• Resolved mosheeshel

    (@mosheeshel)


    My site has been hacked (or a hack was attempted) using the Gallery folder, which requires 755 permissions. They managed to upload executable files to the folder and collected some information by executing them…
    Why does the gallery upload folder require such permissions, and how do I block such future attempts?

    http://wordpress.org/extend/plugins/nextgen-gallery/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter mosheeshel

    (@mosheeshel)

    I’m just adding this found link, not sure this is legit – since it requires a payment, and also I would never attempt using this myself
    http://1337day.org/exploit/description/20352

    The directory and file permissions for a default installation of the plugin appear correct (just re-tested with a fresh install of the current release).

    You can read more about WordPress Security on this codex page http://codex.wordpress.org/Hardening_WordPress which may help explain why the directory (and files) have the permissions you are concerned about.

    Thread Starter mosheeshel

    (@mosheeshel)

    I’m not implying that the plugin is doing something bad, however, requiring execute permissions on files that are supposedly static (images) seems to me unnecessary.
    It is required, because if I disable execution in the directory the images suddenly cease to appear (return 404).
    I might be doing something wrong, but I fail to understand why a directory that should normally contain only images should require an execute permission…
    The link you mention, http://codex.wordpress.org/Hardening_WordPress, only specifies a recommended scheme, and concerning the wp-content folder
    “User-supplied content: intended to be writable by your user account and the web server process.” (no mention of execution)
    And also:
    “Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.”
    Again, if there is a reason for the execution permission, I’d love to know it, and maybe, just maybe, the explanation can provide me with a solution….

    Maybe my initial subject for this thread was too alarmist, and I apologize, I’ve just been attacked one time too many (the hackers, not anyone here), and it was done through the folder created by this plugin, I don’t blame the plugin author for anything, just looking for some help.
    Thanks

    The directory permissions starting from ../wp-content are 755; which means the “User” (you) can read/write/execute, the “Group” can read/execute and “Others” can read/execute.

    Unfortunately the term “execute” is misleading for directories, it is actually referring to being able to access the directory; not being able to “run a script” as the permission allows with files.

    This link may be helpful as well: http://www.thegeekstuff.com/2010/04/unix-file-and-directory-permissions/
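
Added example, not part of the original thread or of the plugin's code: a Python audit of a gallery upload directory that applies the distinction explained in the reply above, accepting 755 on directories but flagging execute bits on files, non-image files such as the `php5.ini` mentioned in this thread, and files whose content does not match their image extension. The function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Magic-byte prefixes for the image types a gallery is expected to hold.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def audit_upload_dir(root):
    """Return sorted (relative_path, issue) pairs for a static image directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                # Directory x only permits traversal, so 755 is fine; flag write.
                if st.st_mode & 0o022:
                    findings.append((rel, "directory writable by group/other"))
                continue
            if not stat.S_ISREG(st.st_mode):
                findings.append((rel, "not a regular file"))
                continue
            if st.st_mode & 0o111:  # on a file, x does mean "may be run"
                findings.append((rel, "file has execute bit"))
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                findings.append((rel, "not an allowed image type"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(8)
            if not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "content does not match extension"))
    return sorted(findings)

def demo():  # constructed sample tree: one clean image, three planted problems
    samples = {"ok.png": (b"\x89PNG\r\n\x1a\n", 0o644),
               "php5.ini": (b"; constructed placeholder\n", 0o644),
               "photo.jpg": (b"<?php /* constructed */ ?>", 0o644),
               "run.gif": (b"GIF89a", 0o755)}
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mode) in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            os.chmod(fh.name, mode)
        return audit_upload_dir(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```
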

    Thread Starter mosheeshel

    (@mosheeshel)

    Looks like I’ve been barking up the wrong tree, 🙁
    I’ll go bury my head somewhere dark, and look for a way to control the permissions of the files created in such a directory…
    Also I’m still trying to figure out how someone managed to upload a php5.ini file into the above directory (I’m assuming he did it using a script in WordPress, though I’m not sure of anything anymore).

    Thread Starter mosheeshel

    (@mosheeshel)

    Anyway, as far as NextGEN Gallery goes, this is apparently not connected, so I’m marking this as resolved

    No worries … we are all protective of our sites and just want to find a resolution to any issue that may arise.

    You might consider looking at your server logs, or perhaps contacting your web host to have them help/investigate. Best of Luck!


The topic ‘Security threat?’ is closed to new replies.