Results 1 to 10 of 23

Hybrid View

  1. #1
    Join Date
    Oct 2008
    Location
    newcastle upon tyne (UK)
    Posts
    876
    Plugin Contributions
    2

    Default Re: Image Handler 2 Security issue?

    Quote Originally Posted by DrByte View Post
    McShane, the "777" is better interpreted as "writable". Back when IH2 was written, "777" was pretty much the only option that would work since PHP was typically configured to run in a way that required that in order to work. Nowadays "755" works for a growing number of server configurations.

    The issue is not specific to IH2.

    The bmz_cache folder needs to be "writable" by PHP because it's a PHP script that creates the files that get inserted into the bmz_cache folders and subfolders when it auto-sizes and/or watermarks the images it creates on-the-fly. If the folders aren't writable, it can't do its job, and thus the addon would be useless.

    If *your* unique webserver setup allows lower permissions to still treat the files/folders as writable, then *you* can simply leave those files/folders at that level that works for you. Many hosts are now using a form of PHP running under CGI or suPHP which means "755" is sufficient to make the files/folders writable, without requiring them to be "777" they way other PHP configurations do.

    The same principles apply to all PHP scripts, including addons and ZC core: a "writable" file is determined by the way the server and filesystem are configured.

    So, yes, in the case of IH2 the specified folders need to be writable ... whatever that means for YOUR unique hosting configuration. Whether 777 or 755 or whatever.


    Got it?
    correct me if i am wrong.. i think you are saying
    777 is bad... all mods that use 777 is bad... bad as in a naught fella can put naughty files in 777 folders...

    so, as IH2 is creating 777 folders this can cause a weakness on a server that uses it??

  2. #2
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Image Handler 2 Security issue?

    Quote Originally Posted by Shane78 View Post
    correct me if i am wrong.. i think you are saying
    777 is bad... all mods that use 777 is bad... bad as in a naught fella can put naughty files in 777 folders...

    so, as IH2 is creating 777 folders this can cause a weakness on a server that uses it??
    No, I didn't say that.

    Some mods, including some of the most popular ones, require "writable" folders. That's not necessarily bad. Even Zen Cart itself requires some writable files/folders for normal operation such as the admin uploading product images, and so on. There's nothing wrong with a mod requiring writable files/folders if there's good reason for it. Granted, where possible that should be avoided, but it's not a reason to call it naughty.

    In the case of your fears, what's bad is using a hosting service that requires "777" in order to make the file/folder "writable by Apache/PHP" instead of being able to use a lower permission level to accomplish the same thing.

    I'm not sure why you're bent on declaring all mods bad for some reason.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Oct 2008
    Location
    newcastle upon tyne (UK)
    Posts
    876
    Plugin Contributions
    2

    Default Re: Image Handler 2 Security issue?

    i'll PM you

  4. #4
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Image Handler 2 Security issue?

    Thanks for that DrByte.. In the case of IH2, it turns out that Tim's code was written to make sure that a wider variety of hosting configurations could use it. At that time there were many hosting services that required "777" in order to make the file/folder "writable by Apache/PHP". Though some of these hosts are still out there, things have changed a bit since Tim's codebase was released..

    On some hosts, the folders INSIDE the bmz_cache folder will be created with 777 permissions. While on some hosts the folders inside the bmz_cache will inherit permissions from the parent (which should hopefully be set at 755).

    I've been informed that this difference likely has something to do with how PHP is implemented some hosts server.

    that is, whether it is running as an apache module

    or

    whether is run as CGI
    After doing a little more digging, I discovered that this was the code which drives the directory creation:
    Code:
    /**
     * Creates a directory hierachy.
     *
     * @link    http://www.php.net/manual/en/function.mkdir.php
     * @author  <[email protected]>
     * @author  Andreas Gohr <[email protected]>
     * @author  Tim Kroeger <[email protected]>
     */
    function io_mkdir_p($target){
      global $bmzConf;
    
      if (is_dir($target) || empty($target)) return 1; // best case check first
      if (@file_exists($target) && !is_dir($target)) return 0;
      //recursion
      if (io_mkdir_p(substr($target, 0, strrpos($target, '/')))){
        if($bmzConf['safemodehack']){
          $dir = preg_replace('/^' . preg_quote(realpath($bmzConf['ftp']['root']), '/') . '/', '', $target);
          return io_mkdir_ftp($dir);
        }else{
          return @mkdir($target, 0755); // crawl back up & create dir tree
        }
      }
      return 0;
    }
    Given that the majority or webhosts are now configured differently than when Tim wrote IH2 in 2006.. So it's possible that some of this code may be obsolete for current hosting configurations.

    The changes that I suggested are as follows:
    Code:
    /**
     * Creates a directory hierachy.
     *
     * @link    http://www.php.net/manual/en/function.mkdir.php
     * @author  <[email protected]>
     * @author  Andreas Gohr <[email protected]>
     * @author  Tim Kroeger <[email protected]>
     */
    function io_mkdir_p($target){
      global $bmzConf;
    
      if (is_dir($target) || empty($target)) return 1; // best case check first
      if (@file_exists($target) && !is_dir($target)) return 0;
      //recursion
      if (io_mkdir_p(substr($target, 0, strrpos($target, '/')))){
    /*    if($bmzConf['safemodehack']){
          $dir = preg_replace('/^' . preg_quote(realpath($bmzConf['ftp']['root']), '/') . '/', '', $target);
          return io_mkdir_ftp($dir);
        }else{*/
          return @mkdir($target, 0755); // crawl back up & create dir tree
     //   }
      }
      return 0;
    }
    Still testing, but I think this ought to resolve the issue and allow IH2 to work across most hosting configurations.

    Would love your insight sir..

    Quote Originally Posted by DrByte View Post
    No, I didn't say that.

    Some mods, including some of the most popular ones, require "writable" folders. That's not necessarily bad. Even Zen Cart itself requires some writable files/folders for normal operation such as the admin uploading product images, and so on. There's nothing wrong with a mod requiring writable files/folders if there's good reason for it. Granted, where possible that should be avoided, but it's not a reason to call it naughty.

    In the case of your fears, what's bad is using a hosting service that requires "777" in order to make the file/folder "writable by Apache/PHP" instead of being able to use a lower permission level to accomplish the same thing.

    I'm not sure why you're bent on declaring all mods bad for some reason.
    Last edited by DivaVocals; 24 Jul 2010 at 06:38 PM.
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

  5. #5
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Image Handler 2 Security issue?

    It's worth a try.

    Maybe McShane will volunteer to test it to prove that it's working satisfactorily?
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  6. #6
    Join Date
    Oct 2008
    Location
    newcastle upon tyne (UK)
    Posts
    876
    Plugin Contributions
    2

    Default Re: Image Handler 2 Security issue?

    Quote Originally Posted by DrByte View Post
    It's worth a try.

    Maybe McShane will volunteer to test it to prove that it's working satisfactorily?
    i would be more than happy to test. In fact, if you wish i can create you a webspace on one of my servers, give you FTP access and you can play yourself?

    just let me know, it will take 10 mins to set up.
    (but please note, its almost 7pm in newcastle, fast approching beer o clock... try an let me know before 7 otherwise if you want to take me up on the offer it wil be 2moro)

  7. #7
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Image Handler 2 Security issue?

    Quote Originally Posted by DrByte View Post
    It's worth a try.

    Maybe McShane will volunteer to test it to prove that it's working satisfactorily?
    Thanks.. I also asked ckosloff and a couple of other programmers to take a look at my proposed code changes.. I also have a few folks testing it as well..

    The downside is that it's likely that older hosting configurations will not be able to use IH2 which is why we will likely just comment the code out (versus removing it altogether) This way those who need the original code can still use it (with a little instruction of course..)
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

  8. #8
    Join Date
    Oct 2008
    Location
    newcastle upon tyne (UK)
    Posts
    876
    Plugin Contributions
    2

    Default Re: Image Handler 2 Security issue?

    Quote Originally Posted by DivaVocals View Post
    Thanks.. I also asked ckosloff and a couple of other programmers to take a look at my proposed code changes.. I also have a few folks testing it as well..

    The downside is that it's likely that older hosting configurations will not be able to use IH2 which is why we will likely just comment the code out (versus removing it altogether) This way those who need the original code can still use it (with a little instruction of course..)
    the offer is there if you want it

  9. #9
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: Image Handler 2 Security issue?

    Instead of commenting out the code, you could find out where the bmz safemode flag is set, and change the rules for that to be most compatible across hosting environments.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. Image display issue for preview with image handler, please help
    By bengalliboy in forum All Other Contributions/Addons
    Replies: 1
    Last Post: 16 May 2010, 06:34 PM
  2. Is this a database issue? Additional image-handler images not showing
    By crabdance in forum All Other Contributions/Addons
    Replies: 16
    Last Post: 14 Oct 2009, 12:28 AM
  3. Image Handler 2 Issue
    By CRYSTALDOLL in forum All Other Contributions/Addons
    Replies: 1
    Last Post: 12 Sep 2009, 02:41 PM
  4. image handler 2 issue
    By swdynamic in forum All Other Contributions/Addons
    Replies: 6
    Last Post: 9 Apr 2008, 09:14 PM
  5. Image handler 2 addtional image issue.
    By shackle in forum All Other Contributions/Addons
    Replies: 4
    Last Post: 24 Mar 2008, 06:51 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg