Re: Making Dir writable by WordPress

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Making Dir writable by WordPress
Postscript:

You can use HTEXPLOIT to bypass any .htaccess permissions:

HTExploit is an open-source tool written in Python that exploits a weakness
in the way that htaccess files can be configured to protect a web directory
with an authentication process. By using this tool anyone would be able to
list the contents of a directory protected this way, bypassing the
authentication process.


http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler

On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold wrote:

> Hi Keith,
>
>
> On Wed, Aug 8, 2012 at 11:50 AM, keith smith wrote:
>
>>
>> Hi,
>>
>> I need to make a directory writable so WordPress can upload images to the
>> directory. I'm thinking I need to change the group ownership of the
>> directory to Apache with the user remaining the same. In the past I've
>> changed the group and ownership to Apache and was blocked from FTP access
>> after that.
>>
>> Any security issues I need to be aware of? Other approaches?
>>
>> Any advice is much welcomed!! Thank you for your help!!
>>
>> ------------------------
>> Keith Smith
>>
>
> Known Issue: Wordpress asks for a directory location: you set it up as
> 755 and it won't work.
>
> WordPress works, of course, from PHP and Apache. So in order to allow for
> Apache ftp you would need to make it writable by Apache and other. If
> you change the group writable permissions your ftp breaks (so don't do
> that!):
>
> Here's more on it:
> http://wordpress.org/support/topic/advanced-problem-image-upload
>
> http://wordpress.org/support/topic/151290
>
> Solution:
>
> You need to use "chmod 777" for uploads to work.
>
> Security Issues:
>
> This is a security risk of course, since there are many spider scrapers
> looking for an open permission directory to be able to write, say a fake
> Phishing Site page for UPS with an email results script.
>
> Solution: (from Wordpress documentation):
>
> Base image directory
>
> The base image directory must be world writable i.e.: chmod 777
> Base image URL
>
> The URL to the base image directory, the web browser needs to be able to
> see it.
>
> Note that the directory can be protected via .htaccess on apache; check
> your web server documentation for further information on directory
> protection. If this directory has to be publicly accessible, remove
> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
> only want to store images in this directory and its subdirectories.
>
> On apache you can create the following .htaccess file in your base image
> directory:
>
> <Files ^(*.jpeg|*.jpg|*.png|*.gif)>
>     order deny,allow
>     deny from all
> </Files>
>
>
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> <http://it-clowns.com>Safeway.com
> Automation Engineer
>

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
<http://it-clowns.com>Safeway.com
Automation Engineer
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
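
As an added example (not part of the original thread or of WordPress's documentation), the Python sketch below audits an upload directory for the conditions discussed above: world-writable directories, an .htaccess that other accounts can replace, and script or non-image files among the uploads. The function name `audit_upload_dir` and the two extension lists are assumptions of this example.

```python
import os
import stat
from pathlib import Path

# Assumed lists for this example; adjust to the handlers your server maps.
SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi", ".py", ".sh"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def audit_upload_dir(root):
    """Walk an upload tree and return sorted (issue, relative_path) findings."""
    root = Path(root)
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix()
        dir_mode = stat.S_IMODE(d.stat().st_mode)
        if dir_mode & stat.S_IWOTH:
            findings.add(("world-writable-dir", rel_dir))
        # Without the sticky bit, any account that can write the directory
        # can delete or replace files in it, including .htaccess.
        dir_open = bool(dir_mode & stat.S_IWOTH) and not dir_mode & stat.S_ISVTX
        for name in files:
            path = d / name
            rel = path.relative_to(root).as_posix()
            mode = stat.S_IMODE(path.lstat().st_mode)
            if name == ".htaccess":
                if dir_open or mode & stat.S_IWOTH:
                    findings.add(("htaccess-replaceable", rel))
                continue
            # Look at every dotted part so "x.php.jpg" is not missed.
            exts = {s.lower() for s in Path(name).suffixes}
            if exts & SCRIPT_EXTS:
                findings.add(("script-in-upload-dir", rel))
            elif Path(name).suffix.lower() not in IMAGE_EXTS:
                findings.add(("non-image-file", rel))
            if mode & 0o111:
                findings.add(("executable-bit-set", rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for issue, rel in audit_upload_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{issue}\t{rel}")
```

Run it against the uploads path (for example from cron) and treat any `script-in-upload-dir` or `htaccess-replaceable` line as something to investigate.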