Participant
September 7, 2009
Question

CHMOD 777 - Is This Hosting Setting Insecure?

I am looking at using an off-the-shelf script. The script requires CHMOD 777 settings.

I read variously that such a setting is insecure.

  1. Is this insecure
  2. If so, could someone kindly explain how
  3. If it is insecure, how would such scripts be made secure and still function?

W.


David_Powers
Inspiring
September 7, 2009

chmod 777 is the least secure of all web server settings and should be used as little as possible. A value of 7 means "read, write, and execute". The first digit is for the owner of the file, the second for members of the same group (as defined by the server administrator), and the third is for anyone.

Although 777 is the least secure setting, what usually matters more is the level of security built into the script. A badly written script can do far more damage, even if it has more secure chmod settings.
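Added example (Python; not part of the thread and not taken from any particular script): it decodes a chmod value into the three classes the reply describes and then audits a constructed temporary directory tree for anything writable by "other", which is what the third 7 grants. The 775 alternative shown for the cache directory is an assumption about the hosting setup: it only helps where the web server process runs as a user that belongs to the directory's group.

```python
import os
import stat
import tempfile


def describe_mode(mode):
    """Split a numeric chmod value into the owner / group / other classes.

    Each octal digit is read as r=4, w=2, x=1, so 7 means rwx."""
    classes = ("owner", "group", "other")
    out = {}
    for i, name in enumerate(classes):
        bits = (mode >> (6 - 3 * i)) & 0o7
        out[name] = (("r" if bits & 4 else "-")
                     + ("w" if bits & 2 else "-")
                     + ("x" if bits & 1 else "-"))
    return out


def is_world_writable(path):
    """True if 'other' has write permission (the third digit carries the 2 bit)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False  # symlink modes are not meaningful on most systems
    return bool(st.st_mode & stat.S_IWOTH)


def audit_world_writable(root):
    """Walk a tree and list every entry that any user on the machine can modify."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_world_writable(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Build a constructed web root in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    cache = os.path.join(root, "cache")
    os.mkdir(uploads)
    os.mkdir(cache)
    os.chmod(uploads, 0o777)  # what the off-the-shelf script asks for
    os.chmod(cache, 0o775)    # assumed alternative: web server user is in the group
    config = os.path.join(root, "config.php")
    with open(config, "w") as f:
        f.write("<?php // constructed sample file\n")
    os.chmod(config, 0o666)   # world-writable file: anyone can rewrite the code
    return audit_world_writable(root)


if __name__ == "__main__":
    print(describe_mode(0o777))
    print(demo())
```

Run against a real document root instead of the temp directory, the audit lists exactly the paths where a 777 or 666 setting has leaked "write" to every account on the host, which is the concrete risk behind the reply's "least secure" remark.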

woolfcom (author)
Participant
September 8, 2009

Could you give some concrete examples of what you mean when you say that the script may be badly written.

I am looking for some guidance on what to look out for or questions to pose to a script designer to ensure the integrity of the same.

W

David_Powers
Inspiring
September 9, 2009

> Could you give some concrete examples of what you mean when you say that the script may be badly written.

PHP security is a vast subject, but the most common error is the use of unfiltered user input. Take a look at the following article: http://www.sitepoint.com/article/php-security-blunders/. You'll also find a lot of information by doing a Google search for "PHP security".

The problem with identifying a badly written script is that it might do everything it's meant to, so you remain unaware of potential security loopholes. Unfortunately, security is a moving target. Many people, including myself, were caught out a few years ago by an exploit called "email header injection". It turns an online form into a spam relay by injecting spurious code into the email field of a form. Although I have warned users of this forum about it for several years, I still see people using scripts that are wide open to such exploits.
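Added example (Python standing in for the PHP form handler; not part of the thread and not from any script mentioned in it): the unfiltered-input pattern the reply warns about, beside a hardened version that refuses any email field containing a line break, since a line break is what lets a single field turn into extra mail headers. The form dictionaries and the injected value are constructed test inputs.

```python
import re

# A header value must never contain CR or LF: the mailer treats a line break
# as the end of that header, so anything after it becomes a new header line.
_LINE_BREAK = re.compile(r"[\r\n]")

# Deliberately simple address pattern: no whitespace, exactly one '@'.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjectionError(ValueError):
    """Raised when a form field would add header lines of its own."""


def validate_email(value):
    """Return the address if it is safe to place in a mail header, else raise."""
    if _LINE_BREAK.search(value):
        raise HeaderInjectionError("line break in email field")
    if not _ADDRESS.match(value):
        raise ValueError("not a plausible email address")
    return value


def is_safe_email(value):
    """Convenience wrapper so callers can test without catching exceptions."""
    try:
        validate_email(value)
        return True
    except ValueError:
        return False


def unsafe_headers(form):
    """The pattern the reply warns about: raw form input copied into headers."""
    return "From: " + form["email"] + "\r\nReply-To: " + form["email"] + "\r\n"


def safe_headers(form):
    """Hardened version: the field is validated before it touches a header."""
    sender = validate_email(form.get("email", ""))
    return "From: " + sender + "\r\nReply-To: " + sender + "\r\n"


def header_count(headers):
    """Number of header lines the mailer would see in a CRLF-separated block."""
    return len([line for line in headers.split("\r\n") if line])


# Constructed inputs: a normal submission and one smuggling an extra header line.
NORMAL = {"email": "alice@example.org"}
INJECTED = {"email": "alice@example.org\r\nX-Injected: constructed-test"}

if __name__ == "__main__":
    print(header_count(unsafe_headers(NORMAL)), "headers from a normal form")
    print(header_count(unsafe_headers(INJECTED)), "headers when input is unfiltered")
    print(is_safe_email(INJECTED["email"]), "<- hardened handler accepts it?")
```

The question to put to a script author follows directly from this: does every value that ends up in a mail header, a SQL statement or a file path pass through a check like `validate_email` first, or is it concatenated straight from the form as `unsafe_headers` does? With unfiltered input the injected submission produces four header lines instead of two; the hardened handler rejects it outright.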