Bytes | Software Development & Data Engineering Community
does chmod 666 protect against uploaded file attacks?

Suppose I let users login into my control panel and upload files. They
could upload PHP or Python or Perl scripts and take over the web
server. If the PHP code that handles the uploads automatically chmods
them to 666, the files can not be executed. Does that make them safe?

Jul 17 '05 #1
No, this will not make them safe. PHP scripts are interpreted by the web
server-- they don't need to have executable permissions set to run. You
should set a specific set of extensions that you will allow users to upload
and reject any other files.

- Kevin

Jul 17 '05 #2
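An allow-list check of the kind Kevin describes, written as an added example rather than code from the thread: only listed extensions are accepted, the file content is checked against the extension, and the file is stored under a server-generated name. The form field name and the storage directory are assumptions.

```php
<?php
// Added example, not code from the thread. The form field "upload" and the
// storage directory are assumptions; pick ones that match your application.
declare(strict_types=1);

// Allow-list: extension => MIME types the file content must really have.
const ALLOWED = [
    'jpg'  => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],  'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Returns the allowed extension, or null when the upload must be rejected.
// Anything not on the list (.php, .phtml, .pl, .py, .htaccess, ...) is refused
// without having to enumerate what is dangerous.
function allowedExtension(string $originalName, string $tmpPath): ?string
{
    $base = basename($originalName);          // drop any directory part the client sent
    if ($base === '' || !preg_match('/^[A-Za-z0-9_.-]+$/', $base)) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Judge the bytes, not the name: $_FILES[...]['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ALLOWED[$ext], true) ? $ext : null;
}

// Stores a validated upload under a server-generated name and returns its path.
function storeUpload(array $file, string $storageDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = allowedExtension($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Random name carrying only the vetted extension, so the client-chosen name never
    // reaches disk; keep $storageDir outside the web root so nothing there is served.
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // mode is a courtesy: a .php in the web root would run at 0666 too
    return $dest;
}
```

Call it from the handler as `storeUpload($_FILES['upload'], '/var/app/uploads')` (assumed names); a null return means the upload was refused.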
*** In reply to lk******@geocities.com (22 Jan 2005 16:11:38 -0800):
Automatically making files world-writable is a rather peculiar security
system... :-?

About the 'executable' bit, PHP scripts are normally not executable; they
need to be processed through an interpreter. I suppose you could accomplish
it by hacking the Linux kernel, but that's not the usual case.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humour website varnished for the outdoors)
++ Computing questions received by e-mail will go straight to the bin
-+ I'm not a free help desk, please don't e-mail me your questions
--
Jul 17 '05 #3