Postscript:
You can use HTEXPLOIT to bypass any .htaccess permissions:
HTExploit is an open-source tool written in Python that exploits a weakness
in the way that htaccess files can be configured to protect a web directory
with an authentication process. By using this tool anyone would be able to
list the contents of a directory protected this way, bypassing the
authentication process.
http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler
On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold <
lisakachold@obnosis.com>wrote:
> Hi Keith,
>
>
> On Wed, Aug 8, 2012 at 11:50 AM, keith smith <klsmith2020@yahoo.com>wrote:
>
>>
>> Hi,
>>
>> I need to make a directory writable so WordPress can upload images to the
>> directory. I'm thinking I need to change the group ownership of the
>> directory to Apache with the user remaining the same. In the past I've
>> change the group and ownership to Apache and was blocked from FTP access
>> after that.
>>
>> Any security issues I need to be aware of? Other approaches?
>>
>> Any advice is much welcomed!! Thank you for your help!!
>>
>> ------------------------
>> Keith Smith
>>
>
> Known Issue: Wordpress asks for a directory location: you set it up as
> 755 and it won't work.
>
> Wordpress works, of course, from PHP and Apache. So in order to allow for
> Apache ftp you would need to make it writable by Apache and other. If
> you change the group writable permissions your ftp breaks (so don't do
> that!):
>
> Here's more on it:
> http://wordpress.org/support/topic/advanced-problem-image-upload
>
> http://wordpress.org/support/topic/151290
>
> Solution:
>
> You need to use "chmod 777" for uploads to work.
>
> Security Issues:
>
> This is a security risk of course, since there are many spider scrapers
> looking for an open permission directory to be able to write, say a fake
> Phishing Site page for UPS with an email results script.
>
> Solution: (from Wordpress documentation):
>
> Base image directory
>
> The base image directory must be world writable i.e.: chmod 777
> Base image URL
>
> The URL to the base image directory, the web browser needs to be able to
> see it.
>
> Note that the directory can be protected via .htaccess on apache; check
> your web server documentation for further information on directory
> protection. If this directory has to be publicly accessible, remove
> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
> only want to store images in this directory and its subdirectories.
>
> On apache you can create the following .htaccess file in your base image
> directory:
>
> <Files ^(*.jpeg|*.jpg|*.png|*.gif)>
> order deny allow
> deny from all
> </Files>
>
>
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> <http://it-clowns.com>Safeway.com
> Automation Engineer
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
<
http://it-clowns.com>Safeway.com
Automation Engineer
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)