Yii's assets Directory Security Issue

Hi everyone,

Maybe it is more about server configuration issue rather than Yii’s.

With chmod 777, Yii’s assets directory is writable by everyone. The problem is, we encountered a security threat. Because the directory is allowed to be written by others, there have been several attempts from outsiders to write a phishing file into it.

Is there any better way to configure the assets directory?

FYI, the website is running on a dedicated server (which also runs a mail server, etc.) and the phishing file's owner is apache (in other words, the phishing file is run by a PHP script, CMIIW).

Thanks in advance.

The real problem is how that file came to be on your server…

mdomba is right of course.

Having rights of 0777 doesn’t mean someone from outside of your box can write to that directory.

So if you have a shared environment, someone else (or some other app or even your Yii app) on that server seems to write to that directory.

BTW even though you often read that you "need 0777" on your assets folder, this is not quite correct. What you really need is write access for your webserver process. "0777" includes this, as all users now have write access. In my setups I usually do a 0570 (r-xrwx---) and change the group ownership of assets/ to that of the webserver.

But it’s up to your sysop to come up with a reasonable permission schema for your box.

Thanks for the reply.

Yes, I know it from the beginning, but the administrator won’t give me a damn. Rather than fix the problem, he told me to find a way to resolve the problem by myself.

The problem is, the owner of the phishing file is apache itself. So the biggest possibility is that the attacker came in over HTTP, ran a PHP script or uploaded a file, and then wrote the file to the assets directory.

That’s most probably the case. One way to find the vulnerable script: you could check the creation time of that file in assets and check the webserver logs for identical timestamps. Dealing with such security break-ins is a tedious job, so good luck…

And one minor correction to my example above: The right code should be 0570 not 0670.
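The log correlation Mike suggests, written out as an added example (not code from the thread or from Yii): take the suspicious file's modification time and pull every Apache access-log request within a short window around it. Requests with a body (POST/PUT) shortly before the mtime are the candidates for the script that wrote the file; requests after it show who fetched it. The log lines, IP addresses, request paths and the mtime below are constructed for the demo and are not data from the forum post.

```python
"""Correlate a suspicious file's mtime with Apache access-log entries.

Added example, not from the thread. Sample log lines and the mtime are
constructed; in practice read the file's mtime with file_mtime() and feed
the real access_log lines to requests_near().
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Prefix shared by Apache's "common" and "combined" formats:
# client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_apache_time(ts: str) -> datetime:
    """Parse '12/May/2013:10:15:05 +0000' into a timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = parse_apache_time(entry["ts"])
    return entry


def file_mtime(path: str) -> datetime:
    """Modification time of the suspicious file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(log_lines, when: datetime, window=timedelta(seconds=30)):
    """All parsed requests within +/- window of `when`, oldest first."""
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if entry and abs(entry["time"] - when) <= window:
            hits.append(entry)
    hits.sort(key=lambda e: e["time"])
    return hits


def likely_writers(hits, when: datetime):
    """Subset of `hits` that could have created the file: requests at or
    before the mtime that carry a request body (POST or PUT)."""
    return [
        e for e in hits
        if e["time"] <= when and e["request"].split(" ", 1)[0] in ("POST", "PUT")
    ]


# Constructed sample log (not from the thread); the addresses are from the
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2013:09:58:01 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [12/May/2013:10:15:05 +0000] "POST /index.php?r=site/upload HTTP/1.1" 200 312',
    '203.0.113.9 - - [12/May/2013:10:15:20 +0000] "GET /assets/3a1f/login.html HTTP/1.1" 200 2048',
]
# Constructed stand-in for file_mtime("assets/3a1f/login.html").
SAMPLE_MTIME = datetime(2013, 5, 12, 10, 15, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits = requests_near(SAMPLE_LOG, SAMPLE_MTIME)
    for e in hits:
        print(e["time"].isoformat(), e["client"], e["request"], e["status"])
    for e in likely_writers(hits, SAMPLE_MTIME):
        print("candidate writer:", e["client"], e["request"])
```

Widen `window` if the server's clock and the log rotation make an exact match unlikely; the point is to shrink the log to a handful of requests you can read by hand, and the POST that lands a second or two before the file appears is usually the one to look at.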

Hi Mike, sorry for the lack of response.

Ah, I never thought of that; surely I will check Apache’s logs.

Thanks.

Hello everyone,

I’m glad to see this post but, when I set assets to 570, I get an error that the dir isn’t writable. 755 doesn’t work, only 777.

Note - I’m on my VPS with several sites on it. I also installed through a web app installer Softaculous (like Fantastico). I’m already thinking that is the issue. But this raises the question, are these sorts of installs therefore unsecured?

Thanks in advance.

Hi

If you use Linux:

chmod -R 0755 assets

chown apache:apache -R assets

It will work.
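The two permission recipes in this thread (Mike's 0570 directory owned by the webserver group, and the 0755 plus chown apache:apache above) both come down to the same rule: the web server process needs write access to assets/, and nobody else should. Here is an added shell example, not from the thread or from Yii, that audits a web root for the world-writable entries chmod 777 leaves behind and applies the 0570/group scheme to the assets directory. The web server group name (www-data, apache, ...) is an assumption you must supply for your box.

```shell
#!/bin/sh
# Added example (not from the thread): audit for world-writable entries and
# apply the "owner r-x, web server group rwx, others nothing" scheme.

# Exit 0 if PATH has the "others write" bit set, 1 otherwise.
# Reads the mode string from ls -ld so it works on GNU and BSD userland alike.
world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print every file or directory below ROOT that others may write to.
# On a hardened web root this should print nothing.
list_world_writable() {
    find "$1" -perm -o+w -print
}

# Apply the scheme to the assets directory itself: group ownership to the
# web server's group, mode 0570. Files the web server publishes inside are
# created by the web server user, so they need no change. Requires root, or
# ownership of the directory plus membership of the target group.
harden_assets_dir() {
    dir=$1
    group=$2   # assumption: your web server's group, e.g. www-data or apache
    chgrp "$group" "$dir" && chmod 0570 "$dir"
}

# Usage:
#   list_world_writable /var/www/html             # audit the whole web root
#   harden_assets_dir /var/www/html/assets www-data
```

Run the audit first; if it lists anything outside assets/ (or an uploads/ directory you know about), that is a second place an attacker's file could land. If the web server still reports assets as not writable after hardening, the group you passed is not the one the httpd worker runs as, which is exactly the situation described a few posts later.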

I have two folders at the same level as protected and assets, named uploads and server.

How do I restrict directory listings for these folders?

.htaccess - "deny from all" is not working for me.

You probably need to use

Options -Indexes

You might also need to add the

DirectoryIndex None

line.

http://httpd.apache…re.html#options
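A complete .htaccess for the assets directory, as an added example that is not from the thread or from Yii. It combines the two directives above with a rule that refuses to serve or execute script files dropped into assets/, which is what the phishing file earlier in the thread depended on. Apache 2.4 syntax is assumed (`Require all denied`; on 2.2 it is `Deny from all`), `DirectoryIndex disabled` is the 2.4 spelling of "no index document", the mod_php module name must match the one installed, and the vhost's AllowOverride must permit these directives.

```apache
# .htaccess in <webroot>/assets   (added example, assumes Apache 2.4)

# No directory listings and no fallback index document.
Options -Indexes
DirectoryIndex disabled

# assets/ holds only published CSS, JS and images; nothing in it should run.
# Refuse PHP-like files outright so a file written here cannot be executed.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>

# Belt and braces for mod_php: switch the PHP engine off in this subtree.
# Use the module name matching your install (mod_php5.c, mod_php7.c, mod_php.c).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
```

The same file works for uploads/ and similar directories. A plain "deny from all" breaks the site because the browser can no longer fetch the published CSS and JS; denying only script extensions and listings keeps the static files reachable while removing the directory's value as a place to run code.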

Thank you very much :slight_smile: