Yii Framework Forum: Yii's assets Directory Security Issue


Yii's assets Directory Security Issue

#1 Suryod

  • Newbie
  • Group: Members
  • Posts: 12
  • Joined: 22-March 10

Posted 21 September 2010 - 10:22 PM

Hi everyone,

Maybe it is more of a server configuration issue than a Yii one.

With chmod 777, Yii's assets directory is writable by everyone. The problem is, we encountered a security threat. Because the directory is allowed to be written by others, there have been several attempts from outsiders to write a phishing file in it.

Is there any better way to configure the assets directory?

FYI, the website is running on a dedicated server (which also runs a mail server, etc.) and the phishing file's owner is apache (in other words, the phishing file is run by a PHP script, CMIIW).

Thanks in advance.

#2 Maurizio Domba Cerin

  • Yii - Yesss It Is !!!
  • Group: Yii Dev Team
  • Posts: 4,341
  • Joined: 12-October 09
  • Location: Croatia

Posted 22 September 2010 - 01:17 AM

The real problem is how that file came to be on your server...
Find more about me.... btw. Do you know your WAN IP?

#3 Mike

  • Elite Member
  • Group: Members
  • Posts: 3,013
  • Joined: 06-October 08
  • Location: Upper Palatinate

Posted 22 September 2010 - 05:40 AM

mdomba is right of course.

Having rights of 0777 doesn't mean someone from outside of your box can write to that directory.

So if you have a shared environment, someone else (or some other app or even your Yii app) on that server seems to write to that directory.

BTW, even though you often read that you "need 0777" on your assets folder, this is not quite correct. What you really need is write access for your webserver process. "0777" includes this, as all users now have write access. In my setups I usually do a 0570 (r-xrwx---) and change the group ownership of assets/ to that of the webserver.

But it's up to your sysop to come up with a reasonable permission schema for your box.

This post has been edited by Mike: 15 December 2010 - 04:51 AM


#4 Suryod

  • Newbie
  • Group: Members
  • Posts: 12
  • Joined: 22-March 10

Posted 23 September 2010 - 03:57 AM

Thanks for the reply.

mdomba, on 22 September 2010 - 01:17 AM, said:

Real problem is how that file has come to be in your server...

Yes, I knew it from the beginning, but the administrator doesn't give a damn. Rather than fix the problem, he told me to find a way to resolve it by myself.

Mike, on 22 September 2010 - 05:40 AM, said:

mdomba is right of course.

Having rights of 0777 doesn't mean someone from outside of your box can write to that directory.

So if you have a shared environment, someone else (or some other app or even your Yii app) on that server seems to write to that directory.

BTW, even though you often read that you "need 0777" on your assets folder, this is not quite correct. What you really need is write access for your webserver process. "0777" includes this, as all users now have write access. In my setups I usually do a 0670 (r-xrwx---) and change the group ownership of assets/ to that of the webserver.

But it's up to your sysop to come up with a reasonable permission schema for your box.


The problem is, the owner of the phishing file is apache itself. So the most likely possibility is that the attacker came via HTTP, ran a PHP script or uploaded a file, then wrote the file to the assets directory.

#5 Mike

  • Elite Member
  • Group: Members
  • Posts: 3,013
  • Joined: 06-October 08
  • Location: Upper Palatinate

Posted 23 September 2010 - 05:03 AM

That's most probably the case. One way to find the vulnerable script: you could check the creation time of that file in assets and check the webserver logs for identical timestamps. Dealing with such security break-ins is a tedious job, so good luck...

And one minor correction to my example above: The right code should be 0570 not 0670.

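Mike's suggestion of matching the dropped file's timestamp against the webserver logs can be scripted. The POSIX sh script below is an added example, not part of the thread: it filters an Apache access log (common or combined format) down to the minute in which the file appeared and tallies which scripts were requested during that minute. The log lines, the IP addresses, the /uploads/form.php path and the 23 September 2010 03:57 timestamp are all constructed for the demonstration, and `file_minute` assumes GNU `date`.

```shell
#!/bin/sh
# Added example (not from the thread): correlate a dropped file's timestamp with
# the Apache access log. All sample data below is constructed.

# file_minute FILE -> the file's modification time in access-log form, e.g.
# 23/Sep/2010:03:57. Assumes GNU date (-r FILE). Unix keeps no creation time;
# `stat FILE` shows both the modify and the inode-change time, try each.
file_minute() {
    date -r "$1" '+%d/%b/%Y:%H:%M'
}

# requests_in_minute LOG MINUTE -> every log line whose timestamp starts with
# MINUTE (field 4 of the common/combined format is "[dd/Mon/yyyy:HH:MM:SS").
requests_in_minute() {
    awk -v m="$2" 'substr($4, 2, length(m)) == m' "$1"
}

# count_requests_in_minute LOG MINUTE -> number of such lines
count_requests_in_minute() {
    requests_in_minute "$1" "$2" | wc -l | tr -d ' '
}

# request_summary_in_minute LOG MINUTE -> "COUNT METHOD PATH", most frequent
# first, so the script that was hit when the file appeared stands out.
request_summary_in_minute() {
    requests_in_minute "$1" "$2" |
        awk '{ key = $6 " " $7; sub(/^"/, "", key); n[key]++ }
             END { for (k in n) print n[k], k }' |
        sort -rn
}

# Constructed sample log standing in for /var/log/httpd/access_log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.23 - - [23/Sep/2010:03:56:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Sep/2010:03:57:02 +0000] "POST /uploads/form.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Sep/2010:03:57:03 +0000] "POST /uploads/form.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Sep/2010:03:57:05 +0000] "GET /assets/3f2a1b/dropped.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.77 - - [23/Sep/2010:03:57:40 +0000] "GET /index.php?r=site/contact HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.77 - - [23/Sep/2010:04:01:10 +0000] "GET /assets/3f2a1b/dropped.html HTTP/1.1" 200 2048 "-" "curl/7.21"
EOF

# On a real box: MINUTE=$(file_minute assets/<hash>/dropped.html)  (placeholder path)
MINUTE='23/Sep/2010:03:57'
echo "Requests logged during $MINUTE:"
requests_in_minute "$SAMPLE_LOG" "$MINUTE"
echo
echo "Summary (count method path):"
request_summary_in_minute "$SAMPLE_LOG" "$MINUTE"
```

The summary puts the script that received the most requests in that minute at the top, which is the one to review first; widen the window (match on the hour instead of the minute) if the file's mtime and the log clock disagree, and remember that a file's mtime can be set by whatever wrote it, so the inode-change time from `stat` is the more trustworthy of the two. This only works while the log covering that day has not been rotated away.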

#6 Suryod

  • Newbie
  • Group: Members
  • Posts: 12
  • Joined: 22-March 10

Posted 26 September 2010 - 08:46 PM

Mike, on 23 September 2010 - 05:03 AM, said:

That's most probably the case. One way to find the vulnerable script: You could check the creation time of that file in assets and check the webserver logs for identical timestamps. Dealing with such security break-ins is a tedious job, so good luck...

And one minor correction to my example above: The right code should be 0570 not 0670.


Hi Mike, sorry for the lack of response.

Ah, I never thought of that; I will surely check apache's log.
Thanks.

#7 jaydabby

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 21-August 11

Posted 22 August 2011 - 12:18 AM

Hello everyone,

I'm glad to see this post but, when I set assets to 570, I get an error that the dir isn't writable. 755 doesn't work, only 777.

Note - I'm on my VPS with several sites on it. I also installed through a web app installer Softaculous (like Fantastico). I'm already thinking that is the issue. But this raises the question, are these sorts of installs therefore unsecured?

Thanks in advance.

#8 kwonder

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 25-April 11

Posted 27 February 2013 - 11:54 AM

Hi,
if you use Linux:

chmod -R 0755 assets
chown -R apache:apache assets

it will be working.
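Mike's 0570-plus-webserver-group scheme (post #3) and kwonder's 0755-plus-apache-owner scheme (post #8) both grant the same thing: write access for the webserver process without opening the directory to every local account. The POSIX sh script below is an added example, not from the thread or from Yii: it simulates the Unix permission check for creating a file in a directory, so the three schemes can be compared for three constructed accounts (apache, deploy, mallory) without touching a real box. The account names and the ownership assumed for each scheme are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the Unix permission check so the
# effect of "0777" vs. "0570 + webserver group" vs. "0755 + apache owner" can be
# seen. User and group names (deploy, apache, mallory) are constructed.

# rwx_of MODE -> symbolic form of the ugo digits, e.g. 0570 -> r-xrwx---
rwx_of() {
    mode=$1
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done   # drop setuid/sticky digit
    out=
    for d in $(printf '%s\n' "$mode" | sed 's/./& /g'); do
        r=-; w=-; x=-
        [ $(( d & 4 )) -ne 0 ] && r=r
        [ $(( d & 2 )) -ne 0 ] && w=w
        [ $(( d & 1 )) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# can_create_in MODE DIR_OWNER DIR_GROUP USER "USER_GROUPS"
# Exit 0 if USER may create a file in the directory: the kernel picks exactly one
# class (owner if the uid matches, else group if any supplementary group matches,
# else other) and creating an entry needs both the w and the x (search) bit.
can_create_in() {
    mode=$1; f_owner=$2; f_group=$3; user=$4; user_groups=$5
    [ "$user" = root ] && return 0              # root bypasses the mode bits
    while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done
    other=${mode#??}; hi=${mode%?}; group=${hi#?}; owner=${hi%?}
    if [ "$user" = "$f_owner" ]; then
        bit=$owner                              # owner class applies, and only it
    else
        bit=$other
        for g in $user_groups; do
            [ "$g" = "$f_group" ] && { bit=$group; break; }
        done
    fi
    [ $(( bit & 3 )) -eq 3 ]
}

# report MODE OWNER GROUP -> one line showing who can drop files into assets/
report() {
    printf '%-5s %-9s owner=%-7s group=%-7s' "$1" "$(rwx_of "$1")" "$2" "$3"
    for entry in apache:apache deploy:deploy mallory:mallory; do
        u=${entry%%:*}; gs=$(printf '%s' "${entry#*:}" | tr ',' ' ')
        if can_create_in "$1" "$2" "$3" "$u" "$gs"; then v=yes; else v=no; fi
        printf ' %s=%s' "$u" "$v"
    done
    printf '\n'
}

echo "mode  symbolic  ownership                    can create files in assets/?"
report 0777 deploy deploy    # what most tutorials say: every local account can write
report 0570 deploy apache    # Mike's scheme: only the webserver group, not even the owner
report 0755 apache apache    # kwonder's scheme: webserver owns it, everyone else read-only
```

`ls -ld assets` and `id apache` (or whatever user the webserver runs as) give the real values to plug in. The simulation ignores POSIX ACLs and SELinux/AppArmor contexts, which can further restrict a directory that the mode bits alone would allow. Note also that neither the 0570 nor the 0755 scheme stops a script running as the webserver user from writing into assets/, which is why the thread's advice to find the script that wrote the phishing file still stands.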

#9 Rajith R

  • Master Member
  • Group: Members
  • Posts: 873
  • Joined: 20-April 11
  • Location: India

Posted 02 September 2013 - 04:56 AM

I have two folders at the same level as protected and assets, named uploads and server.

How do I restrict directory listings for these folders?

.htaccess - "deny from all" is not working for me.
Rajith Ramachandran,
Wiwo inc.
| Mobile: 919995504508

#10 yugene

  • Advanced Member
  • Group: Members
  • Posts: 513
  • Joined: 08-August 09

Posted 03 September 2013 - 03:29 AM

You probably need to use
Options -Indexes


You might also need to add
DirectoryIndex None

line.


http://httpd.apache....re.html#options

#11 Rajith R

  • Master Member
  • Group: Members
  • Posts: 873
  • Joined: 20-April 11
  • Location: India

Posted 03 September 2013 - 06:43 AM

Thank you very much :-)
Rajith Ramachandran,
Wiwo inc.
| Mobile: 919995504508