (see the web server manual for details).

Write some little scripts that you can run (as user "rich") that will update the images directory for you (I use scp to copy the images to my server and then run a script on the server that transfers the images to the images directory). You should also make sure the script ensures that the correct permissions are set for the image files you have updated.

If you do this then you (as user "rich") can update the images directory, the web server can read the images in the images directory, but the web server (and indeed nobody else but "rich") cannot write to the images directory. This is GOOD.

While you are at it, make sure ALL the files (.php etc.) in the OSC source tree are set to permissions of 440 and the directories to 550.

---------------------------------------------------------------------

I think the whole "update images" feature of the admin pages is rubbish because it forces you to compromise your web security (otherwise it won't work). The above solution is much better and MUCH more secure.

Rich.
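The "little script" Rich describes, written out as an added example (it is not code from the thread or from osCommerce): it copies staged images into the images directory, then enforces owner-writable, group-readable permissions so the web server's group can read but never write. The accepted image extensions and the optional GROUP argument are my assumptions; the directory layout is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Stages images into the web
# images directory the way Rich describes: the login user owns the tree,
# the web server's group can only read it, and nobody else can touch it.
# Assumptions: STAGING holds the files you copied up (e.g. with scp);
# GROUP, if given, is the group the web server runs as (e.g. "www").
set -eu

# Only image extensions are accepted (assumed list; extend as needed).
is_image() {
    case "$1" in
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
        *) return 1 ;;
    esac
}

# deploy_images STAGING IMAGESDIR [GROUP]
# Copies images, then sets directories to 750 and files to 640.
# Prints the number of refused (non-image) files on stdout.
deploy_images() {
    staging=$1; imagesdir=$2; group=${3:-}
    refused=0
    mkdir -p "$imagesdir"
    for f in "$staging"/*; do
        [ -f "$f" ] || continue
        if is_image "$f"; then
            cp "$f" "$imagesdir/"
        else
            echo "refused: $f (not an image)" >&2
            refused=$((refused + 1))
        fi
    done
    find "$imagesdir" -type d -exec chmod 750 {} +
    find "$imagesdir" -type f -exec chmod 640 {} +
    # chgrp only works if you are a member of GROUP (or root); skipped
    # when no group is given so the script also runs on a plain account.
    if [ -n "$group" ]; then
        chgrp -R "$group" "$imagesdir"
    fi
    echo "$refused"
}

# Sanity check after deployment: count files under DIR that are group or
# world writable, or executable by anyone. A healthy tree gives 0.
count_bad_perms() {
    find "$1" -type f \( -perm -020 -o -perm -002 \
        -o -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' '
}
```

Run it as the owning user after each scp; a non-zero refused count or a non-zero bad-permission count is the signal to look at what landed in the staging area.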
No1Son Posted June 1, 2007 (Author)

Thanks everyone for all the advice and help. I guess what some of this boils down to is experience and knowledge of not just the program but the server and environment it's running on. CMOTD, what you're saying sounds great for many reasons, but I guess my technical ability to instigate this type of configuration on my server is far beyond my capabilities for the moment! I think the long-term solution is to find a better hosting company that can give me better server support when I need it. Mine has been great up till now, but all they're interested in is talking about STD, STD, STD configuration and upgrades, where I am sure that I am not the only one to come across programs and configurations that need to be a bit more bespoke! And that's where I get left hanging in mid air... lol. If anyone knows of a freelancer that is good with servers then I would appreciate a PM with their details :thumbsup: Thanks once again for all the advice.