freelance84 Posted January 24, 2012 Share Posted January 24, 2012 I have a scenario in which a folders permissions need to be 777. Obviously this is a huge security hole if there is no proper use of htaccess... I have a htaccess file which prevents scripts from being run if somehow somebody managed to get a script in there. And also the same htaccess file will only allow files of a certain type to be served from the said directory... I then suddenly had a worry.. What if now somebody could now write over the htaccess file... I wrote a test php script which attempted to write over the htaccess file and i got a permissions error: Warning: fopen(/home/***/files/.htaccess) [function.fopen]: failed to open stream: Permission denied in /home/***/config.php on line 59 Although I am assuming from both my internet searches and tests... would somebody please be able to confirm if i am correct in saying: "typically only ftp, sftp, ssh and root users to the server are allowed to overwrite a .htaccess file, thus a rogue script (such as a php script) cannot overwite the .htaccess file" I have built a system which will rely on the htaccess file being secure, and if the said htaccess cannot be secure I must rethink my application design so i would veeerrrrryyyyy vveerryyyyyy much appreciate some / any feedback... Thanks a lot, John Quote Link to comment https://forums.phpfreaks.com/topic/255666-who-can-write-over-a-htaccess-file/ Share on other sites More sharing options...
trq Posted January 24, 2012 Share Posted January 24, 2012 I have a scenario in which a folders permissions need to be 777 There is no such scenario, I suggest you rethink that. What are the permissions on the .htaccess file? Quote Link to comment https://forums.phpfreaks.com/topic/255666-who-can-write-over-a-htaccess-file/#findComment-1310613 Share on other sites More sharing options...
freelance84 Posted January 24, 2012 Author Share Posted January 24, 2012 1 - The permissions on the .htaccess file are 0644 2 - The scenario is this: server1.com: sends basic form data (an instruction) to sever2.com/config.php server2.com/config.php: Upon receipt of instruction will run: $file = '/files/filetoget.ext'; $fh = fopen($file, 'w'); $newFile = file_get_contents("http://www.server1.com/filetoget.ext"); fwrite($fh, $newFile ); fclose($fh); If the permissions of the "files" directory on server2.com is not set to 0777 then the script cannot write the file and returns a permission denied error. However with 0777 it can... So with the "files" set to 0777 i then place a .htaccess into the directory to prevent any scripts from running and to only allow images to be outputted. (I can think of two other routes but both require the scripts knowing somehow the ftp access details of server2 which i am trying to avoid) Quote Link to comment https://forums.phpfreaks.com/topic/255666-who-can-write-over-a-htaccess-file/#findComment-1310651 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.