问题
Our website was hacked due the fact a folder had 777 permissions which means people can upload files there and run scripts remotely. However, the folder needs to be 777 as the site got a client feature to crop images, and need to save the cropped images there.
How can I secure this folder and prevent hacking?
Please show me how to do this? Thanks a lot!
回答1:
I would reconsider your design. You should restrict the client to reading and executing (but not writing to) a script that you have written yourself to do the specific task they need. In the script verify that you are operating upon an image file so it can't be used on other files that are not valid images. Do more than just checking the file extension, also check the first several bytes of the file (which for most formats will tell you what it is). File extensions are easily changed.
Never let a user upload their own scripts for execution to your server. Hacking you will be really easy if you do that. If you have "power" users that must be able to do this, create for them their own user account that is sandboxed to their own environment. This way they can't affect other users or your system, and you have non-repudiation on their actions (so if they do something stupid you can hold them accountable), and any security holes they open up will be limited to destroying their files and not yours.
回答2:
CHMOD 777 is inherently unsafe. It's only used to temporarily avoid issues when installing scripts. After installing scripts, you CHMOD it back to something like 755. To secure it, you will have to change the access to something other than wide open.
To have a user crop an image I would recommend a conventional javascript cropper like Jcrop
来源:https://stackoverflow.com/questions/14994975/avoid-hacking-with-folder-has-chmod-is-777