I run a file sharing site, built on Codeigniter, PHP 7.
We recently found one of the files in our www/application/controllers dir was very slightly edited to change a download request for 1 in every 3 Windows users, which pointed them to a malware file instead (which had been uploaded to our server legitimately).
The SSH access is locked down with a private key which only I have.
The dir/file permissions were possibly not great at the time, maybe 755 or even 777.
I'm trying to figure out how a file that isn't in a public directory was edited when I'm fairly confident they couldn't have obtained SSH access.
Are there any known vulnerabilities with CodeIgniter that would allow this?
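As an added example, not part of the question or of any answer on this page, here is a small POSIX shell audit for the two things the question touches on: entries under the application tree that are world-writable (the 755/777 point), and a checksum baseline that flags a controller file whose contents changed after deployment. It assumes Linux with GNU coreutils (find, sha256sum); the paths in the usage comment are assumptions, not the original site's.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a web application tree
# for world-writable entries and for files whose contents changed since a
# recorded baseline. Assumes Linux with GNU coreutils (find, sha256sum).

# Print every entry under $1 that is writable by "other" (mode o+w), sorted.
# Symlinks are skipped because their own mode is always 777.
find_world_writable() {
    find "$1" ! -type l -perm -o+w | sort
}

# Record "sha256  path" for every regular file under $1 into baseline file $2.
# Run this right after a clean deploy and keep $2 outside the web root.
write_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# Compare the tree against baseline $1. Prints MODIFIED/MISSING lines and
# returns 1 if anything changed, 0 if every recorded file still matches.
check_baseline() {
    changed=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            changed=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            changed=1
        fi
    done < "$1"
    return $changed
}

# Print regular files under $2 that do not appear in baseline $1 at all.
# Column 67 onwards of a sha256sum line is the path (64 hex chars + 2 spaces).
find_new_files() {
    find "$2" -type f | sort | while read -r path; do
        cut -c67- "$1" | grep -qxF "$path" || echo "NEW $path"
    done
}

# Usage (assumed paths, not the original site's):
#   write_baseline /var/www/app/application /root/app.sha256   # after deploy
#   find_world_writable /var/www/app/application                # should print nothing
#   check_baseline /root/app.sha256 && echo "application tree unchanged"
#   find_new_files /root/app.sha256 /var/www/app/application
```

Scheduling check_baseline from cron and mailing its output gives an early signal for the kind of silent edit described above; the baseline must be rewritten after every legitimate deploy, otherwise it only reports your own changes.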
I know this has probably been covered in many other places as well, but I have tried many of the things written in other posts, and still no luck.
I am running an Ubuntu VPS with Apache, FTP and PHP.
My goal: Every time I add an image to a folder the image should be accessible for the public. I have tried different chmod-commands but still no luck.
I want each image to have access rights: rwxrwxrwx, but as default when I upload them to the folder through Filezilla they end up with access rights rwx-------.
I hope also I have given enough information. Please comment below if not, and I will provide as fast as possible. (I am kind of new to the game, sorry about that.)
You can change the default permission in your ftp server. I don't know which ftp server you're using? Or you can build a script that changes the permissions and execute this.
Solved
I figured out who the current user was using PHP and managed to set the new directories' owner to be the user the PHP scripts are executed from. However, this was still causing issues as some other commands (used to determine who the current user was) weren't working. This highlighted that the problem was that my PHP distribution was configured to be in safe mode.
I disabled safe mode and the commands provided by Ed Manet allowed me to add/edit/remove the files as desired, without the shortcut of just having everything be 777 permissions.
Thanks for the help!
Original Post
I have a web application that stores some data on the server. This involves creating and removing both directories and files (as well modifying existing files) in PHP. The main problem I'm having is do with the permissions required to perform such actions.
If I set existing files' permissions to 777, then the PHP script can edit them just fine (although I know this isn't an optimal solution as it's insecure). The script can also create and remove directories just fine (when they have 777 permissions at least), but no matter what I do I cannot get the script to create new files.
I've done some searching around and it appears that I need to elevate the PHP "user" to a user that has the required privileges. However, when it comes to server configuration and permissions I'm essentially a beginner. How would I change to a different user to perform the required actions? Is it possible to do this mid-script and use PHP's fopen() and chmod() functions as normal? Or would I have to spawn an entirely new process using a shell command, somehow getting that external program executing with the correct privileges?
To summarise, I need a way of creating, modifying and deleting files/directories in a web server using PHP, by assigning adequate permissions to the files and privileges to the PHP user. I am unsure on how to do this.
Thank you.
What I would do is change ownership of the folder that the PHP has to create files in to the account that runs the PHP process. Then you don't need to open up permissions so much.
So if this is a Linux system and the webserver is run by a user called "apache":
chown -R apache /path/to/the/files
Then change permissions to owner read/write
find /path/to/the/files -type d -exec chmod 755 {} +   # directories keep the execute bit so they stay traversable
find /path/to/the/files -type f -exec chmod 644 {} +   # files: owner read/write, everyone else read
I am working a LAMP web app running on Ubuntu 11.10.
I followed instructions on the web to harden my apache, php and mysql.
I have a PHP script which works fine when I run it from the command line under my own id. But when I put the scripts into the web app framework, it can't even open a log file to write (in /tmp) and it can't read other files in /var/www/myapp/html as well.
I used Ajax to retrieve file contents on the server and then serve those files to the browser. So my url will look like: "php/myphpscript.php?arg=.......".
My directory structure is
/var/www/myapp/html|php|js|cfg.
I know this problem has something to do with permission, security but I am quite at loss.
Can someone describe what I need to do here?
Thanks,
I suspect you copied the files with your username, but apache executes as user www-data and thus has no access to your files. Either change them to belong to the apache user, or if you are the only developer on this machine, change apache to run as you.
This problem occurred to me multiple times now, and it's time for me to do it the right way!
How can I upload a website to the server, where php has access to the folders for writing data.
Usually I use an FTP program, but I can't upload as root, so there are restriction problems all over the place...
How do you do stuff like this?
Thanks!
EDIT
I'm sorry, I accidentally added rails to the tags instead of php.
Probably I need to clarify my problem, since the answers didn't really help me out here:
I already have a server running apache, DirectAdmin and some other stuff like rails.
And the problem is when I upload a website like joomla or wordpress via FTP the restrictions always need to be set to 777/775 or these sites can't write to the folders..
So what I need to know is:
How can I upload these sites (via FTP/SSH) as a user (root) that is the same as php, so that php can create files in all folders it needs to write to?
Hope I'm being more clear now, thanks for the help so far!
Use a server with ssh access and full write access to wherever your Rails app is hosted (and usually ssh access is as the user that Rails runs as).
For me this usually means a VPS type server, I like Rackspace Cloud which turns out to be around $11 - $15 per month for a low traffic, low spec server. I've also heard good things about Linode.
The solution
Upload your site with FTP
SSH to the server and go to the public_html folder
chown -R [user_name]:[group_name] [folder_name]
For me the right user was apache.
When I download a file with curl through php I cannot seem to be able to delete it afterwards through ftp. I can delete it through the php script, but that's not exactly perfect. If the file isn't downloaded via curl, but still via php I can delete the file, it's just ones downloaded via curl that I cannot delete. When I try to run chown() through php on the file it gives me a permissions error. I've tested the same php script on multiple other servers and it works fine there, it's just this particular one it doesn't work on. Maybe it has something to do with php configuration and permissions but I'm not 100% on that.
Sounds like it is saved with the file owner being the user account of the web server. A non-privileged account can't chown to a different user, either, so that explains why chown fails... Try having PHP execute chmod 777 on the file before you delete it.
When you create a file it is usually owned by the Apache user (or whatever app server you use). The FTP user however is not the same one most of the time. You can fix this by adding the FTP user to the Apache group (or the other way around). Sometimes they already share a group (like on many plesk environments) so making files readable and writeable for that shared group may solve the issue.
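The answers above all circle the same fix (give the PHP user ownership, use 755/644 rather than 777, and put the FTP user and the web server in a shared group instead of running chmod 777 before every delete). The following shell script is an added example that pulls those steps together; it is not code from any of the posts. It assumes Linux with GNU coreutils, and the user and group names in the usage comment ("www-data", "ftpdeploy") are placeholders for your own.

```shell
#!/bin/sh
# Added example, not code from any answer above: give the web server's account
# ownership of a site tree, apply conservative modes, and make one data
# directory shared between the web server group and the FTP/deploy user by
# marking it setgid. Assumes Linux with GNU coreutils.

# Directories 755, files 644: readable everywhere, writable only by the owner.
# A recursive "chmod 644" would strip the execute bit from directories and make
# them untraversable, so files and directories are handled separately.
set_base_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Make $1 a shared writable area for group $2: group-writable, never
# world-writable, and setgid on directories so files created by PHP or by the
# FTP user inherit the group. Both sides can then delete each other's files
# without 777 and without chown (which a non-root process cannot do anyway).
set_shared_writable() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Ownership changes need root; skip them otherwise so the script can still be
# run as a normal user to repair modes only.
set_owner() {
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$2" "$1"
    else
        echo "not root: skipping chown of $1 to $2" >&2
    fi
}

# Whole procedure for one site.
# $1 site root, $2 web server user, $3 shared group, $4 directory PHP writes to
setup_site() {
    set_owner "$1" "$2"
    set_base_modes "$1"
    set_shared_writable "$4" "$3"
}

# Octal mode of a path, e.g. "2775" (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Usage (placeholder names; add the FTP user to the web server's group first,
# e.g. "usermod -a -G www-data ftpdeploy"):
#   setup_site /var/www/site www-data www-data /var/www/site/uploads
```

Only the directories PHP actually writes to get the group-writable 2775/664 treatment; the application code stays 755/644 and owned by one account, which is also what makes an unexpected edit to a controller file stand out.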