#1
Hi,

I have a php-script which writes uploaded files into a directory. My php-script gives specific names to the saved files. I found in the directory a file which has a name which could not have been given by the php-script. Could it be that somebody (who is not a user of the operating system) communicates with the operating system (creates files) without using my php-script? Or is it impossible, and I have to search for a mistake in my script?

Thank you!
#2
On Feb 27, 9:43 pm, Fro <showandbesh...@gmail.com> wrote:
> Hi,
>
> I have a php-script which writes uploaded files into a directory. My
> php-script gives a specific names to the saved files. I found in the
> directory a file which has a name which could not be given by the php-
> script. Could it be that somebody (which is not a user of the
> operating system) communicate with the operating system (creates
> files) without the usage of my php-script? Or it is impossible and I
> have to search for a mistake in my script?
>
> Thank you!

I have found one more possible reason for the problem. Maybe it is possible that somebody creates files in my directory using alien scripts (not my php-scripts). I made the directory writable for "nobody" (i.e. for those who communicate with the operating system via the php-server that I use). But I am not the only person who uses this php-server! So, I assume that the php-server can execute php-scripts which were written not by me and which (scripts) write to my directory. Is that possible?
#3
Fro <showandbeshown@gmail.com> wrote:
>
> I have found one more possible reason of the problem. May be it is
> possible that somebody creates files in my directory using alien (not
> my php-scripts). I made a directory to be writable for "nobody" (i.e.
> for those who communicate with the operating system via the php-server
> that I use). But I am not only person who uses this php-server! So, I
> assume that php-server can execute php-scripts which were written not
> by me and which (scripts) writes to my directory. Is that possible?

It's certainly possible, but how would they have found your directory? I would triple-check my own script first to make sure there were no holes before I started looking for zebras.
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
#4
"Fro" <showandbeshown@gmail.com> wrote in message
news:c0cafc32-d170-4ff5-a48e-b751d514e47f@u69g2000hse.googlegroups.com...
> Hi,
>
> I have a php-script which writes uploaded files into a directory. My
> php-script gives a specific names to the saved files. I found in the
> directory a file which has a name which could not be given by the php-
> script. Could it be that somebody (which is not a user of the
> operating system) communicate with the operating system (creates
> files) without the usage of my php-script? Or it is impossible and I
> have to search for a mistake in my script?
>
> Thank you!

Sure, they could hack your server, either just your personal account data or else the entire server. But it's 100 or 1000 times more likely that they breached security through a file upload, if you use a reputable third-party host.
#5
> Sure, they could hack your server, either just your personal account data or
> else the entire server.

You say that they can hack:
1. My server.
2. My personal account data.
3. The entire server.
What do you understand under "personal account data"? The operating system?

To remove "ambiguity" I should say that I do not have "my personal server". I use a hosting which gives a php-server which has many users.

> But it's 100 or 1000 times more likely that they
> breached security through a file upload, if you use a reputable third-party
> host.

It is 100 or 1000 times more likely than what?
#6
Fro wrote:
>> Sure, they could hack your server, either just your personal account data or
>> else the entire server.
> You say that they can hack:
> 1. My server.
> 2. My personal account data.
> 3. The entire server.
> What do you understand under "personal account data"? The operating
> system?
>
> To remove "ambiguity" I should say that I do not have "my personal
> server". I use a hosting which gives a php-server which has many
> users.
>
>> But it's 100 or 1000 times more likely that they
>> breached security through a file upload, if you use a reputable third-party
>> host.
> It is 100 or 1000 times more likely than what?
>

I agree with Mason - it's much more likely your upload script has holes in it than someone hacked your server.

Since you're using a shared host, it's remotely possible that they came in through another site on the same host. But that's unlikely, unless your hosting company has no idea what they're doing and other sites on the host are either hacker sites or don't know what they're doing. But any reputable host will prevent that from happening.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
#7
"Fro" <showandbeshown@gmail.com> wrote in message
news:63c35a49-304b-453a-baa2-306dc56b07a6@h11g2000prf.googlegroups.com...
>
>
>> Sure, they could hack your server, either just your personal account data
>> or
>> else the entire server.
> You say that they can hack:
> 1. My server.
> 2. My personal account data.
> 3. The entire server.
> What do you understand under "personal account data"? The operating
> system?
>
> To remove "ambiguity" I should say that I do not have "my personal
> server". I use a hosting which gives a php-server which has many
> users.
>
>> But it's 100 or 1000 times more likely that they
>> breached security through a file upload, if you use a reputable
>> third-party
>> host.
> It is 100 or 1000 times more likely than what?

It is 100 times more likely that a hacker would break into your site by hacking your file upload software, than by hacking your server some other way. And if it is "some other way", the #1 suspect would be that you compromised your username/password to your account somehow.
#8
But I still think that my script does not have a hole. It is not a matter of belief. It has a simple argumentation (which I have already mentioned). Here is the only place where I call move_uploaded_file:

$uploadfile = $id."_tmp.jpg";
move_uploaded_file($_FILES['user_file']['tmp_name'], $uploadfile);

I think that all files which were uploaded by my script will have _tmp.jpg at the end. There is no way to hack the move_uploaded_file command to upload a file with a name which does not contain _tmp.jpg.

Moreover, I got a response from the company which provides the hosting which I use. I said: "I assume that the php-server can execute php-scripts which were written not by me and which (scripts) write to my directory. Is that possible?"

The answer I got:
----------------------------------------------------
Yes, on servers where PHP runs as an Apache module and .php scripts run under the Apache user nobody this is possible. This is why setting 777 permissions is always a concern from a security standpoint. You may want to consider adding a .htaccess file containing the following line which will prevent phpshell and other PHP scripts from being executed in any world writable (777) folders which do not contain PHP files:

php_flag engine off
--------------------------------------------------

But I do not understand why .htaccess with "php_flag engine off" should . I had it and it has been removed by hackers. Moreover, even if it cannot be removed, it should prevent the execution of php-scripts located in my directory. Is that a problem for hackers? I think no, because they have another directory where they keep and execute their php-scripts. Right?
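The following is an added example and not code from this thread or its participants. It is the kind of hardened replacement for the two-line handler quoted above that the earlier replies ("triple-check my own script first") are asking for, together with a small report on the condition the hosting company described (PHP running as the shared user "nobody" against a 777 directory). The upload directory, the size limit, the allowed types and all function names are assumptions.

```php
<?php
// Added example, not code from the thread. A hardened replacement for the
// two-line upload handler quoted above, plus a report on the shared-host
// condition the hosting company described. UPLOAD_DIR, MAX_BYTES,
// ALLOWED_MIME and the function names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR   = __DIR__ . '/uploads';                        // hypothetical path
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
const MAX_BYTES    = 2 * 1024 * 1024;

/**
 * Describe who can write to $dir and which account this PHP process runs as.
 * With mod_php every site on the box runs as the same user, so a directory
 * with mode o+w is writable by every other customer's scripts, and a guard
 * file such as .htaccess placed there can be deleted by them as well.
 */
function uploadDirReport(string $dir): array
{
    $perms = fileperms($dir);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $dir");
    }
    $runsAs = function_exists('posix_geteuid')
        ? (posix_getpwuid(posix_geteuid())['name'] ?? (string) posix_geteuid())
        : get_current_user();
    return [
        'mode'           => substr(sprintf('%o', $perms), -4),   // e.g. "0777"
        'world_writable' => ($perms & 0002) !== 0,
        'php_runs_as'    => $runsAs,
        'has_htaccess'   => is_file($dir . '/.htaccess'),
    ];
}

/**
 * Store one uploaded image. $file is one entry of $_FILES (the thread uses
 * the field name user_file); $id is the caller's identifier for the upload.
 */
function saveUpload(array $file, string $id): string
{
    // 1. Accept only what PHP itself received through this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file exceeds ' . MAX_BYTES . ' bytes');
    }

    // 2. Whitelist $id before it becomes part of a path. The original
    //    $id."_tmp.jpg" guarantees the suffix but says nothing about what
    //    precedes it, so the destination directory was never pinned down.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) !== 1) {
        throw new InvalidArgumentException('id must be 1-64 chars of [A-Za-z0-9_-]');
    }

    // 3. Choose the extension from the detected content, never from the
    //    client-supplied name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }

    $dest = UPLOAD_DIR . '/' . $id . '_tmp.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    // 4. Stored uploads are data: no execute bit, writable by the owner only.
    chmod($dest, 0644);
    return $dest;
}

// Usage inside the upload endpoint:
// $report = uploadDirReport(UPLOAD_DIR);
// $path   = saveUpload($_FILES['user_file'], $_POST['id'] ?? '');
```

Two points follow from the report function. The `php_flag engine off` line the host suggested only takes effect under mod_php, and only while the .htaccess file exists; in a 777 directory any other script running as the same user can remove it, which matches what the poster observed. The sturdier fix is a directory that is not world-writable (owned by the account the scripts run as, mode 0755 or 0775 with a group the host assigns) or one that sits outside the web root entirely, so that nothing stored there is ever served as code.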