Problems with 777 and PHP permission

Asked

Viewed 182 times

0

I have a problem involving PHP and 777 permission. On my server, there is an uploads folder with permission 777, and a hacker managed to upload a file .php in that folder, which changed everything that was on my server. I would like to know how to do this and how I can avoid this vulnerability.

  • You need to bar the upload by extension. The issue that you cannot allow the upload of a file is . php, . py, etc. Because these files are interpreted by the server when requested. Your upload function needs to be handled to prevent these files from being uploaded.

  • Thank you, you helped me so much so I think that should be because my script is without this filter.

  • For example, if you need to upload photos, then put the filter for files that end with the name (.jpeg, .png, .jpg, .bmp, etc.), otherwise the upload cannot be done.

  • As the hack has already been done advise, change root user name of the database, if you have ssh access, change user name and password.

  • you also work with that permission or you think it is unnecessary?

1 answer

3

Here are some safety tips when working with upload files in php:

  • Store the upload files outside the root directory of your web application. This way the files cannot be accessed directly by the browser.
  • Do not store the upload file with the same name configured in the upload form. Generate a random name and control it in the database.
  • Check that the mime-type of the file matches the type of file you want to upload. Don’t just rely on the file extension or the HTTP Content-type header. For example, if you want to ensure that the upload file is a gif image:

    <?php
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime_type = finfo_file($finfo, "image.gif");
    finfo_close($finfo);
    
    if($mime_type == 'image/gif') {
        // arquivo é gif
    }
    

Browser other questions tagged

You are not signed in. Login or sign up in order to post.