zettageek Posted January 11, 2013 (edited)
https://forums.phpfreaks.com/topic/273030-proper-chmod-for-image-upload-directory/

Greetings All! This is my first post here, so I'd like to extend a big HELLO to everyone! I look forward to learning more about PHP from all the advanced PHP developers who frequent these forums.

I've taken over management of a website that was recently compromised through use of a MULCI shell, as well as SQL injection. I've been working to tidy everything up, and have turned my attention to the image upload directory. Users have the ability to upload images to the website. I believe it could be possible that a user uploaded a PHP script (the MULCI shell) into the image uploads directory, and executed it there to compromise my website.

I talked with a Linux security analyst who recommended that I CHMOD that directory to not allow execution of PHP files. Problem is, I'm not sure what permissions should be set to achieve such action, and this is a Rackspace Cloud Site, so I do NOT have terminal access. I tried setting some of my own CHMOD permissions, but it broke loading of images in the site.

I'm open to any suggestions. Thanks.

Edited January 11, 2013 by zettageek
zettageek (Author) Posted January 11, 2013

A few clarifications: This site is built on top of SMARTY. Not just any users can upload images, they need an admin account first. That being said, I think they got into the admin area through SQL injection, and uploaded the shell through the exploited CMS. (I'm locking the CMS up right now.)

I tried CHMODs 644 and 666 on the image upload directory. Both broke the images on the site from displaying in the browser.
jcbones Posted January 11, 2013

I would go with 755 unless you are assigning FTP users; then use 775, making sure the FTP user is in the proper group.
zettageek (Author) Posted January 11, 2013

Thank you, jcbones. I'll give this a try and get back to you shortly.
requinix Posted January 11, 2013

chmod won't prevent this: changing the directory doesn't matter because it's just the directory, and changing files doesn't matter because they're not executed (literally speaking) (probably). A few options:

* Assuming you're using Apache, use a .htaccess in the folder to 403 anything that isn't an image. You can then look through access logs to find any requests for a file that 403s.

    <FilesMatch "\.(?!gif|jpe?g|png|other file extensions)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

* Or you can serve up non-images as plain text (or something else)

    <FilesMatch "\.(?!gif|jpe?g|png|other file extensions)$">
        ForceType text/plain
    </FilesMatch>

* Other options include fixing the upload script so as to not allow non-images to be uploaded...
zettageek (Author) Posted January 11, 2013

@jcbones The CHMOD change has been applied, and the images are loading correctly. Thanks!

@Gurus I like the idea of 403ing everything that isn't images, so I'll go ahead and apply your first .htaccess solution. I'll let you know how this turns out...

Thanks again for your help, I'll report back shortly.
Christian F. Posted January 11, 2013

Another thing you should do is have the image uploader script verify that it's actually an image. Not just checking the MIME type or the filename, but verifying the contents of the file. This can be done with the imagecreatefrom*() functions.

Putting the files in a folder outside of the folder root, using a PHP script to retrieve the file contents and send it to the browser, is another method you could employ. This way it would be impossible for the attackers to have the file be executed by the web server, not to mention the fact that you wouldn't need to save it with the same name as what your users see. You could easily build some access controls on top of that again, to further benefit from the script.
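The two measures Christian F. describes, content verification with GD and serving the file through a PHP script from a directory the web server never executes, as an added example that is not part of the thread and not code from the site in question. Assumptions: PHP 7 or later with the GD extension, and a hypothetical storage directory /var/www/private_uploads that is writable by PHP and sits outside the document root.

```php
<?php
// Added example (not from the thread): accept an upload only if its bytes
// decode as an image, store it under a server-generated name outside the
// document root, and serve it back through PHP so the web server never
// executes it. UPLOAD_STORE is a hypothetical path for this example.

define('UPLOAD_STORE', '/var/www/private_uploads');

// Image types we are willing to keep, keyed by the constant getimagesize()
// reports, with the extension we will store under and the MIME type to send.
$allowedTypes = array(
    IMAGETYPE_GIF  => array('gif', 'image/gif'),
    IMAGETYPE_JPEG => array('jpg', 'image/jpeg'),
    IMAGETYPE_PNG  => array('png', 'image/png'),
);

/**
 * Validate one entry of $_FILES by its contents, not by its name or the
 * client-supplied MIME type. Returns the stored filename, or false if the
 * file is not a GIF/JPEG/PNG that GD can fully decode.
 */
function storeImageUpload(array $file, array $allowedTypes)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    // getimagesize() inspects the real header: a PHP script or text file
    // fails here no matter what name or Content-Type the browser sent.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowedTypes[$info[2]])) {
        return false;
    }

    // Stricter check: make GD decode the whole file, which rejects files
    // that merely start with a valid image header.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return false;
    }
    imagedestroy($img);

    // Never reuse the uploader's filename: generate a random one and take
    // the extension from the detected type, not from the upload.
    list($ext) = $allowedTypes[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_STORE . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

/**
 * Send a stored image to the browser. The name must match exactly what
 * storeImageUpload() generates, so nothing outside UPLOAD_STORE can be read.
 */
function serveImage($name, array $allowedTypes)
{
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $name)) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    $path = UPLOAD_STORE . '/' . $name;
    if (!is_file($path)) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    $mime = 'application/octet-stream';
    foreach ($allowedTypes as $pair) {
        if ($pair[0] === substr($name, -3)) {
            $mime = $pair[1];
        }
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}

// Usage in the upload handler: $stored = storeImageUpload($_FILES['image'], $allowedTypes);
// Usage in a serving script such as image.php?f=NAME: serveImage(basename($_GET['f']), $allowedTypes);
```

Because the stored file never lives under the document root and is only ever read back by readfile(), a script that slips past the extension check still cannot be invoked as PHP; the random name also stops anyone from guessing the URL of a file they uploaded.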
zettageek (Author) Posted January 11, 2013

@requinix I copied the contents of your .htaccess file into NANO, and saved it as .htaccess. File contents below:

    <FilesMatch "\.(?!gif|jpe?g|png)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

To test and see if the .htaccess file would keep PHP files from running, I wrote the following PHP script and uploaded it into the uploads directory:

    <?php echo 'Script works!'; ?>

Unfortunately, my PHP script is still running in the browser, even though we've chmodded and added the .htaccess. Have I missed something?

@Christian F. I'm looking at implementing something like that, though it may be difficult. The site is massive, and disorganized. It'll be a bit of a challenge, so I wanted to at least disable PHP in that exploited directory as a first step, then work through cleaning the code up.
requinix Posted January 11, 2013

Are you allowed .htaccess files at all? If you're not sure then put random nonsense in there and see if you get a 500 trying to browse anything in the folder.
zettageek (Author) Posted January 11, 2013

> Are you allowed .htaccess files at all? If you're not sure then put random nonsense in there and see if you get a 500 trying to browse anything in the folder.

Yep, if I put a bunch of gibberish in the .htaccess and upload it, everything in that directory 500s. So basically, I need the correct .htaccess configuration for only allowing images. Anyone?

Thanks again, y'all are great!
MDCode Posted January 11, 2013

.htaccess is a little shady for me. But give this a try:

    Order Deny,Allow
    Deny from all
    <FilesMatch "\.(gif|jpe?g|png)$">
        Order Deny,Allow
        Allow from all
    </FilesMatch>

This should allow only access to the specified image extensions
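Why requinix's deny-list pattern let the test script through while MDCode's allow-list works, as an added example that is not part of the thread: Apache evaluates FilesMatch with PCRE, the same engine behind preg_match(), so the patterns can be checked against sample filenames from the command line. The filenames are constructed for the test, and the "fixed" deny-list pattern is my own correction, not one posted in the thread.

```php
<?php
// Added example (not from the thread): run the FilesMatch patterns from this
// thread through preg_match() against constructed filenames and report which
// files Apache would serve under each rule.

$names = array(
    'photo.jpg', 'banner.jpeg', 'logo.PNG', 'anim.gif',
    'shell.php', 'shell.phtml', 'notes.txt', 'index.php.jpg',
);

// 1) The deny-list pattern posted earlier. After "\." the negative lookahead
//    succeeds for "php", but "$" then demands end of string immediately after
//    the dot, so the pattern only matches names that END in a bare dot.
//    Nothing real is ever denied, which is why the test script still ran.
$denyBroken = '/\.(?!gif|jpe?g|png)$/';

// 2) A deny-list pattern that does what was intended (my correction, not from
//    the thread): a final extension that is not one of the image types.
$denyFixed = '/\.(?!(gif|jpe?g|png)$)[^.]*$/';

// 3) MDCode's allow-list pattern: only matching names are opened up by the
//    inner "Allow from all"; everything else stays under "Deny from all".
$allowList = '/\.(gif|jpe?g|png)$/';

/**
 * For each filename, report whether Apache would serve it under each rule.
 * For the deny-list rules a regex match means "blocked"; for the allow-list
 * a match means "served".
 */
function evaluate(array $names, $denyBroken, $denyFixed, $allowList)
{
    $out = array();
    foreach ($names as $n) {
        $out[$n] = array(
            'broken_deny_serves' => !preg_match($denyBroken, $n),
            'fixed_deny_serves'  => !preg_match($denyFixed, $n),
            'allow_list_serves'  => (bool) preg_match($allowList, $n),
        );
    }
    return $out;
}

printf("%-16s %-8s %-8s %-9s\n", 'file', 'broken', 'fixed', 'allowlist');
foreach (evaluate($names, $denyBroken, $denyFixed, $allowList) as $n => $r) {
    printf("%-16s %-8s %-8s %-9s\n", $n,
        $r['broken_deny_serves'] ? 'served' : 'denied',
        $r['fixed_deny_serves']  ? 'served' : 'denied',
        $r['allow_list_serves']  ? 'served' : 'denied');
}
```

Running it shows shell.php, shell.phtml and notes.txt served by the broken pattern but denied by the other two. Two caveats the table also makes visible: the thread's patterns are case-sensitive, so logo.PNG is denied by the allow-list unless the upload script lowercases extensions or the pattern starts with (?i); and every pattern judges only the final extension, so index.php.jpg is served by all three. Whether Apache would also run such a file as PHP depends on how the PHP handler is mapped, which is one more reason to pair the .htaccess with content validation and server-generated filenames in the upload script.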
zettageek (Author) Posted January 14, 2013

Thanks, SocialCloud! I'll give this a try today and let you know if it works.
zettageek (Author) Posted January 15, 2013

> .htaccess is a little shady for me. But give this a try:
>
>     Order Deny,Allow
>     Deny from all
>     <FilesMatch "\.(gif|jpe?g|png)$">
>         Order Deny,Allow
>         Allow from all
>     </FilesMatch>
>
> This should allow only access to the specified image extensions

That solution worked PERFECTLY. Thank you so much for your help. Everyone was so responsive and helpful!