Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
chmod security issue
hi guys
i want to know setting chmod to 777 within mybb installation isn a security hole
Required – ./inc/settings.php – 666
Required – ./inc/config.php – 666 (install) 444 (after installation)
Required – ./cache/ – 777
Required – ./cache/themes/ – 777
Required – ./uploads/ – 777
Required – ./uploads/avatars/ – 777
Optional – ./admin/backups/ – 777
Optional – ./inc/languages/*language*/*all files*/ – 666
Optional – ./inc/languages/*language*/admin/*all files*/ – 666

other cms arent in this way
isnt it a security hole
(2011-10-20, 01:43 PM)frostschutz Wrote: It says 777 because it's not really possible to reliably determine the minimum chmod setting that will work on any given host, other than trial and error.

If someone can hack your site because you chmodded something 777, then it's the webserver that was insecure. 775 is just as bad in this case as it gives world-readable rights and if people can read your files they can read your database passwords, and if they can read that you are hacked either way.

Security depends 99% on how the server is set up and 1% on the chmod settings you choose within your shared hosting environment. The 1% still deserves some attention of course, in that you should't make files/directories writable without reason.
No longer involved in the MyBB project.
Last time I checked, phpBB and WordPress required me to make some files/folders writable in a similar fashion and I'm fairly sure they're used a lot more than MyBB and it doesn't seem to cause much of an issue. If something doesn't have permission to be written to, it can't be written to, and we need it to be able to be written to, hence the permissions Smile If a lower setting works on your server then you're more than welcome to use that instead but these guidelines are set as they will work on all servers, whereas less permissive permissions won't always work, and giving people a whole list of permissions to try in order of secure-ness just doesn't work, it confuses people. Having something set to 666 or 777 doesn't inherently make it insecure, as frostschutz said, if the fact something was set to 777 played a part it's because they gained access because of a vulnerability somewhere else first and they managed to write something there that shouldn't be there, e.g. uploading a malicious file to a writable folder because the upload script didn't check it; that's the fault of the upload script, not the permissions. That's just an example but you won't get hacked simply because a folder is writable, a hacker still needs a way to write to it.
MyReactions - All Plugins

Can you still feel the butterflies?

Free never tasted like pudding.

Forum Jump:

Users browsing this thread: 1 Guest(s)