osCommerce

Hack Attempt Or Pure Nastiness!!! Unsure


Pappa Smurf


Hack attempt, maybe, unsure!! When adding product images, the image directory has to be set to 777 (writable). After doing this and adding my products, all was great until, like a week later, my site's complete image directory got wiped out. Anyone else have a problem with this??


Any time you are running chmod 777 permissions on a shared server, you are INVITING trouble. One of my pet peeves is the middle permission, given to your group ... whenever I see discussions of permissions on *NIX type systems, people always say 755, 777, 754, 654, etc. All of these could have (read: should have) been written 705, 707, 704, 604, etc. at a bare minimum. There is no reason I can imagine to grant "group" write permissions!


More importantly, this leads me a bit to the subject of running php scripts as the user "nobody" on a shared server. When you have permissions set to 777, 707, 607 etc. you are giving the WORLD the permission to write to your directories and files with such permissions as shown.


One of the sponsors of osCommerce, pair Networks (look in the upper right corner of this page!) makes available the possibility to install your own php as a cgi, and execute your php scripts wrapped. Here is how pair defines this process:


php-cgiwrap is a "script wrapper" that lets your scripts execute under your own userid and group instead of user nobody and group www. It works in the same fashion as cgiwrap, but handles paths in such a way that it can be used to run PHP pages under your own userid. This allows you to use chmod 700 to lock out other users on the server from viewing the source code. This can be especially important if you are interfacing with a MySQL database, to prevent people from obtaining your password.


I wish more webhosting companies would catch on to this practice, and modify their accounts such that a similar process can be run for ALL persons on a shared server.


This isn't a commercial plug for pair Networks, this is simply information about their way of executing php scripts that is IMHO safer and much more secure than running chmod 777 on a directory! Anyway, given their sponsor status, nobody should complain. :twisted: I simply like the way they allow cgi installs of php to run wrapped. It's too cool.


That's my story, and I am sticking to it!

DTOM - mmm' k
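The rule the reply lays out (clear the group digit, never hand "other" a write bit) made mechanical, as an added example that is not code from either poster: the helpers rewrite modes the way the reply does and audit a constructed sample tree for world-writable entries, the state the first poster's images directory was left in. The sample tree and its paths are constructed for the demonstration; only the mode numbers come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). The reply's rule: the middle ("group")
# digit of a mode should not grant write, and a 7 or 6 in the last digit hands
# write access to the whole world on a shared host. These helpers apply it.

# harden_mode OCTAL: print the mode with the group digit cleared, exactly as
# the reply rewrites 755 -> 705, 777 -> 707, 754 -> 704 and 654 -> 604.
harden_mode() {
    m=$((0$1))                 # a leading 0 makes the shell parse it as octal
    printf '%d0%d\n' $(( (m >> 6) & 7 )) $(( m & 7 ))
}

# world_writable OCTAL: succeed (exit 0) when "other" has the write bit set.
world_writable() {
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# list_world_writable DIR: print every world-writable file or directory under
# DIR, which is what a chmod 777 images/ directory looks like to the server.
list_world_writable() {
    find "$1" -perm -o+w
}

# make_sample_tree: build a constructed, throwaway tree shaped like a shop's
# web root (one 777 directory, one 666 file, the rest sane) and print its
# path so the audit can be shown offline. Paths are made up for the example.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images/products" "$root/includes"
    : > "$root/images/products/logo.gif"
    : > "$root/includes/configure.php"
    chmod 777 "$root/images"                     # the setting the reply warns about
    chmod 666 "$root/images/products/logo.gif"   # world-writable file
    chmod 755 "$root/images/products" "$root/includes"
    chmod 644 "$root/includes/configure.php"
    printf '%s\n' "$root"
}

# Demonstration: audit the sample tree, then show the hardened equivalents.
root=$(make_sample_tree)
echo "World-writable entries under $root:"
list_world_writable "$root"
for m in 755 777 754 654; do
    printf 'chmod %s -> chmod %s\n' "$m" "$(harden_mode "$m")"
done
rm -rf "$root"
```

Running `list_world_writable` against a real document root is the quick way to find what a one-off `chmod 777` left behind; `harden_mode` only computes the replacement, it does not change anything on disk.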


Archived

This topic is now archived and is closed to further replies.
