Folder permissions


Hans
06-28-2007, 06:30 PM
How should the permissions of all folders be set in Pixelpost? I know that images and thumbnails must be set to 777, but how to set the others? Most others are set to 755, which seems too open? (You may notice I am not an expert.)

BTW, isn't 777 very risky? Can't others change my photos because of that?

Thanks!

Dennis
06-28-2007, 06:51 PM
The best way is to set all folders to 755. Try uploading an image now. If it works, then leave it.

If it doesn't, change both the thumbnails and images folders to 775 and try again. If the file uploads, leave it. If it doesn't, you need 777 on both the thumbnails and images folders.

Please report your findings so we can help you further depending on the outcome.

Hans
06-28-2007, 07:44 PM
Thanks for your suggestions. I first changed the permissions to 755, but was not able to upload images. At 775 it didn't work either. Only 777 works. The same goes for the thumbnails folder.

Is this a security risk or am I too paranoid here?

aat669
06-28-2007, 08:05 PM
Hans, you're not being paranoid. My site was hacked 4 different times in a period of 6 months. I'm now running PP 1.6 (I recommend upgrading if you're running an older version) and I also installed Schonhose's FTP security addon which requires you to enter your password during the upload of your photo, temporarily sets your folder permission to 777 (to enable the upload) then it locks the folder back to 755 after you're finished. I also am careful to go to my Eleven2 Cpanel to double check and make sure my permissions are all set to 755 (secure).

Schonhose will probably remember the nightmare I had in getting my site back online. He and the Eleven folks helped me a lot, so from my experience I suggest doing what you can to make sure you're safe. Hackers completely took over my site each of the 4 times they got in. I'm just lucky that they didn't overwrite (or delete) all of my 300+ photos. :-)

Good luck!
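A small audit script, added here as an example (it is not from the thread and not the FTP add-on's code): it lists the world-writable directories under a Pixelpost install, works out the least permissive mode that still lets the web server account write into an upload folder, and resets everything that is not an upload target to 755. It assumes the install root is passed as the first argument and that you know the account name the web server runs as.

```shell
#!/bin/sh
# Added example, not from the thread or from the FTP add-on: audit a Pixelpost
# install for world-writable directories, explain why an upload folder may need
# more than 755, and tighten everything that is not an upload target.
# Assumes the install root is $1 and the web server account name is known.

# Directories under $1 writable by "other" (mode ending in 2, 3, 6 or 7).
world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Three-digit octal mode of a path (GNU stat, with a BSD/macOS fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner and group of a path, space separated (GNU stat, BSD fallback).
owner_group() {
    stat -c '%U %G' "$1" 2>/dev/null || stat -f '%Su %Sg' "$1"
}

# The web server process, not the FTP login, writes uploads. Print the least
# permissive mode that still lets the account in $2 write into directory $1:
# 755 if that account owns it, 775 if it is in the directory's group, else 777.
upload_dir_mode() {
    set -- "$1" "$2" $(owner_group "$1")
    if [ "$3" = "$2" ]; then echo 755
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$4"; then echo 775
    else echo 777
    fi
}

# Reset every world-writable directory except images/ and thumbnails/ to 755,
# the same lock-down the FTP add-on performs after an upload.
tighten_except_uploads() {
    root=$1
    world_writable_dirs "$root" | while IFS= read -r d; do
        case "$d" in
            "$root"/images|"$root"/thumbnails) continue ;;
        esac
        chmod 755 "$d" && printf 'tightened %s\n' "$d"
    done
}
```

If `upload_dir_mode` reports 755 or 775 for your images folder, the 777 that "only works" is hiding an ownership problem that a chown or group change would fix with less exposure.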

Hans
06-28-2007, 08:24 PM
Thanks for your extensive explanation. I am not very experienced in running websites, and that's exactly why I am concerned. My website is hosted at a professional webhoster; I didn't dare to run it from my home server.

It's good to know other people share my concerns. My photoblog has only been online for a week or so, and so far I have had no trouble. But I am making backups after each major change, just in case...

Thanks also for pointing out Schonhose's FTP add-on. I will immediately install it. Funny, I was checking out Pixelpost add-ons yesterday that might be interesting for me, but completely missed this one.

Dennis
06-28-2007, 08:34 PM
aat669: there is no proof that your problems were caused by Pixelpost. If it was, a lot of other users would have the same problems you're having.

There are a lot of high-profile Pixelpost sites out there attracting more visitors in a day than most of us get in a month. We, as developers, have the current "beta" versions live on our blogs and we have never been hacked.

Please remember that. But nevertheless: try the FTP addon, read the documentation on how to set it up and contact me if you need any help.

Hans
06-28-2007, 08:46 PM
Nothing bad about Pixelpost, I love the software.

I just installed your FTP add-on. When I click the 'Options' tab, my session hangs. Am I doing something wrong?

Hans
06-28-2007, 08:52 PM
I have checked, and it's not the FTP add-on but the 'clickable tags' add-on that I installed at the same time that's causing this.

It says: Line 66, char 5: syntax error.

I removed the clickable tags add-on, Options page works as a charm including the FTP security tab.

GeoS
06-28-2007, 09:01 PM
From my point of view, I know that most successful attacks are caused by misconfigured boxes on which applications are running.
Adding to that bugs in software and unsafe user behaviour, this gives a much better environment for hackers to do their business.

That was a general remark. We are trying to make Pixelpost as safe as possible, but we can't be responsible for mistakes made by others.

aat669
06-28-2007, 09:02 PM
Schon, I didn't say my hack problem was caused by Pixelpost. My post was only to help alert people to a potential security issue surrounding folder permissions. For people like myself who were not aware of the 777 versus 755 permission issue, I think it's only important to point that out. Which is the point for my reply to Hans.

And I'm aware that not everyone has been hacked, but doing a simple search on the forums returns several other people who had the exact problem I had. I won't include the links here, but I did find several that go back as far as Feb 2005. Whether it's a PP problem, host problem, or other, I don't know. That's not for me to say nor did I intend to imply anything in my previous post.

Hans
06-28-2007, 09:12 PM
Whatever is causing the security holes (hardware, software, bad setup etc.) is not important. What is important is to be aware of the risks, and to try to minimize them as much as possible. I am not an HTML, security or Apache pro, which makes it even more important to realise that. For me, that's a reason to host my site with a professional hoster instead of from my home. I tested it, it works from my home, but I just don't have enough experience to make sure everything is safe.

Pixelpost is excellent software. For me, it blew new life into an old hobby.

I just wasn't sure about the folder settings, and my feeling appeared to be correct. Schonhose, thanks a lot for this FTP add-on, it makes me sleep better!

GeoS
06-30-2007, 01:37 PM
My suggestion for devs (hehe, for myself too) is to add a warning somewhere in the admin panel about the risk of using 777 when there is no limitation on where scripts can be executed. To put it more clearly: a hoster can limit the environment of a script to the user's account (using one directive in the config files of the web environment), and when there isn't such a solution and the user has folders with 777 permissions, then there should be a warning.

A few of these PHP environment settings are:
open_basedir
user_dir
upload_tmp_dir
safe_mode_exec_dir
safe_mode_include_dir
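A check for the per-account restrictions listed above, added here as an example (not from the thread): it reads a php.ini-style file, extracts the directives that matter and reports which restriction is missing. It assumes the file is readable (a local php.ini, or the one `php --ini` points at); `safe_mode_exec_dir` and `safe_mode_include_dir` are reported as obsolete because safe_mode was removed in PHP 5.4.

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini-style file for the
# environment restrictions a hoster can use to confine scripts to one account.
# Assumes $1 is a readable php.ini (constructed in the test below).

# Print the value of directive $2 in file $1 (last occurrence wins, as in PHP).
# Commented-out lines (";open_basedir = ...") do not match because the line
# must start with the directive name; trailing comments and quotes are removed.
php_ini_value() {
    sed -n -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*;.*$//' \
              -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# Report MISSING for restrictions that should be set when a user may end up
# with 777 folders, OK for those present, and OBSOLETE for safe_mode_* which
# PHP 5.4 dropped. Returns non-zero when any required restriction is missing.
audit_php_ini() {
    f=$1
    rc=0
    for d in open_basedir upload_tmp_dir; do
        v=$(php_ini_value "$f" "$d")
        if [ -z "$v" ]; then
            printf 'MISSING %s\n' "$d"
            rc=1
        else
            printf 'OK %s=%s\n' "$d" "$v"
        fi
    done
    for d in safe_mode_exec_dir safe_mode_include_dir; do
        if [ -n "$(php_ini_value "$f" "$d")" ]; then
            printf 'OBSOLETE %s (safe_mode was removed in PHP 5.4)\n' "$d"
        fi
    done
    return $rc
}
```

On shared hosting the effective values are what `php -i` shows for the account, so compare that output with what the global file promises before relying on `open_basedir` as a safety net for a 777 folder.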