Not sure of the other security issues, but you can run suPHP which runs PHP as a normal user, which then you can assign tight permissions... Eric On Thu, Aug 9, 2012 at 8:48 PM, Lisa Kachold wrote: > Postscript: > > You can use HTEXPLOIT to bypass any .htaccess permissions: > > HTExploit is an open-source tool written in Python that exploits a > weakness in the way that htaccess files can be configured to protect a web > directory with an authentication process. By using this tool anyone would > be able to list the contents of a directory protected this way, bypassing > the authentication process. > > > http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler > > On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold wrote: > >> Hi Keith, >> >> >> On Wed, Aug 8, 2012 at 11:50 AM, keith smith wrote: >> >>> >>> Hi, >>> >>> I need to make a directory writable so WordPress can upload images to >>> the directory. I'm thinking I need to change the group ownership of the >>> directory to Apache with the user remaining the same. In the past I've >>> change the group and ownership to Apache and was blocked from FTP access >>> after that. >>> >>> Any security issues I need to be aware of? Other approaches? >>> >>> Any advice is much welcomed!! Thank you for your help!! >>> >>> ------------------------ >>> Keith Smith >>> >> >> Known Issue: Wordpress asks for a directory location: you set it up as >> 755 and it won't work. >> >> Wordpress works, of course, from PHP and Apache. So in order to allow >> for Apache ftp you would need to make it writable by Apache and other. >> If you change the group writable permissions your ftp breaks (so don't do >> that!): >> >> Here's more on it: >> http://wordpress.org/support/topic/advanced-problem-image-upload >> >> http://wordpress.org/support/topic/151290 >> >> Solution: >> >> You need to use "chmod 777" for uploads to work. >> >> Security Issues: >> >> This is a security risk of course, since there are many spider scrapers >> looking for an open permission directory to be able to write, say a fake >> Phishing Site page for UPS with an email results script. >> >> Solution: (from Wordpress documentation): >> >> Base image directory >> >> The base image directory must be world writable i.e.: chmod 777 >> Base image URL >> >> The URL to the base image directory, the web browser needs to be able to >> see it. >> >> Note that the directory can be protected via .htaccess on apache; check >> your web server documentation for further information on directory >> protection. If this directory has to be publicly accessible, remove >> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We >> only want to store images in this directory and its subdirectories. >> >> On apache you can create the following .htaccess file in your base image >> directory: >> >> >> order deny allow >> deny from all >> >> >> >> >> -- >> (503) 754-4452 Android >> (623) 239-3392 Skype >> (623) 688-3392 Google Voice >> ** >> Safeway.com >> Automation Engineer >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > > > -- > (503) 754-4452 Android > (623) 239-3392 Skype > (623) 688-3392 Google Voice > ** > Safeway.com > Automation Engineer > > > > > > > > > > > > > > > > > --------------------------------------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >