View Full Version : uploading pics without 1777 rights on /tmp
kayjay
03-31-2005, 08:53 PM
Is there a possibility to upload pictures without executable permissions on /tmp
for some reason I have to give /tmp +x permissions to make the upload work.
without execute permissions on /tmp it doesnt work
To be honest I dont want execute permissions on /tmp as it is a security risk
Connie
03-31-2005, 08:57 PM
every upload procedure which is started from a serverside-process first loads the file to some region, for that it is /temp
then the script does some steps, for instance copy one version to the thumbnail-directory, crop that etc.
there will be no change on that behaviour as far as I can see it
and that is no strange special behaviour of PixelPost, how do the others handle this :?:
kayjay
03-31-2005, 10:00 PM
I hoped there was a solution to this problem
one of my domains had been DoSsed last night by using the upload function and executing some script in /tmp as it has 777 permissions.
I understand reading and deleting files / jpg's etc. but why should an image be executable ?
The execute permission on tmp does not mean that images in it are executable. In Unix, the execute permission on directories means that a user can cd to the directory. Making /tmp not executable will not protect you from hacks like the one you saw last night (actually it will to an extent because then no web application will be able to upload anything ;) )
If you are running phpBB, you should look at upgrading it to the latest version. There is a know vulnerability in it very similar to what you are describing. If not, check other web applications you are running and make sure your version of php is patched.
kayjay
04-04-2005, 09:31 AM
Yes, I did some googling about it and I've found out that this is a known overall problem with webservers and uploading.
The only thing I can do is to prevent users like apache to use some binaries like /usr/bin/perl, usr/bin/wget and /usr/bin/lynx which are used to download malicious content and to execure it.
also to use /bin/false as the default shell for the apache user is advised. (/etc/passwd)
mod_security is being advised as well , although I have to do some research about this.
vBulletin® v3.7.3, Copyright ©2000-2013, Jelsoft Enterprises Ltd.