Security for Wiki images upload?

Discussion Forum

Forums
>> General Troubleshooting

Subject	Security for Wiki images upload?
Posted by	austicke (DH New User )
Posted on	05/30/05 12:57 PM

This meta.wikimedia.org page about enabling image and file uploads states:

In reply to:
Before you do this, please make sure that your upload directory is configured in a safe manner so it's not possible to upload and execute arbitrary PHP code. Otherwise, someone could upload a PHP file, and might be able to do all sorts of horrible things like delete your entire website. Take a look at Security Guide.

I'd like to enable enable uploads, but what steps do I need to take to avoid problems? Can anyone help?

--
Alec Usticke
alec@usticke.org
www.usticke.org
DreamHost

Subject	Re: Security for Wiki images upload? [re: austicke]
Posted by	ravenoak (DH Familiar)
Posted on	05/30/05 04:00 PM

You need to make sure that the permissions are set so that the proper people have write access while the general public (so to speak) has read access. Very few things need permissions to execute.

Raven Oak

www.ravenoak.net
www.torifest.com
www.6-58.com

Subject	Re: Security for Wiki images upload? [re: ravenoak]
Posted by	austicke (DH New User )
Posted on	05/30/05 04:46 PM

Thanks, ravenoak. Any idea how I do that? :)

--
Alec Usticke
alec@usticke.org
www.usticke.org
DreamHost

Subject	Re: Security for Wiki images upload? [re: austicke]
Posted by	ravenoak (DH Familiar)
Posted on	05/30/05 06:37 PM

You can use shell access (telnet in) to edit the permissions if you know some simple Unix/Linux commands, or if you are using WinSCP to Secure FTP your files in, it allows you to change that right there in the FTP client.

You should probably read this on permissions:
https://panel.dreamhost.com/kbase/index.cgi?area=149&keyword=permissions
(part of the Dreamhost Knowledge Database)
and do a little more looking around the help area mentioned above. Changing permissions can royally f*ck up your site if you don't know what you're doing.
Worst comes to worst, email support and ask for advice on how to approach this. I'd think they'd rather can that email than one that says, "Sorry I messed up my entire account." ;)

Raven Oak

www.ravenoak.net
www.torifest.com
www.6-58.com

Subject	Re: Security for Wiki images upload? [re: austicke]
Posted by	austicke (DH Dreamling)
Posted on	06/05/05 02:22 PM

FYI, I received the following response from support.

In reply to:
To: alec@usticke.org
Subject: Re: [austicke 4607623] Security for Wiki images upload?
From: DreamHost Customer Support Team <support@dreamhost.com>
Date: Sun, 5 Jun 2005 13:59:32 -0700 (PDT)

Hello,

The one click installer sets the correct permissions during the install. Thank you for being aware of potential problems, let us know if theres anything else we can help you with.

Thanks!

--
Alec Usticke
alec@usticke.org
www.usticke.org
DreamHost