Yii's assets Directory Security Issue
#1
Posted 21 September 2010 - 10:22 PM
Maybe it is more about server configuration issue rather than Yii's.
With chmod 777, Yii's assets directory is writable by everyone. The problem is, we encountered a security threat. Because the directory is allowed to be written by others, there have been several attempts from outsiders to write a phishing file in it.
Is there any way better to configure assets directory?
FYI, the website is running on a dedicated server (which also runs a mail server, etc.) and the phishing file's owner is apache (in other words, the phishing file is run by a PHP script, CMIIW).
Thanks in advance.
#2
Posted 22 September 2010 - 01:17 AM
#3
Posted 22 September 2010 - 05:40 AM
Having rights of 0777 doesn't mean that someone from outside of your box can write to that directory.
So if you have a shared environment, someone else (or some other app or even your Yii app) on that server seems to write to that directory.
BTW even though you often read that you "need 0777" on your assets folder, this is not quite correct. What you really need is write access for your webserver process. "0777" includes this, as all users now have write access. In my setups I usually do a 0570 (r-xrwx---) and change the group ownership of assets/ to that of the webserver.
But it's up to your sysop to come up with a reasonable permission schema for your box.
This post has been edited by Mike: 15 December 2010 - 04:51 AM
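One way to apply what Mike describes (write access for the webserver's group instead of for everyone) and then verify nothing under assets/ is still world-writable. This is an added example, not code from the thread; the webserver group name is a placeholder you must replace with the group your httpd actually runs as.

```shell
#!/bin/sh
# Added example: group-based write access for Yii's assets/ instead of 0777,
# plus an audit for world-writable entries. Placeholder assumption: the
# second argument is your webserver's group (e.g. apache or www-data).

# Print the number of entries under $1 whose "other" write bit is set.
count_world_writable() {
    # -perm -0002 matches anything that has the o+w bit set
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Give only the webserver group write access to the assets tree.
# Directories: 0570 (owner r-x, group rwx, others ---), as Mike suggests.
# Files: 0460 (owner r--, group rw-). The owner does not need write
# access because Yii's asset manager publishes files as the webserver.
harden_assets_dir() {
    dir=$1
    grp=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chgrp -R "$grp" "$dir" || return 1
    find "$dir" -type d -exec chmod 0570 {} +
    find "$dir" -type f -exec chmod 0460 {} +
    # Succeed only if nothing under $dir is still world-writable.
    [ "$(count_world_writable "$dir")" -eq 0 ]
}

# Typical use on a server (run as the tree's owner or as root):
#   harden_assets_dir /var/www/myapp/assets apache
```

Afterwards, a directory listing should show `dr-xrwx---` with the webserver's group on assets/, and `count_world_writable assets` should print 0.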
#4
Posted 23 September 2010 - 03:57 AM
mdomba, on 22 September 2010 - 01:17 AM, said:
Yes, I know it from the beginning, but the administrator won't give me a damn. Rather than fix the problem, he told me to find a way to resolve the problem by myself.
Mike, on 22 September 2010 - 05:40 AM, said:
Having rights of 0777 doesn't mean that someone from outside of your box can write to that directory.
So if you have a shared environment, someone else (or some other app or even your Yii app) on that server seems to write to that directory.
BTW even though you often read that you "need 0777" on your assets folder, this is not quite correct. What you really need is write access for your webserver process. "0777" includes this, as all users now have write access. In my setups I usually do a 0670 (r-xrwx---) and change the group ownership of assets/ to that of the webserver.
But it's up to your sysop to come up with a reasonable permission schema for your box.
The problem is, the owner of the phishing file is apache itself. So the most likely possibility is that the attacker came in via HTTP, ran a PHP script or uploaded a file, and then wrote the file to the assets directory.
#5
Posted 23 September 2010 - 05:03 AM
And one minor correction to my example above: The right code should be 0570 not 0670.
#6
Posted 26 September 2010 - 08:46 PM
Mike, on 23 September 2010 - 05:03 AM, said:
And one minor correction to my example above: The right code should be 0570 not 0670.
Hi Mike, sorry for the lack of response.
Ah, I never thought of that; surely I will check apache's log.
Thanks.
#7
Posted 22 August 2011 - 12:18 AM
I'm glad to see this post but, when I set assets to 570, I get an error that the dir isn't writable. 755 doesn't work, only 777.
Note - I'm on my VPS with several sites on it. I also installed through a web app installer Softaculous (like Fantastico). I'm already thinking that is the issue. But this raises the question, are these sorts of installs therefore unsecured?
Thanks in advance.
#8
Posted 27 February 2013 - 11:54 AM
If you use Linux:
chmod -R 0755 assets
chown apache:apache -R assets
It will work.
#9
Posted 02 September 2013 - 04:56 AM
How do I restrict these folders from directory listings?
.htaccess with "deny from all" is not working for me.
#10
Posted 03 September 2013 - 03:29 AM
Options -Indexes
You might also need to add
DirectoryIndex None
line.
http://httpd.apache....re.html#options
#11
Posted 03 September 2013 - 06:43 AM