daviswe
Purpose of this post is to recommend a more secure permission for php and html scripts on our servers.
 
Since Viart code is basically static, and most pages are generated, it seems more secure to block all WRITABLE permissions on the scripts, and allow only READ and EXECUTE permissions.
 
Here's my impression of the current state of one exploit and how it can be stopped by read/execute permissions on static files:
 
The Viart patch to UserUpload.php for multiple file extensions works well to keep the Apache server on your hosting account from processing a malicious file. There is an exploit that takes advantage of the Apache server's ability to ignore the unrecognized ".jpg" extension for a non-image MIME type.
 
When the server sees that the MIME type and the extension are in conflict, the Apache server will start walking back to the second extension "php", and will find that the ".php" extension and MIME type 'image' are proper, and will run the malicious PHP program the hacker has just uploaded. This is a typical file a hacker would upload, after legitimately registering on your site in order to upload a picture:
 
myAvatarPicture.php.jpg
 
So, at this point, the patch prevents the server from running the file via a check to see if there are multiple extensions, and it works to stop the upload.
 
However, the hacker can still place malicious code in your scripts via other methods, which in the above case typically modifies user_upload.php to run a SQL query to replace your PayPal email address with the hacker's address, thereby stealing YOUR money when a customer chooses PayPal (or a similar) payment method and the customer does not realize that they have been sent to a different recipient and proceeds with checkout.
 
My question for Viart is this:
 
I don't think the 644 permission settings are sufficient to protect the PHP scripts in general. Since our scripts are mostly static for php and html, there is no reason for them to have ANY writable permissions. As administrators, we can always edit one legitimately, but to keep the site safe from code injection into our php and html files, what setting would Viart prefer to use?
 
Note that PHP scripts actually don't have to be 'executable' on an Apache server...
 
Ed
Last modified: 3 Dec 2012 2:17 PM
 
Vera
Yes, our patch only prevents uploading files like 'image.php.jpg' to the site. To actually forbid the server from executing such files as PHP scripts, you can try adding the following lines to your .htaccess file:
 
RemoveHandler .php .pht .phtml .php3 .php4 .php5
RemoveType .php .pht .phtml .php3 .php4 .php5
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
 
Sometimes .htaccess does not have enough rights to redefine hosting settings as mentioned above, and then you need to ask your administrator to add the following lines to the Apache configuration:
 
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
 
You can check if it works by creating a file with one line:
<?php phpinfo(); ?>
 
Name it 'test.php.jpg' and upload it to the root of your site via FTP. Then try to open this file in your browser: http://site.com/test.php.jpg
If you see your server configuration information, such as the PHP version number, then it doesn't work. If you don't see anything, then it works.
 
Regards,
ViArt Team
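The two posts above describe the same filename from two sides: how Apache's multiple-extension handling lets 'myAvatarPicture.php.jpg' run as PHP, and how the RemoveHandler / FilesMatch "\.php$" configuration limits execution to names whose last extension is .php. The following Python model is an added example, not code from ViArt or from this thread; it assumes the default handler is mapped to the extension list from the RemoveHandler line above, assumes an image allowlist of jpg/jpeg/png/gif for the upload check, and interprets the 'test.php.jpg' browser check the way the post describes (phpinfo() output visible means the protection is not working).

```python
import os

# Extensions a default "AddHandler application/x-httpd-php ..." line commonly
# covers; taken from the RemoveHandler line in the post above.
PHP_EXTENSIONS = {"php", "pht", "phtml", "php3", "php4", "php5"}
# Assumed allowlist for an avatar/picture upload (not from the original post).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def extensions(filename: str) -> list[str]:
    """Split 'myAvatarPicture.php.jpg' into ['php', 'jpg'] (case preserved)."""
    parts = os.path.basename(filename).split(".")
    return parts[1:] if len(parts) > 1 else []


def default_handler_runs_php(filename: str) -> bool:
    """Model of mod_mime with a global AddHandler mapping: a recognised
    extension anywhere in the name selects the PHP handler, so
    'test.php.jpg' is executed as PHP (extension match is case-insensitive)."""
    return any(ext.lower() in PHP_EXTENSIONS for ext in extensions(filename))


def filesmatch_handler_runs_php(filename: str) -> bool:
    """Model of the hardened config from the post: handler removed for every
    PHP extension and re-attached only via <FilesMatch "\\.php$">, so only a
    name ending in exactly '.php' is executed."""
    exts = extensions(filename)
    return bool(exts) and exts[-1] == "php"


def upload_filename_ok(filename: str) -> bool:
    """Upload-side check in the spirit of the UserUpload.php patch: exactly
    one extension, and it must be an allowed image type."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0].lower() in IMAGE_EXTENSIONS


def server_test_indicates_protected(status: int, body: str) -> bool:
    """Interpret the 'test.php.jpg' check: a 403, or any response that does
    not carry phpinfo() output (its 'PHP Version' header), means the script
    was not executed. Raw source such as '<?php phpinfo(); ?>' also counts
    as not executed."""
    return status == 403 or "PHP Version" not in body


if __name__ == "__main__":
    for name in ("myAvatarPicture.php.jpg", "index.php", "photo.jpg"):
        print(name,
              "default:", default_handler_runs_php(name),
              "filesmatch:", filesmatch_handler_runs_php(name),
              "upload ok:", upload_filename_ok(name))
```

The model only predicts handler selection; it does not reproduce every mod_mime rule, so the browser check from the post remains the authoritative test of a given host.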
 
daviswe
UPDATE: Vera, I made the changes you suggested in the post, and ran the 'http://edsets.com/test.php.jpg' and I got my own '403 Permission Denied' message, and I think that's good enough for me. Obviously the phpinfo() did not run. My site seems to be functioning normally.
--------------------------------original post below-----------------
 
Excellent post, Vera. I'll try that today and see how it goes. I have complete control over my .htaccess and can test it fully.
 
In the realm of business, the attacks will never stop, and having the ability to forbid changes to the PHP via permissions would be a good addition to the server settings you offered in your last post.
 
I can't be sure what is best for settings, but obviously 644 is not sufficient to keep a hacker from writing to one of the boilerplate Viart php or html files!
 
Any thoughts on a mod to the permissions to forbid writing to any static file?
 
Ed
Last modified: 3 Dec 2012 2:31 PM
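For the permissions question raised above (scripts that are static should carry no write bit at all, with an administrator re-enabling writes only for a legitimate edit), here is an added audit-and-lockdown example in Python. It is not ViArt code and not from this thread; it assumes the deployed shop lives under one document root, treats .php and .html files as the static scripts to protect, uses 444 for locked files and 644 for a file temporarily opened for editing, and builds its own throwaway sample directory so it can be run without touching a real site. A write bit only stops a process that is not the file's owner (the owner can chmod it back), so this works best when the scripts are owned by a different account than the one PHP runs as.

```python
import os
import stat
import tempfile
from pathlib import Path

# Script types that are static in a deployed shop (assumption: php and html
# as named in the posts above).
SCRIPT_SUFFIXES = {".php", ".html"}
LOCKED_MODE = 0o444    # r--r--r--  : no write bit for anyone
EDIT_MODE = 0o644      # rw-r--r--  : owner may write while editing
ANY_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def writable_scripts(docroot: str) -> list[str]:
    """List every .php/.html file under docroot that has any write bit set,
    as paths relative to docroot."""
    root = Path(docroot)
    found = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            if path.stat().st_mode & ANY_WRITE:
                found.append(path.relative_to(root).as_posix())
    return sorted(found)


def lock_down_scripts(docroot: str, dry_run: bool = False) -> list[str]:
    """Set every writable script to 444; return the files that were changed."""
    changed = writable_scripts(docroot)
    if not dry_run:
        for rel in changed:
            os.chmod(os.path.join(docroot, rel), LOCKED_MODE)
    return changed


def unlock_for_edit(docroot: str, rel_path: str) -> str:
    """Re-open one script for a legitimate administrator edit (644)."""
    full = os.path.join(docroot, rel_path)
    os.chmod(full, EDIT_MODE)
    return rel_path


def make_demo_docroot() -> str:
    """Constructed sample tree (not a real site): two writable scripts, one
    already locked script, and an image that the audit must ignore."""
    root = tempfile.mkdtemp(prefix="viart_demo_")
    samples = {
        "index.php": 0o644,
        "includes/user_upload.php": 0o666,
        "static/about.html": 0o444,
        "images/avatar.jpg": 0o666,
    }
    for rel, mode in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text("sample\n")
        os.chmod(full, mode)
    return root


def demo() -> dict:
    """Run audit -> lock -> audit -> unlock one file -> audit on the sample tree."""
    root = make_demo_docroot()
    before = writable_scripts(root)
    changed = lock_down_scripts(root)
    after_lock = writable_scripts(root)
    unlock_for_edit(root, "index.php")
    after_unlock = writable_scripts(root)
    return {"before": before, "changed": changed,
            "after_lock": after_lock, "after_unlock": after_unlock}


if __name__ == "__main__":
    for step, files in demo().items():
        print(f"{step:13s} {files}")
```

Run it with `dry_run=True` first on a real document root to see what would change; directories are left alone, since they need their execute bit to be traversed and the point here is the files the web server must never rewrite.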
 
DanielBartsch
The same guy seems to be after me now Ed... he used the email address 'edsetspayment@gmail.com' as one of the email addresses associated with his PayPal account.
 
I tried inserting the code from Vera into my .htaccess and it caused all of my pages to come up showing the actual text of the .php script rather than the web pages themselves. Not sure what went wrong there...