Not sure of the other security issues, but you can run suPHP which runs PHP
as a normal user, which then you can assign tight permissions...
Eric
On Thu, Aug 9, 2012 at 8:48 PM, Lisa Kachold <
lisakachold@obnosis.com>wrote:
> Postscript:
>
> You can use HTEXPLOIT to bypass any .htaccess permissions:
>
> HTExploit is an open-source tool written in Python that exploits a
> weakness in the way that htaccess files can be configured to protect a web
> directory with an authentication process. By using this tool anyone would
> be able to list the contents of a directory protected this way, bypassing
> the authentication process.
>
>
> http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler
>
> On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold <lisakachold@obnosis.com>wrote:
>
>> Hi Keith,
>>
>>
>> On Wed, Aug 8, 2012 at 11:50 AM, keith smith <klsmith2020@yahoo.com>wrote:
>>
>>>
>>> Hi,
>>>
>>> I need to make a directory writable so WordPress can upload images to
>>> the directory. I'm thinking I need to change the group ownership of the
>>> directory to Apache with the user remaining the same. In the past I've
>>> change the group and ownership to Apache and was blocked from FTP access
>>> after that.
>>>
>>> Any security issues I need to be aware of? Other approaches?
>>>
>>> Any advice is much welcomed!! Thank you for your help!!
>>>
>>> ------------------------
>>> Keith Smith
>>>
>>
>> Known Issue: Wordpress asks for a directory location: you set it up as
>> 755 and it won't work.
>>
>> Wordpress works, of course, from PHP and Apache. So in order to allow
>> for Apache ftp you would need to make it writable by Apache and other.
>> If you change the group writable permissions your ftp breaks (so don't do
>> that!):
>>
>> Here's more on it:
>> http://wordpress.org/support/topic/advanced-problem-image-upload
>>
>> http://wordpress.org/support/topic/151290
>>
>> Solution:
>>
>> You need to use "chmod 777" for uploads to work.
>>
>> Security Issues:
>>
>> This is a security risk of course, since there are many spider scrapers
>> looking for an open permission directory to be able to write, say a fake
>> Phishing Site page for UPS with an email results script.
>>
>> Solution: (from Wordpress documentation):
>>
>> Base image directory
>>
>> The base image directory must be world writable i.e.: chmod 777
>> Base image URL
>>
>> The URL to the base image directory, the web browser needs to be able to
>> see it.
>>
>> Note that the directory can be protected via .htaccess on apache; check
>> your web server documentation for further information on directory
>> protection. If this directory has to be publicly accessible, remove
>> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
>> only want to store images in this directory and its subdirectories.
>>
>> On apache you can create the following .htaccess file in your base image
>> directory:
>>
>> <Files ^(*.jpeg|*.jpg|*.png|*.gif)>
>> order deny allow
>> deny from all
>> </Files>
>>
>>
>>
>> --
>> (503) 754-4452 Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> **
>> <http://it-clowns.com>Safeway.com
>> Automation Engineer
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> <http://it-clowns.com>Safeway.com
> Automation Engineer
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)