Hi,
I see these directories and subdirectories in there are 777 by default (I downloaded the full installation package):
_data
local
upload
Especially I freaked on seeing the file local/config/database.inc.php not being only world readable, which would be bad enough, but also world writeable after the installation process! BIG problem!
Please, guys, piwigo looks really nice, but these are the typical php dev fails from the last decade we are really tired of seeing!
If you would like to make the install process easy for users and this is the reason for making such sensitive information world readable and writable, then you are following a wrong path here: it does not make things more simple for users when you leave them with an easy to exploit set of php scripts on their servers!
Alternative would be to add some chmod to the installation routine or at least add some big red instructions on the screen after installation on how to secure their piwigo install.
The current practice of leaving these files world writable is very dangerous and should be changed asap.
Thanks,
John
Offline
Hi GOPIWI,
777 access permissions on these files / folders don't come from the Piwigo package but from a possible misconfiguration of your server. On all my galleries, local/config/database.inc.php is 644 and not 777!
Please, check your hosting settings to fix this.
Offline
I read everywhere it's a security issue but never heard of an exploit based on this
because when you say "the world", it's actually "the server" (and its users), so it's very limited
so before you must be granted as authenticated user by the server, this is where the real security deal is
http://www.simplemachines.org/community … pic=2987.0
I admit it's not ideal, but it's NOT a security problem
Offline
Hi Eric,
Eric wrote:
777 access permissions on these files / folders don't come from the Piwigo package but from a possible misconfiguration of your server. On all my galleries, local/config/database.inc.php is 644 and not 777!
just do this:
wget -O piwigo.zip "http://piwigo.org/download/dlcounter.php?code=latest"
unzip piwigo.zip
ls -l piwigo/local
as you can see, in the distribution package these directories are 777.
Please check, thanks.
Thanks for your attention,
John
Offline
I think Zip doesn't store exec flags
it's 777 because unzip is configured to extract in 777 mode
users with a shared host will always use FTP where chmod is redefined when uploading, users with dedicated servers should know they must define a proper chmod and chown in order to use the software
when using netinstall, files are unzipped by PHP, so if the server is well configured, chmod is 755 for directories and 644 for files
Offline
as already said :
- 777 is not mandatory
- 777 is not a security flaw
Offline
mistic100 wrote:
I think Zip doesn't store exec flags
actually I'm sure Zip doesn't store exec flags, it's dependent on the filesystem
simple example : Windows, there is no chmod/chown on NTFS filesystem
even if Zip would store chmod you should never rely on it, just imagine tomorrow I do myself a release of Piwigo, I only have a Windows system, what would be the chmod for Linux users?
Offline
Hi,
mistic100 wrote:
it's 777 because unzip is configured to extract in 777 mode
how would you configure unzip "to extract in 777 mode" certain directories and others not?
Unzip preserves permissions - as can be seen with the other directories in the distributed zip, which are not 777.
For the "777 not a security problem" - one question for you to meditate about:
why do modern multi-user operating systems have user separation as a built in feature at all?
Hint: shared hosting is a reality. On most linux machines > 1 users / processes are active.
But I certainly do not want to discuss this, I just wanted to indicate that it might be good to double check distributed content and programmatically check permissions at the end of install procedure, like most php developers are doing it nowadays.
Anyway, have a nice day,
John
Offline
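Whether a given zip archive carries Unix permission bits can be read from the archive itself: an entry written by a Unix archiver has "created on" system code 3 and its mode in the upper 16 bits of the external attributes. The Python sketch below is an added example, not part of the thread or of Piwigo's code; the archive is constructed in memory with made-up entries and hand-set modes instead of being downloaded.

```python
import io
import stat
import zipfile

UNIX = 3  # "version made by" host system code for Unix in the zip format


def build_sample_zip():
    """Constructed sample archive: entry names and modes are invented for the demo."""
    entries = [
        ("piwigo/local/", stat.S_IFDIR | 0o777, UNIX),
        ("piwigo/include/", stat.S_IFDIR | 0o755, UNIX),
        ("piwigo/index.php", stat.S_IFREG | 0o644, UNIX),
        ("piwigo/from_windows.php", 0, 0),  # packaged on FAT/NTFS: no Unix mode
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode, system in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = system
            info.external_attr = mode << 16
            zf.writestr(info, b"")
    return buf.getvalue()


def stored_modes(zip_bytes):
    """Return {entry name: permission bits, or None if the archive records none}."""
    modes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            unix_mode = info.external_attr >> 16
            if info.create_system == UNIX and unix_mode:
                modes[info.filename] = stat.S_IMODE(unix_mode)
            else:
                modes[info.filename] = None  # the extracting tool picks the mode
    return modes


def world_writable(modes):
    """Names of entries whose recorded mode grants write access to 'other'."""
    return sorted(n for n, m in modes.items() if m is not None and m & stat.S_IWOTH)


if __name__ == "__main__":
    modes = stored_modes(build_sample_zip())
    for name, mode in modes.items():
        print(name, "no Unix mode" if mode is None else oct(mode))
    print("world-writable in archive:", world_writable(modes))
```

Pointing `stored_modes` at the bytes of a real release archive shows which modes were set at packaging time and which are left to the extracting tool.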
mistic100 wrote:
when using netinstall, files are unzipped by PHP, so if the server is well configured, chmod is 755 for directories and 644 for files
so config files with db access info are still world readable?
Two last questions please:
Are you the person responsible in the piwigo team for packaging of the distributed package?
Do you have some dedicated security person on the team?
Thanks,
John
Offline
... like other CMSs, we didn't invent the wheel
and no one is responsible for anything, just people with different level of access
Pierrick (plg on the forum), the founder, will certainly be happy to discuss that with you. You can contact him
Offline
I am now starting with piwigo and just was about to post on the same issue 3 years later. This is indeed a security issue, I do not want any user with shell access to my server to have write access to these files, this is ridiculous. The same directories are still being packaged as 777 and I think this is a very simple issue to be resolved. Instead of insisting that this is not a security issue, even if you think it is not, wouldn't it be easier just to make sure that these directories are delivered as 644?
Three years after the original poster and I am finding the very same directories with these permissions.
potuz wrote:
wouldn't it be easier just to make sure that these directories are delivered as 644?
And more importantly, files with the mysql passwd should certainly be delivered o-r!
Is this an issue (still), and does it also apply to Piwigo.com?
Offline
Whether this is an issue at all depends entirely on your hosting setup. How piwigo.com handles it you'd have to ask there. Yes, 777 is bad, but note also that there is no "one permission setting fits all" approach, the actual necessary and sufficient permissions are not predictable. See [Forum, post 183419 by erAck in topic 31993] What are the correct permissions for Piwigo files and directories ? and for a chmod approach the post linked there.
Offline
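A post-install permission check of the kind asked for earlier in this thread could look like the following Python sketch (an added example, not Piwigo's code). It walks an installation and reports world-writable entries plus a world-readable local/config/database.inc.php; the temporary tree and its modes are constructed for the demo, and which modes to set instead depends on the hosting setup.

```python
import os
import stat
import tempfile

# Credential file named in the thread, relative to the gallery root.
SENSITIVE = {os.path.join("local", "config", "database.inc.php")}


def audit(root):
    """Return sorted (relative path, octal mode, finding) tuples for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif rel in SENSITIVE and mode & stat.S_IROTH:
                findings.append((rel, oct(mode), "credentials world-readable"))
    return sorted(findings)


def demo():
    """Constructed tree using the directory names listed in the first post."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("_data", "upload", os.path.join("local", "config"), "include"):
            os.makedirs(os.path.join(root, d))
        cfg = os.path.join(root, "local", "config", "database.inc.php")
        open(cfg, "w").close()
        os.chmod(cfg, 0o644)
        for d, m in (("_data", 0o777), ("upload", 0o777), ("local", 0o777),
                     ("include", 0o755), (os.path.join("local", "config"), 0o755)):
            os.chmod(os.path.join(root, d), m)
        return audit(root)


if __name__ == "__main__":
    for rel, mode, finding in demo():
        print(f"{mode:>6}  {finding:<28} {rel}")
```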
Alright, thanks! I will ask at Piwigo.com!
Offline