Status
Not open for further replies.

kcwayland

Customer
Yes, 3 questions in a row... sorry about that. Hopefully after this you won't even see me again :)

The second step of the install is:

2. CHMOD the following folders to 0777
/dbtech/thanks/vbactivity_type

This leaves me some concern about leaving a folder with 777 open. That can just leave us open to attacks. Is this only on install and I can set it back afterwards? OR, if not, is there an optional .htaccess file that I can install to protect the folder from any new files being added that aren't part of the install? For other image folders that have had to have 777 access, I've used the following modification to the .htaccess file.


Code:
# Don't list directory contents
IndexIgnore *
# Disable script execution: route every script extension to the CGI handler, then
# switch CGI execution off, so a dropped .php file is answered with 403 instead of run.
# (AddHandler needs AllowOverride FileInfo and Options needs AllowOverride Options;
# without them Apache answers 500 for everything in the folder.)
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI -Indexes

# Only allow access to this directory if they are coming from your domain; excluding you, your server, Google and any other IPs
# (fill in the xxx placeholders with your own addresses; a request with no Referer header is redirected too)
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx|xxx\.xxx\.xxx\.xxx|66\.249\.)
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.1|localhost) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yourdomain\.com/ [NC]
RewriteRule .* http://yourdomain.com/ [L]

# Secure php.ini and .htaccess
RewriteRule ^(php\.ini|\.htaccess) - [NC,F]

# Block shell uploaders, htshells, and other baddies
# (the keyword lists are matched case-insensitively against the path and the raw query string)
RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR]
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC]
RewriteRule .* - [F]

# Disable hotlinking of images
# (jpe?g rather than jpe?g?, so a bare ".jp" name is not treated as an image)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(jpe?g|png|gif|ico|pdf|flv|swf|gz)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yourdomain\. [NC]
RewriteRule \.(jpe?g|png|gif|ico|pdf|flv|swf|gz)$ - [NC,F]

# Only the following file extensions are allowed
# (Order/Allow/Deny are Apache 2.2 directives; on 2.4 they need mod_access_compat)
Order Allow,Deny
Deny from all
<FilesMatch "\.([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Gg][Zz]|[Pp][Dd][Ff])$">
Allow from all
</FilesMatch>

# Block double extensions from being uploaded or accessed, including htshells
# (this also catches legitimate names with two dots, such as icon.2x.png)
<FilesMatch ".*\.([^.]+)\.([^.]+)$">
Order Deny,Allow
Deny from all
</FilesMatch>

# Only allow GET and POST HTTP methods (HEAD is covered by GET)
<LimitExcept GET POST>
Deny from all
</LimitExcept>
BUT, if I use that code it won't execute your PHP files. Is there a specific .htaccess file that you could provide to enable an enhanced security on that folder? I looked around on the forum already and didn't see it. Thanks!
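The rules in the post above are worth replaying against a few request shapes before trusting them, because several of the keyword entries ("shell", "root", "order", "set") also occur in harmless file names and query strings. The Python below is an added example written for this page; it is not from the original post or from DBTech. It copies the three RewriteCond patterns and the two FilesMatch patterns from the posted .htaccess (the image allow-list is written as `\.(jpe?g|png|gif|gz|pdf)$` with IGNORECASE, requiring the full jpg/jpeg rather than the bare ".jp" the posted character classes also accept), leaves out the REMOTE_ADDR, HTTP_HOST and HTTP_REFERER conditions because they depend on the deployment, and feeds it constructed request paths under the install folder. Apache hands mod_rewrite the query string exactly as the client sent it, percent-encoding included, so the last sample shows the keyword list being sidestepped by encoding a single letter while the extension allow-list still does its job.

```python
"""Replay the posted .htaccess keyword and extension rules against sample requests.

Added example for this page; not from the original post or from DBTech.
The regexes are copied from the posted .htaccess. Left out on purpose: the
REMOTE_ADDR / HTTP_HOST / HTTP_REFERER conditions (deployment-specific).
The request paths and query strings below are constructed for illustration.
"""
import re

# RewriteCond %{REQUEST_URI} ... [NC,OR]  (known web-shell file names)
URI_SHELL_NAMES = re.compile(
    r"((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57"
    r"|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)"
    r"\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml)", re.I)

# RewriteCond %{REQUEST_URI} ... [NC,OR]  (keyword blocklist on the path)
URI_KEYWORDS = re.compile(
    r"(\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query"
    r"|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite"
    r"|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir"
    r"|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open"
    r"|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell"
    r"|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t"
    r"|whoami|xampp)", re.I)

# RewriteCond %{QUERY_STRING} ... [NC]  (keyword blocklist on the raw, undecoded query string)
QUERY_KEYWORDS = re.compile(
    r"(\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat"
    r"|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ"
    r"|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert"
    r"|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig"
    r"|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root"
    r"|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh"
    r"|system|telnet|trojan|truncate|uname|union|unzip|whoami)", re.I)

# <FilesMatch> allow-list. Written with re.I instead of the posted [Jj][Pp]... classes and
# requiring the full jpg/jpeg (the posted optional [Gg]? also accepts a bare ".jp").
ALLOWED_EXT = re.compile(r"\.(jpe?g|png|gif|gz|pdf)$", re.I)

# <FilesMatch ".*\.([^.]+)\.([^.]+)$">  double-extension block
DOUBLE_EXT = re.compile(r".*\.([^.]+)\.([^.]+)$")


def classify(uri, query=""):
    """Return the status a request to the folder would get and why.

    FilesMatch sections run in Apache's access phase and see only the file's
    basename; per-directory RewriteCond/RewriteRule run later, in the fixup
    phase, on the path and the raw query string. Every denial here is a 403.
    (A .php that slipped through would still hit the -ExecCGI handler trick
    and get a 403 at the handler stage; none of the samples reaches that.)
    """
    name = uri.rsplit("/", 1)[-1]
    if not ALLOWED_EXT.search(name):
        return "403: extension not in allow-list"
    if DOUBLE_EXT.match(name):
        return "403: double extension"
    if URI_SHELL_NAMES.search(uri) or URI_KEYWORDS.search(uri) or QUERY_KEYWORDS.search(query):
        return "403: keyword blocklist"
    return "200: served"


# Constructed sample requests against the folder named in the install step.
SAMPLE_REQUESTS = [
    ("/dbtech/thanks/vbactivity_type/button_thanks.png", ""),            # legitimate button image
    ("/dbtech/thanks/vbactivity_type/c99.php", ""),                      # dropped web shell
    ("/dbtech/thanks/vbactivity_type/shell.png", ""),                    # harmless file, unlucky name
    ("/dbtech/thanks/vbactivity_type/icon.2x.png", ""),                  # legitimate, but two dots
    ("/dbtech/thanks/vbactivity_type/button_thanks.png", "order=asc"),   # query keyword false positive
    ("/dbtech/thanks/vbactivity_type/button_thanks.png", "%6Frder=asc"), # same request, one letter encoded
]


def run_samples():
    """Map each constructed request to the outcome the rules give it."""
    return {(uri + "?" + query) if query else uri: classify(uri, query)
            for uri, query in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for request, outcome in run_samples().items():
        print(f"{outcome:35} {request}")
```

What this shows for the folder in question: the extension allow-list and the cgi-script/-ExecCGI pairing are the controls that actually matter, since a dropped .php is never served as PHP. The keyword blocklist mostly costs false positives (a button named shell.png, a two-dot file name, any legitimate `order=` or `set=` parameter) and is sidestepped by trivial encoding, so it is not something to lean on.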
 
The reason why the folder is CHMOD'ed is to support the ability to drop new button files for vBActivity. If you either don't use vBActivity, or would be willing to manually CHMOD it when you add a new button / remove an existing one, it's safe to not have to CHMOD that file.

Additionally, you may not need CHMOD if your PHP process runs under the same username as your FTP.

That being said, we've never heard anything about anyone having run across security breaches as a result of our folders, and I can't guarantee we'll be able to support a super locked down system like that.


I do like that htaccess and I may just end up using it for some of the folders here on DBTech during our next maintenance window :)
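The reply's point about the PHP process user is the whole question: 0777 is only needed when the account that writes the button files is neither the owner of the folder nor in its group. The Python below is an added example for this page, not part of the original thread or of the DBTech add-on. It resolves the PHP user through the local passwd/group database, picks the weakest mode that still lets that user write (0755 when PHP and FTP are the same account, as the reply says; 0775 when they share a group; 0777 only as a last resort, with the chgrp alternative spelled out), and scans a tree for directories that were left world-writable after install. The user name "www-data" and the folder path from the install step are assumptions for a typical Linux host; the demo tree is constructed in a temporary directory.

```python
"""Least-privilege replacement for "chmod 0777" on a folder PHP must write to.

Added example for this page; not from the original thread or the DBTech add-on.
Assumptions: a Linux host, PHP running as the user in PHP_USER ("www-data" here,
check `ps -o user= -C php-fpm` or the apache2/httpd workers on your host), and
the folder path from the install step.
"""
import grp
import os
import pwd
import shutil
import stat
import tempfile

PHP_USER = "www-data"                            # assumption for a typical Debian/Ubuntu host
INSTALL_DIR = "dbtech/thanks/vbactivity_type"    # folder the install step says to chmod 0777


def recommend_mode(dir_uid, dir_gid, php_uid, php_gids):
    """Weakest mode that still lets the PHP process create files in the directory.

    Returns (mode, note). Mirrors the reply: when PHP and FTP are the same
    account no chmod is needed at all, because 0755 already grants owner write.
    """
    if php_uid == dir_uid:
        return 0o755, "PHP runs as the folder owner; 0755 is enough"
    if dir_gid in php_gids:
        return 0o775, "PHP is in the folder's group; 0775 is enough"
    return 0o777, ("PHP is neither owner nor group member; only 0777 works as-is. "
                   "Better: chgrp the folder to the PHP group and use 0775")


def php_process_identity(user):
    """uid plus the full set of gids (primary and supplementary) for a username."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def audit_dir(path, php_user=PHP_USER):
    """Compare a directory's current mode with the least-privilege recommendation."""
    st = os.stat(path)
    php_uid, php_gids = php_process_identity(php_user)
    mode, note = recommend_mode(st.st_uid, st.st_gid, php_uid, php_gids)
    current = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "current": oct(current),
        "recommended": oct(mode),
        "world_writable": bool(current & stat.S_IWOTH),
        "note": note,
    }


def find_world_writable(root):
    """Directories under root with the other-write bit set: the post-install check."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            st = os.lstat(full)                       # lstat: do not follow symlinks
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo_scan():
    """Constructed tree: the install folder left at 0777, a sibling at 0755."""
    root = tempfile.mkdtemp()
    try:
        loose = os.path.join(root, INSTALL_DIR)
        tight = os.path.join(root, "dbtech", "thanks", "images")
        os.makedirs(loose)
        os.makedirs(tight)
        for dirpath, dirnames, _ in os.walk(root):   # normalise modes, independent of umask
            for d in dirnames:
                os.chmod(os.path.join(dirpath, d), 0o755)
        os.chmod(loose, 0o777)
        return find_world_writable(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("world-writable directories in the demo tree:", demo_scan())
    if os.path.isdir(INSTALL_DIR):
        try:
            print(audit_dir(INSTALL_DIR))
        except KeyError:
            print(f"user {PHP_USER!r} not found; set PHP_USER to your PHP worker account")
```

Run it from the forum's document root after install: the scan lists every folder still open to the world, and `audit_dir` tells you whether the 0777 was ever necessary for the account PHP actually runs as.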
 
Legacy Advanced Post Thanks / Like (vBulletin 3.8.x, vBulletin 4.x.x)
Seller: DragonByte Technologies