Author |
Message |
dad7732
RavenNuke(tm) Development Team

Joined: Mar 18, 2007
Posts: 1242
|
Posted:
Wed Oct 03, 2007 2:53 pm |
|
Some may not consider this a bug or setup problem but I certainly do.
HTMLNewsletter /archive/ directory requires 777 permissions. Since this is world writeable it's a golden invitation to hacks. I have already had the experience of "doZZer" writing his psybnc files in my 777 directories, especially some of my clients running Gallery. Since chmod these to 755 I haven't had the problems any longer.
My question: is there an alternative to 777 in the /archive/ directory that will still allow the HTMLNewsletter to function properly? I get an error if not 777.
Thanks, Jay |
|
|
|
 |
PHrEEkie
Subject Matter Expert

Joined: Feb 23, 2004
Posts: 358
|
Posted:
Wed Oct 03, 2007 7:42 pm |
|
Couple of things seem reasonable here... Number one, a Newsletter is typically not sent out very often, and secondly, the archive folder only needs to be 777 when the Newsletter is created. Therefore, you should chmod that folder 644 (or whatever) until it is needed. When sending a newsletter, chmod it 777, do your business, and then lock it back down.
That might not be the most elegant solution, but until the author figures out a workaround to needing such permissions for the script to work, this WILL work.
PHrEEk |
_________________ PHP - Breaking your legacy scripts one build at a time. |
|
|
 |
dad7732

|
Posted:
Wed Oct 03, 2007 8:11 pm |
|
It's a solution that was already considered but not feasible as my client runs a stock trade service and a news letter goes out sometimes 2 to 3 times daily and I ain't sittin' by the keyboard waiting chmod/unchmod .... Thanks, Jay |
|
|
|
 |
PHrEEkie

|
Posted:
Wed Oct 03, 2007 8:40 pm |
|
Will the server allow for PHP to chmod from within a script? If so, I can write a quick routine to automatically open and then lock that folder.
PHrEEk |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Wed Oct 03, 2007 9:36 pm |
|
dad7732, I understand what you are saying, and as the author of this module (since 1.1 on), I have wanted to change that for quite some time. But, my time has been pulled elsewhere.
Having a directory as 777 in and of itself is not the root cause problem. There MUST be a hole elsewhere within your site that allows a file upload that is not properly "sanitized" in order for this to be a problem.
Unfortunately, I don't think the directory permission can be changed on the fly. (This is actually a good thing, but doesn't help you.)
Again, unfortunately, this is how the module is currently designed and operating. |
|
|
 |
dad7732

|
Posted:
Thu Oct 04, 2007 4:13 am |
|
With all due respect, actually 777 is the problem, do some Googling. The only places on the server where the psybnc files were uploaded was in the 777 directories only. The problem was taken care of by either uninstalling applications that "required" 777 or employing a workaround such as in the case of the Gallery module where 755 works in the /albums/ directory. Hopefully we can come up with a reasonable workaround in your case, it's a really great module, works quite well .... take care ... Jay |
|
|
|
 |
jakec
Site Admin

Joined: Feb 06, 2006
Posts: 3048
Location: United Kingdom
|
Posted:
Thu Oct 04, 2007 6:02 am |
|
|
|
 |
montego

|
Posted:
Thu Oct 04, 2007 6:44 am |
|
dad7732, with all due respect, 777 is NOT the CAUSE, it is an enabler for another hole to exploit. Nothing more. Nothing less. I am not saying this shouldn't be changed. I am in complete agreement with you because I cannot control what others add to their systems and if you choose to have a module which allows file uploads and you are not 100% certain that they have coded that module correctly to avoid uploads from occurring outside of their directory structure or not cleanse the uploads themselves.
It is on the top of my list for version 1.4 but I am trying to help get the next release of RN out amongst other things... |
|
|
|
 |
dad7732

|
Posted:
Thu Oct 04, 2007 3:24 pm |
|
Apparently I didn't make myself clear enough. Not just any directory permission at 777 is the problem but rather the application itself that provides the exploit as you say. Nuke Gallery is a prime example as it is one of the favorites to exploit with /albums/ set at 777. However, 755 works but only the admin can upload pictures in our case. Ever since we chmod 777 /albums/ we don't have the problem any longer. I'm NOT saying that HTMLNewsletter is exploitable but I begin to break out in the hives when I run across any PHP app that requires 777 ...
Thanks for the input, Jay |
|
|
|
 |
montego

|
Posted:
Thu Oct 04, 2007 7:42 pm |
|
dad7732, hang with me here a minute as this is an interesting thread of discussion. When you said this:
Quote: | in the case of the Gallery module where 755 works in the /albums/ directory |
I should have picked up on the fact that you have 755 working with file uploads using Gallery and on the same web account? Yet, you are saying that 755 does NOT work on the HNL archives directory?
That is odd. I would have expected that 755 is only working for gallery because your host is running PHP with your account user rather than the Apache user (which is usually "nobody"). They can do this by using tools such as PHPSuExec. Do you happen to know what they are using? But, 755, if it allows YOU to upload, and if Gallery really was the culprit before 755, it still would be if YOU can still upload... right?
What is befuddling to me is that this works for Gallery and not HTML Newsletter. What is different between these two we might ask? I mean, there is no way, *nix-wise, that a user other than your account user can place a file in a directory that is 755. That violates all permission rules known to man. lol. The directory must be "write-able" by that particular user.
But, here is what I suspect has really happened from "doZZer" unless you have 100% proof otherwise: I suspect that he/she actually compromised a different account on the same server and because there is a directory with 777 on it, well, that means it may be possible for them to write, copy, etc. files to that directory if they can figure out the path from the other compromised account. This IS possible, I'll grant you that.
You are right. 777 is not preferred. And, like I said earlier, I've wanted to change that for quite some time. So, I guess, in essence, we both agree. But, interesting discussion nonetheless. |
|
|
|
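An added example, not part of any post in this thread or of the HTMLNewsletter module: a shell audit of the point discussed above, namely that the mode a writable directory needs depends on which user PHP runs as relative to the directory's owner and group. It assumes GNU `stat`; the function names and the uid/gid arguments are illustrative.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from HTMLNewsletter.

# least_mode DIR RUN_UID "RUN_GID ..."
# Print the tightest mode that lets a process with RUN_UID and the given
# group IDs create files in DIR, based on DIR's current owner and group.
least_mode() {
    dir=$1; run_uid=$2; run_gids=$3
    info=$(stat -c '%u %g' "$dir") || return 1
    set -- $info
    owner=$1; group=$2
    if [ "$run_uid" = "$owner" ]; then
        echo 755; return 0      # PHP runs as the account user (suEXEC-style)
    fi
    for g in $run_gids; do
        if [ "$g" = "$group" ]; then
            echo 775; return 0  # shared group: group write is enough
        fi
    done
    echo 777                    # only "other" write works; better to fix
}                               # ownership or group than to keep this mode

# world_writable_dirs ROOT
# List directories under ROOT that every local account can write to.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# audit ROOT RUN_UID "RUN_GID ..."
# For each world-writable directory print "<sufficient-mode> <dir>", so any
# line not starting with 777 marks a directory that can be tightened now.
audit() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        printf '%s %s\n' "$(least_mode "$d" "$2" "$3")" "$d"
    done
}
```

Run `audit` against the web root with the uid and gids of the user the web server executes PHP as; a directory reported as 755 or 775 does not need to stay world-writable.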
 |
dad7732

|
Posted:
Thu Oct 04, 2007 8:29 pm |
|
What I have gathered is that the script-kiddie is using a script that first searches out exploitable modules and then looks for any directory used by that module that is 777 and then auto-uploads, again via the script, the files. This only works if the module is exploitable which Gallery is and continues to be regardless of the latest updates. Since HNL isn't exploitable it is reasonable to ascertain that the 777 exploit will not work, for now anyway.
755 does not work in HNL for the /archive/ directory. Only when chmod to 777 does it work.
To answer your doZZer question, no, a user account has not been compromised, that I am 100% sure. Below is a note from my Son who teaches UNIX at the college level:
--------------------------------------------
With gallery, there is a known hole amongst hackers, and they like to use it. One of the problems is that it requires you to make the directory world writeable, which means that anyone can upload to that folder. This is what folder is writeable, you can see it in the permissions:
drwxrwxrwx /path/to/albums 1536 Sep 13 17:13 albums
Anything that has you change the permissions of your folder to rwxrwxrwx is unsafe. Hackers know how to get in and mess with your site. I would recommend finding another option.
---------------------------------------------------------------
So now we wait and see. I'll let you know if we're compromised in my HNL mod. So far there hasn't been anything of concern as the doZZer only uploads an IRC client - psybnc. Google for psybnc and you'll come up with many hits.
Jay |
|
|
|
 |
montego

|
Posted:
Thu Oct 04, 2007 9:00 pm |
|
But, that still does not explain to me how you can upload to Gallery with 755. It makes no sense. Are you changing the directory manually to 777 prior to uploading and then changing it back?
If Gallery is the hole, and if what you say is true from your Son (which I would think the hole would have been patched by now so make sure you are on the latest-and-greatest with that), then having HNL's archives directory as 777 is inviting trouble so to speak. It means they can use GALLERY to exploit the HNL archives directory.
Keep that in mind... |
|
|
|
 |
|