[TYPO3] Fileadmin got hacked

Gilles Deacur tronno22556 at gmail.com
Mon Jan 23 01:36:22 CET 2006


Elmar Hinz wrote:
> 
> 
>>If I set them all to 777, it all works good.
>>
>>If I set them all to 776, it still appears fine.
>>
>>If I set them all to 774, it works.
>>
>>If I set them all to 754, it works.
>>
>>If I set them all to 755, it works.
>>
> 
> 
> In all these cases the group (your server) can change into the directory.
> 
> 
>>If I set them all to 766, it breaks.
>>
> 
> 
> Here it cannot change into the directory. (Even number for group).
> 
> 
> 
>>When I say it works, I mean that it displays in the front end.
>>
>>Right now, I set these to 755 and they are set at myusername:nobody .
>>
>>Is this safe?
> 
> 
> 755 is secure. 750 would be more secure. But with both you can't write to the
> fileadmin by the BE.
> 
> With 775 or 770 you could write. This is also secure, if the server has a good
> configuration. BUT if the server is itself badly configured it may be in these
> cases that other users on the same server can write into your directory by using
> the server.

Starting to understand.

I set it (all 4 folders in question) to 750 and still can see the front 
end and back end.

So I uploaded a picture to a fileadmin folder and it went, but the image 
is overwritten with "no thumb generated!"

I switch it back to 777 and the "no thumb generated!" disappears.


> 
> 
>>I ask because I had it set at 777 before and want to make sure I don't
>>get leeches sucking up my bandwidth again with illegal paypal crud.
>>
> 
> 
> 
> With 777 everybody can write into your directory. That is definitely NOT sure.
> 
> Regards
> 
> Elmar
> 
> 
> 
> 
> 
> - --
> Climate change 2006 is killing people: floods in California, drought and fires
> in Australia, Texas, Sahel, Oklahoma, South Africa. The Bush administration is
> responsible for corruption of the Kyoto Protocol. The US majority is responsible
> to the world for reelection of a convictable [...censored by Echelon...].


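Added example, not part of the original thread: a small Python check that decodes the directory modes tried above into what owner, group and other may do, and walks a tree reporting anything group- or world-writable. The function names are made up for this example, and it assumes, as in the thread, that the web server reaches the files through the group bits.

```python
import os
import stat

CLASSES = (("owner", 6), ("group", 3), ("other", 0))

def directory_access(mode):
    """Decode a directory's octal mode into what each class may do."""
    access = {}
    for who, shift in CLASSES:
        bits = (mode >> shift) & 0o7
        enter = bool(bits & 1)                  # x: cd in, reach files inside
        access[who] = {
            "enter": enter,
            "list": bool(bits & 4),             # r: read the file names
            "write": enter and bool(bits & 2),  # w on a directory needs x as well
        }
    return access

def audit_tree(root):
    """Return sorted (path, mode, problem) tuples for writable entries under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                        # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((path, oct(mode), "group-writable"))
    return sorted(findings)

if __name__ == "__main__":
    # Modes tried in the thread; the web server is assumed to be in the group.
    for mode in (0o777, 0o776, 0o774, 0o754, 0o755, 0o766, 0o750, 0o775, 0o770):
        acc = directory_access(mode)
        print(f"{mode:o}: group enter={acc['group']['enter']} "
              f"group write={acc['group']['write']} "
              f"other write={acc['other']['write']}")
    for finding in audit_tree("."):  # "." is a placeholder; point it at the site root
        print(*finding)
```

A group-writable finding is only a problem when accounts other than your own web server share that group, which is the badly configured shared-host case described above.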
