Image Handler 2 Security issue?

[Shane78]

I coudnt find the right thread so i posted here... (as its a security question, not a IH2 support question)

while i think the IH2 mod is a good mod, there is one thing that has always baffled me. That being IH2's need to have the bmz_cache folder set to 777.

now in the ZC FAQ it says that 777 folders are bad and opens the site to hacks... so, does IH2 put a ZC store at risk of a hack?

[soxophoneplayer]

I had nasty gram from my server a while back about security settings in my zc that were causing 'risk'. They required me to change my folders all to 0755, including bmz_cache. They said that as 'the user' I could still write/ex files as I 'owned them' - something to do with the way they set up and cgi(whatever that is).

Further problem was that IH2 created photos were also not securely permissioned.

I found a patch here: http://www.zen-cart.com/forum/showth...ons#post719447 that showed my how to insert 3 CHMOD statements into admin/includes/ih_manager.php.

I merged the CHMOD statements and edited the permissions to 0644 as required by my server.

That all passed their tests.

That was back in the zc 1.3.8a days and previous version of IH2. I When I upgraded zc to 1.3.9abcd and IH2 to current, I merged those three CHMOD statements along.

[Shane78]

cheers for that!

do you know of any reason why IH2 state this folder has to be set to 777?.. im wondering if they would add this security feature?...

[soxophoneplayer]

Alas, I know very little ;o(

I rely on the monkey-see monkey-do method which, oddly, has been serving me fairly well (albeit slowly!).

[DrByte]

McShane, the "777" is better interpreted as "writable". Back when IH2 was written, "777" was pretty much the only option that would work since PHP was typically configured to run in a way that required that in order to work. Nowadays "755" works for a growing number of server configurations.

The issue is not specific to IH2.

The bmz_cache folder needs to be "writable" by PHP because it's a PHP script that creates the files that get inserted into the bmz_cache folders and subfolders when it auto-sizes and/or watermarks the images it creates on-the-fly. If the folders aren't writable, it can't do its job, and thus the addon would be useless.

If *your* unique webserver setup allows lower permissions to still treat the files/folders as writable, then *you* can simply leave those files/folders at that level that works for you. Many hosts are now using a form of PHP running under CGI or suPHP which means "755" is sufficient to make the files/folders writable, without requiring them to be "777" they way other PHP configurations do.

The same principles apply to all PHP scripts, including addons and ZC core: a "writable" file is determined by the way the server and filesystem are configured.

So, yes, in the case of IH2 the specified folders need to be writable ... whatever that means for YOUR unique hosting configuration. Whether 777 or 755 or whatever.


Got it?

[DivaVocals]

ahh the man himself has spoken.. at the end of the day ther is some language in the IH2 readme from Tim's original document which reflects this (albiet in an ambiguous manner) we never properly vetted this text and I think it is the source of this "security" warning.. With your permission I'd like to use your words here to tighten up the IH2 redme so there will be no more misgivings or misunderstandings on this matter.. Also I need to make sure it is CLEAR that there is nothing in the IH2 code that I am aware of which explicitly changes any of the permissions of any folder contained within the bmz_cache to 777.. (as has been implied) The sub folders in fact will inheirit the permissions of the bmz_cache folder..

McShane, the "777" is better interpreted as "writable". Back when IH2 was written, "777" was pretty much the only option that would work since PHP was typically configured to run in a way that required that in order to work. Nowadays "755" works for a growing number of server configurations.

The issue is not specific to IH2.

The bmz_cache folder needs to be "writable" by PHP because it's a PHP script that creates the files that get inserted into the bmz_cache folders and subfolders when it auto-sizes and/or watermarks the images it creates on-the-fly. If the folders aren't writable, it can't do its job, and thus the addon would be useless.

If *your* unique webserver setup allows lower permissions to still treat the files/folders as writable, then *you* can simply leave those files/folders at that level that works for you. Many hosts are now using a form of PHP running under CGI or suPHP which means "755" is sufficient to make the files/folders writable, without requiring them to be "777" they way other PHP configurations do.

The same principles apply to all PHP scripts, including addons and ZC core: a "writable" file is determined by the way the server and filesystem are configured.

So, yes, in the case of IH2 the specified folders need to be writable ... whatever that means for YOUR unique hosting configuration. Whether 777 or 755 or whatever.


Got it?

Posted via Mobile Device

[DrByte]

It's usually best to simply say "writable", and let them sort that out with their hosting company.
But if you need to quote me insomuch as my comments related to permissions and IH2, feel free.

[DivaVocals]

Awesome!! and thanks again for the clarifiction..

It's usually best to simply say "writable", and let them sort that out with their hosting company.
But if you need to quote me insomuch as my comments related to permissions and IH2, feel free.

Posted via Mobile Device

[Shane78]

McShane, the "777" is better interpreted as "writable". Back when IH2 was written, "777" was pretty much the only option that would work since PHP was typically configured to run in a way that required that in order to work. Nowadays "755" works for a growing number of server configurations.

The issue is not specific to IH2.

The bmz_cache folder needs to be "writable" by PHP because it's a PHP script that creates the files that get inserted into the bmz_cache folders and subfolders when it auto-sizes and/or watermarks the images it creates on-the-fly. If the folders aren't writable, it can't do its job, and thus the addon would be useless.

If *your* unique webserver setup allows lower permissions to still treat the files/folders as writable, then *you* can simply leave those files/folders at that level that works for you. Many hosts are now using a form of PHP running under CGI or suPHP which means "755" is sufficient to make the files/folders writable, without requiring them to be "777" they way other PHP configurations do.

The same principles apply to all PHP scripts, including addons and ZC core: a "writable" file is determined by the way the server and filesystem are configured.

So, yes, in the case of IH2 the specified folders need to be writable ... whatever that means for YOUR unique hosting configuration. Whether 777 or 755 or whatever.


Got it?

correct me if i am wrong.. i think you are saying
777 is bad... all mods that use 777 is bad... bad as in a naught fella can put naughty files in 777 folders...

so, as IH2 is creating 777 folders this can cause a weakness on a server that uses it??

[DrByte]

correct me if i am wrong.. i think you are saying
777 is bad... all mods that use 777 is bad... bad as in a naught fella can put naughty files in 777 folders...

so, as IH2 is creating 777 folders this can cause a weakness on a server that uses it??

No, I didn't say that.

Some mods, including some of the most popular ones, require "writable" folders. That's not necessarily bad. Even Zen Cart itself requires some writable files/folders for normal operation such as the admin uploading product images, and so on. There's nothing wrong with a mod requiring writable files/folders if there's good reason for it. Granted, where possible that should be avoided, but it's not a reason to call it naughty.

In the case of your fears, what's bad is using a hosting service that requires "777" in order to make the file/folder "writable by Apache/PHP" instead of being able to use a lower permission level to accomplish the same thing.

I'm not sure why you're bent on declaring all mods bad for some reason.