
[resolved] CHMOD Security Issue (16 posts)

  1. leMaxim
    Member
    Posted 8 years ago #

    This deals with my concerns in this thread:
    http://wordpress.org/support/topic/77231

    (According to Yosemite, in the above thread) my hosting environment needs a plugin directory (image-headlines) to be chmodded to 777 in order to function.

    Is this, or is this not, a security vulnerability?
    -If so, what are the possible consequences?
    -Can somebody modify/delete my files?
    -Exploit my PHP?

    -If so, how can I prevent it while maintaining 777?

    Thanks in advance!

  2. MichaelH
    Member
    Posted 8 years ago #

    Maybe this Codex article might help:
    http://codex.wordpress.org/Hardening_WordPress

    The Codex seems down right this second, so if needed, check the cached copy at Google.

  3. leMaxim
    Member
    Posted 8 years ago #

    It doesn't exactly address my issue...

  4. lhk
    Member
    Posted 8 years ago #

    Hi,

    yes it is. I'd talk to your host. 755 should suffice with a secure and tight server setup.

    And if the host doesn't change, I'd change the host. Bound to eventually be in trouble you are. And there are quite many good hosts with an eye on security out there.

  5. leMaxim
    Member
    Posted 8 years ago #

    Yeah... my host is nearlyfreespeech.net; their PHP is in safe mode and setup is a pain. But it gets the job done. Grr. So if I have the dir on 777, what's the worst that can happen?

  6. lhk
    Member
    Posted 8 years ago #

    Then change your host. There are quite a few really good ones out there.

  7. leMaxim
    Member
    Posted 8 years ago #

    I know, but I'm asking, what's the worst that can happen? What kind of exploits?

  8. yosemite
    Member
    Posted 8 years ago #

    Someone else could read/explore the directory. Beyond that you have to look at the permissions on the files inside, as well as their owner/group.

    The quick answer is don't worry. Between Safe Mode and your host's security, the only salient concern is that someone could read the files in that directory. As long as there's no seekrit, sensitive info in those files, you'll be OK.

  9. leMaxim
    Member
    Posted 8 years ago #

    That's interesting. Well, I can't even explore the directory when I type it in. But nobody can delete/modify those files?

  10. manstraw
    Member
    Posted 8 years ago #

    Exploring the directory can be separately disabled.

    The real risk comes from someone else who has access to your server. Perhaps another web account on the same server, or a poorly written PHP script that allows a program to be uploaded that pretends to be a picture. Let's say you let people upload pics without any checks, and a hacker uses it to upload a program. If you have execute access to the directory, he might be able to use that space to install *and run* his program.

    Now, these days, a chmod of 777 is not as risky as it sounds, at least not on a server-wide level. It's just one layer of security. Each virtual account is usually chrooted (actually, I don't think cPanel accounts do that, unless that's changed from the last time I used cPanel). You are running your own sort of virtual server environment. In other words, someone who hacks another person's account generally won't be able to even see your account space.

    To hack into your space, it really needs insecurely written scripts in order to do it. So one thing to be concerned about is any plugin that uploads something. It simply must check that the data it's plomping into your account space is actually what it's supposed to be.

    The topic is too large to discuss here, and I'm not an expert. I've had encounters with some of these issues, though. PHP, MySQL etc. can have their own security flaws. Be sure your webhost is on top of that end. For your end, be careful what you install into WordPress, and keep WordPress up to date. If a hole is discovered, plug it. Worry about these things more than a directory that has permission of 777. But still, change it to 755 if you can.

  11. leMaxim
    Member
    Posted 8 years ago #

    Thank you! I've finally got my answer.

  12. phaertes
    Member
    Posted 7 years ago #

    Something additional: I had my directory set at 777. A few months later I found a number of .php files in the directory that were spewing out spam onto Google. I've had to remove access to this directory... 777 is NOT safe on all servers. 755 didn't work for me. Talk to your host.

  13. whooami
    Member
    Posted 7 years ago #

    "these days, a chmod of 777 is not as risky as it sounds"

    As opposed to what? The olden days when boxes ran on Linux and Apache? Oh wait, that would be the "these days" one.

    That's some very flawed advice you gave above.

  14. Dgold
    Member
    Posted 7 years ago #

    In another thread Macbrink provided this excellent link.

    He said,
    If you have to use 777 you could try to secure your folders with .htaccess
    http://codex.wordpress.org/.htaccess_for_subdirectories
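
    A defender-side check for the situation discussed in posts 10, 12 and 14 (world-writable directories, .php files dropped into them, and .htaccess as a fallback when 777 cannot be avoided), as an added example that is not from any poster or from the Codex. It assumes a POSIX shell, find/chmod (plus find's -maxdepth), and an Apache host that honours .htaccess with 2.2-style access directives; the sample tree and the "dropped" file are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audit a WordPress tree for world-writable
# directories and .php files sitting inside them, re-tighten to 755/644 where
# possible, and, for a directory that must stay 777, deny web requests for .php
# files in it via .htaccess (Apache 2.2-style syntax; host must honour .htaccess).

# Print every path under $1 whose other-write bit is set, sorted.
find_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Print .php files directly inside any world-writable directory under $1.
php_in_world_writable_dirs() {
    find "$1" -type d -perm -002 -print | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php' -print
    done | sort
}

# Reset to the defaults recommended in the thread: directories 755, files 644.
tighten() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# For a directory that has to stay 777: refuse direct requests for .php files so
# a dropped script cannot be executed through the web server.
deny_php_execution() {
    printf '<FilesMatch "\\.php$">\n    Order allow,deny\n    Deny from all\n</FilesMatch>\n' \
        > "$1/.htaccess"
}

# Constructed demo tree: one 777 plugin dir holding a dropped .php, one 755 dir.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/image-headlines" "$d/wp-content/plugins/safe"
    printf '<?php // constructed: file dropped by an attacker\n' > "$d/wp-content/plugins/image-headlines/dropped.php"
    printf '<?php // constructed: legitimate plugin file\n' > "$d/wp-content/plugins/safe/index.php"
    chmod 644 "$d/wp-content/plugins/image-headlines/dropped.php" "$d/wp-content/plugins/safe/index.php"
    chmod 777 "$d/wp-content/plugins/image-headlines"
    chmod 755 "$d/wp-content/plugins/safe"
    printf '%s\n' "$d"
}

# Stand-alone demo run.
root=$(make_demo_tree)
echo "world-writable:"; find_world_writable "$root"
echo "php in world-writable dirs:"; php_in_world_writable_dirs "$root"
deny_php_execution "$root/wp-content/plugins/image-headlines"
tighten "$root"
echo "world-writable after tighten:"; find_world_writable "$root"
```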

  15. whooami
    Member
    Posted 7 years ago #

    I love it when my suggestions end up in the Codex. Apparently I am good for something. :)

  16. ravibangera
    Member
    Posted 7 years ago #

    Hi
