file upload chmod 777 status?

jamontoast

how dangerous is it to have one directory on your server as chmod 777? is the worst that can happen someone uploading a script that wipes just that directory? or if the other directories aren't 777, they shouldn't be affected shuold they? is there any safer way to make a set uploading directory? or is there any way to upload to a non 777 directory?

thanks, i really want to get my uploading script working, i'm just using the standard upload form to:

if (move_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'], $uploaddir . $HTTP_POST_FILES['userfile']['name'])) {
print "File is valid, and was successfully uploaded. Here's some more debugging info:\n";
print_r($HTTP_POST_FILES);
} else {
print "Possible file upload attack! Here's some debugging info:\n";
print_r($HTTP_POST_FILES);
}

straight from the php manual

thanks!

Jam 🙂

coreyp_1

Off the top of my head:

If someone found your directory, they could upload a script, yes, but what they are then capable of accessing is not limited to that particular directory. The script could easily sniff around, accessing other parts of your site, reading php files unparsed (getting database connection passwords, etc.), and even though it may not be able to write to other directories, it would know the full contents of what is stored there.

IMO, it's not a good idea to CHMOD 777 anything, but if it is necessary, make it very, very hidden (like don't put the script that accesses the 777 folder into the directory itself)!

HTH

Moonglobe

try 'chown httpd' ? that might work, setting the directory to be owned by the webserver.