www writable security risk?
jossif #1
Member since Apr 2007 · 10 posts
Is there a security risk in having dokuwiki directories being writable by www?

I just found a rogue php script in one of these directories (a Russian cpanel script).

-- Jossi
Falkor #2
Member since Apr 2007 · 32 posts
That depends on what you mean by www-writeable.

I can only assume you're using Linux or some form of Unix...

If www-writeable means "world writeable" (e.g. chmod 0777) then it's definitively a security risk.

If www-writeable means "writeable by group/user www", it shouldn't in general be that much of a problem as long as
the only thing running as "www" is your webserver.

Another solution is to make a group that contains the webserver and yourself, so that you can set "chmod 0775" for all pages.
If you don't have root access, this might be a good idea so that you can delete files manually if needed. I've done that myself.

If your wiki is publicly writeable, I'd disable php-includes as well. Let a plugin include php-scripts that you've written yourself instead
(this would probably be a syntax plugin).

//Falkor
purplepaisley #3
Member since May 2006 · 142 posts · Location: UK
Just to add a bit more info, for those who might be in a shared hosting environment as I am. Many php scripts need world writeable directories to run at all. I recently had several accounts running rogue php scripts in world writable directories. Apparently this happened because one of the accounts on the server was hacked and they then gained access to other accounts on the server which had directories with full write permissions. This was solved by deploying php open_basedir, to prevent scripts being able to write outside their own home directory.
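
An audit for the condition discussed in this thread, added here as an example and not posted by any participant: it lists directories with the world-write bit set (the 0777 case), lists `.php` files sitting directly in them for review, and can clear that bit so 0777 becomes the 0775 mentioned above. The function names and the directory passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web tree for world-writable
# directories and for PHP files stored in them.
# Usage (path is a placeholder): sh audit.sh /path/to/wiki [--fix]

# Print every directory under $1 that has the "other: write" bit set,
# e.g. mode 0777 or 0757. -perm -0002 matches on mode bits only, so the
# result does not depend on which user runs the audit.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Print .php files located directly inside a world-writable directory.
# Any account on a shared host could have dropped these, so each one
# needs a manual review. Assumes paths contain no newlines.
php_in_world_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        for f in "$dir"/*.php; do
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Clear only the "other: write" bit on directories (0777 -> 0775).
# Owner and group write access are left as they are, so a web server
# that writes through its user or group keeps working.
drop_world_write() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}

# Run only when a directory is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    echo "World-writable directories:"
    world_writable_dirs "$1"
    echo "PHP files inside them (review each one):"
    php_in_world_writable_dirs "$1"
    if [ "${2:-}" = "--fix" ]; then
        drop_world_write "$1"
        echo "Cleared o+w on the directories listed above."
    fi
fi
```

Clearing the bit does not remove files that were already written; the listed `.php` files still have to be inspected.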