
What directories should not be allowed?


gkontos


Hi all,

 

Last night someone tried to hack my eshop without success, but they managed to cause a DoS for a few minutes.

 

From logs:

 

PHP Warning:  Error while sending QUERY packet. PID=12517 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76
[Sat Sep 10 03:15:02 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12559 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76
[Sat Sep 10 03:15:22 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12556 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 149
[Sat Sep 10 03:15:28 2011] [error] [client 85.17.210.232] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/www/myangelstones.com/modules/blocktags/blocktags.php on line 108
[Sat Sep 10 03:15:45 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12537 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76
[Sat Sep 10 03:15:47 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12557 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76

 

I identified that those attempted SQL injections caused the MySQL server to crash:

 

Sep 10 03:14:47  kernel: pid 1099 (mysqld), uid 88, was killed: out of swap space
Sep 10 03:17:22 kernel: swap_pager_getswapspace(16): failed

 

My question is: which directories really need to be exposed to users?

For example, is there any particular reason why /classes should be exposed?

 

I would appreciate it if someone from PrestaShop could elaborate on this.

 

Thanks

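As an added example (not part of the original post), a small log check that would have surfaced the burst above while it was happening: it groups PHP warnings in an Apache error log by client and minute and prints any pair that crosses a threshold. The log lines embedded below are constructed for the example, modelled on the ones quoted in the post; the threshold value and the second client address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag clients that produce a burst of
# PHP warnings in an Apache error_log. SAMPLE_LOG is constructed for the
# example (the 203.0.113.7 line is invented to show a non-bursting client).

SAMPLE_LOG='[Sat Sep 10 03:15:02 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12559 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76
[Sat Sep 10 03:15:22 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12556 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 149
[Sat Sep 10 03:15:28 2011] [error] [client 85.17.210.232] PHP Warning:  Invalid argument supplied for foreach() in /usr/local/www/myangelstones.com/modules/blocktags/blocktags.php on line 108
[Sat Sep 10 03:15:45 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12537 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76
[Sat Sep 10 03:16:01 2011] [error] [client 203.0.113.7] PHP Warning:  Undefined index: id in /usr/local/www/myangelstones.com/modules/blockcart/blockcart.php on line 40
[Sat Sep 10 03:15:47 2011] [error] [client 85.17.210.232] PHP Warning:  Error while sending QUERY packet. PID=12557 in /usr/local/www/myangelstones.com/classes/MySQL.php on line 76'

# burst_clients THRESHOLD < error_log
# Prints "COUNT CLIENT MON_DAY_HH:MM" for every client/minute pair with at
# least THRESHOLD PHP warnings, highest count first.
burst_clients() {
    awk -v thr="$1" '
        /\[client [^]]+\] PHP Warning/ {
            # Fields: $1="[Sat" $2="Sep" $3="10" $4="03:15:45" $5="2011]"
            minute = substr($4, 1, 5)
            # Pull the address out of "[client 85.17.210.232]"
            match($0, /\[client [^]]+\]/)
            client = substr($0, RSTART + 8, RLENGTH - 9)
            n[client " " $2 "_" $3 "_" minute]++
        }
        END { for (k in n) if (n[k] >= thr) print n[k], k }
    ' | sort -rn
}

# Run against a real log when given a threshold, else demonstrate on the sample.
if [ -n "${1:-}" ]; then
    burst_clients "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | burst_clients 3
fi
```

Run as `./burst.sh 20 < /var/log/httpd/error_log` (path is an assumption) to see which clients hammered the shop in a given minute; in the sample, only 85.17.210.232 crosses the threshold, with five warnings in the 03:15 minute.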

Hi everyone,

 

You can find in the wiki some information about folders and permissions:

 

While you have your FTP connected to your Web hosting server, make sure the following PrestaShop folders have ‘write’ permissions (also known as “CHMOD 755” – explanation of file permissions here) but do not apply these permissions recursively (to their subfolders): /config, /upload, /download, /tools/smarty/compile. Then make sure the following folders have ‘write’ permissions and apply these permissions recursively (to their subfolders): /img, /mails, /modules, /themes/prestashop/lang, /translations

 

Is it OK, or do you need more information?


Is it OK, or do you need more information?

This doesn't answer my question, and it is certainly irrelevant to the topic.

File & folder permissions have been discussed many times.

 

My question is: which directories really need to be exposed to users?

For example, is there any particular reason why /classes should be exposed?

 

So yes, please try to provide some more information that could help secure PrestaShop sites.


BTW, the information provided before is wrong. All directories should be chmodded to 755, with root as owner.

 

Owner	 7 = Execute & Read & Write
Group	 5 = Execute & Read
Everyone 5 = Execute & Read

 

However, PrestaShop needs to be able to write to some directories, like the ones mentioned above.

This means that those directories would have to be chmodded to 777.

 

This is very, very bad. If I get a shell on the server I can mess with those directories and files.

 

Instead, change the owner of these directories to www:www, or to whichever user Apache runs as. This is also bad, because in case of an exploit in the code or in the service someone can modify those directories, but it is better than 777.

 

Always use 644 for files

Owner	   6 = Read & Write
Group	   4 = Read
Everyone   4 = Read

 

Again, don't get tempted to use 666; just let Apache own the files that need access.

 

Still waiting for an answer from a PrestaShop expert regarding which directories should not be allowed access at all.

 

George

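The scheme George describes (755 on directories, 644 on files, and ownership by the web server user instead of 777/666 on the directories PrestaShop writes to) as an added shell example, not from the thread or from PrestaShop. The writable directory list is the one quoted from the wiki earlier in the thread; the shop root path and the `www` user are assumptions, and the script must be run as root for the chown step to work.

```shell
#!/bin/sh
# Added example, not from the thread: apply 755/644 everywhere, then hand the
# directories PrestaShop must write to over to the web server user rather
# than opening them to 777. Paths and the "www" user are assumptions.
set -eu

# Directories PrestaShop needs to write to, as listed from the wiki in the thread
# (relative to the shop root).
WRITABLE_DIRS="config upload download tools/smarty/compile img mails modules themes/prestashop/lang translations"

# set_base_perms SHOP_ROOT: 755 on every directory, 644 on every file.
set_base_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# grant_web_writable SHOP_ROOT OWNER: give the writable directories to the web
# server account (e.g. "www:www") instead of making them world-writable.
grant_web_writable() {
    root=$1
    owner=$2
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        chown -R "$owner" "$root/$d"
    done
}

# count_world_writable SHOP_ROOT: number of entries still writable by "everyone"
# (mode 777 directories, 666 files, ...). The target is 0.
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 | wc -l | tr -d ' '
}

# Stand-alone use: harden.sh /usr/local/www/shop www:www   (paths assumed)
if [ -n "${1:-}" ]; then
    set_base_perms "$1"
    if [ -n "${2:-}" ]; then
        grant_web_writable "$1" "$2"
    fi
    echo "world-writable entries left under $1: $(count_world_writable "$1")"
fi
```

`count_world_writable` is the check to keep in a cron job or deployment script: any non-zero result means something has drifted back to 777/666. The PHP files themselves stay root-owned and read-only for the web user, so a bug in the shop code cannot rewrite them.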

Hi gkontos,

 

Rights (chmod) on the server have nothing to do with access for your final user. Files must be readable by Apache (all of them), and it is Apache which decides whether or not to allow access to a file.

 

You can forbid access with Apache rules (in .htaccess files, for example).

 

Some files must be readable by the visitors. These are:

  • css
  • js
  • themes
  • modules
  • download
  • upload
  • webservice
  • img

In folders like config, classes, ... there is a .htaccess which disables access for your visitors:

 

Order deny,allow
Deny from all

 

Apache needs write access to:

  • img
  • cache
  • modules
  • mails
  • upload
  • download
  • themes

777 is never recommended for a file. Generally only read access is needed. For full access, 666 is enough in most cases.

777 is recommended for directories if we need to write to them. (Read because we need to see their contents, Write because we need to create files, eXecute because we need to go through them.)

 

In the install process all directories with write access are referenced.

 

 

Best regards,

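The reply above makes the key distinction: filesystem permissions decide what Apache can read, while .htaccess rules decide what visitors can fetch. As an added example (not PrestaShop's own tooling), the audit below walks the top-level directories of a shop root, treats the directories the reply lists as public (css, js, themes, modules, download, upload, webservice, img), and reports every other directory that does not carry a blocking .htaccess. The "Deny from all" rule is the one quoted in the reply; accepting the Apache 2.4 form "Require all denied" is an addition, as is the `block_dir` helper that writes the rule.

```shell
#!/bin/sh
# Added example, not from the thread: check which top-level directories of a
# PrestaShop root are reachable by visitors. PUBLIC_DIRS is the list from the
# reply above; the shop root path passed in is an assumption.

PUBLIC_DIRS="css js themes modules download upload webservice img"

# is_public NAME: true if NAME is one of the directories visitors must reach.
is_public() {
    for p in $PUBLIC_DIRS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# is_blocked DIR: true if DIR/.htaccess denies all visitors, in either the
# Apache 2.2 form from the thread or the Apache 2.4 "Require" form.
is_blocked() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -qiE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$f"
}

# audit_shop_root SHOP_ROOT: print "EXPOSED: name" for each top-level directory
# that is neither public nor blocked; returns 1 if any such directory exists.
audit_shop_root() {
    rc=0
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        name=${d##*/}
        is_public "$name" && continue
        if ! is_blocked "$d"; then
            echo "EXPOSED: $name"
            rc=1
        fi
    done
    return $rc
}

# block_dir DIR: write the rule quoted in the reply into DIR/.htaccess.
block_dir() {
    printf 'Order deny,allow\nDeny from all\n' > "$1/.htaccess"
}

# Stand-alone use: audit.sh /usr/local/www/shop   (path assumed)
if [ -n "${1:-}" ]; then
    audit_shop_root "$1" && echo "no exposed directories under $1"
fi
```

Two caveats when acting on the report: .htaccess only works if the vhost has `AllowOverride` enabled for that tree (otherwise the file is silently ignored and the audit gives false confidence), and on Apache 2.4 the "Order/Deny" syntax needs mod_access_compat, so prefer "Require all denied" there. The audit also says nothing about directories served through another web server (nginx, lighttpd), where the same blocking has to be expressed in the server configuration.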