Author Topic: 4images security problem?  (Read 6620 times)

Offline vibber

  • Pre-Newbie
  • Posts: 8
4images security problem?
« on: May 05, 2002, 07:53:00 PM »
Everywhere I read about PHP and security I am told that setting a dir and the files in it to chmod 777 is a *major* security risk as an attacker can then put any file in the dir and execute it.

4images creates files and dirs that are chmod 777 and it seems very unsafe. Just because the script checks for file types so that no one can upload e.g. a PHP script *via 4images*, what prevents a hacker from finding *another way* in and putting a file inside the media dirs and executing it?

I think it is revealing that through this whole web site, security issues are not discussed at all.
I would like to hear the developer's thoughts (in detail) regarding the security of putting this script on a server.

Offline fredfery

  • Pre-Newbie
  • Posts: 8
    • http://www.webmaster-tools.tv/
Security concern on folders chmod 777
« Reply #1 on: October 04, 2002, 06:36:17 AM »
vibber posted this a while ago. I have some concerns too.
Can we have an answer?
Frederci

vibber Posted: 06.05.2002, 03:53    Post subject: 4images security problem?

--------------------------------------------------------------------------------
 
Everywhere I read about PHP and security I am told that setting a dir and the files in it to chmod 777 is a *major* security risk as an attacker can then put any file in the dir and execute it.

4images creates files and dirs that are chmod 777 and it seems very unsafe. Just because the script checks for file types so that no one can upload e.g. a PHP script *via 4images*, what prevents a hacker from finding *another way* in and putting a file inside the media dirs and executing it?

I think it is revealing that through this whole web site, security issues are not discussed at all.
I would like to hear the developer's thoughts (in detail) regarding the security of putting this script on a server.

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • 4images - Image Gallery Management System
4images security problem?
« Reply #2 on: October 04, 2002, 08:29:15 AM »
See in "includes/constants.php":
Code:
define('CHMOD_FILES', 0666);
define('CHMOD_DIRS', 0777);

Change this if you want. This works for all directories and files created by 4images.

Jan
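
An audit for the two conditions raised in this thread, world-writable entries and script files sitting among the uploads, is sketched below as an added example; it is not code from the thread or from 4images. The `media/1` tree, the file names and the extension list are constructed for illustration, and clearing the world-write bit assumes the web server writes to the tree as its owner or group.

```shell
#!/bin/sh
# Print files and directories under $1 that have the world-write bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Print files under $1 whose extension a PHP-enabled server may execute.
# The extension list is an assumption; match it to the server's handler config.
list_script_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Clear the world-write bit under $1 (0777 -> 0775, 0666 -> 0664).
# Assumes the web server writes as the owner or group of the tree.
drop_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree using the modes from includes/constants.php.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/media/1"
    : > "$root/media/1/photo.jpg"
    : > "$root/media/1/dropped.php"   # constructed stand-in for a planted file
    chmod 0777 "$root/media" "$root/media/1"
    chmod 0666 "$root/media/1/photo.jpg" "$root/media/1/dropped.php"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
echo "world-writable before: $(list_world_writable "$tree/media" | wc -l)"
echo "script files in media: $(list_script_files "$tree/media")"
drop_world_write "$tree/media"
echo "world-writable after:  $(list_world_writable "$tree/media" | wc -l)"
rm -rf "$tree"
```

If the gallery can no longer create files after the world-write bit is cleared, the web server is running as an account outside the tree's owner and group, and that ownership is what needs correcting.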