MachForm Community Forums » MachForm 2

Data folder security?


  1. ryanmc
    Member

    I recently noticed in my data folders a file called mshell.php; after a quick search I noticed this was a script called mshell.php in the files and css folders. The data folder had the permissions required by install, and now I'm worried, as they'll have been able to scrape config.php and grab the db user and pass (changed now). It seems to only be the forward-facing forms that users fill in that have had uploads.

    Is permission 666 safe, and what can I do to stop rogue scripts being posted in the folder?

    Also please note that I'm assuming these settings were the issue, although I do believe that my error somewhere has to do with this problem and not the software; however, other folders on this hosting are uncompromised.

    Posted 14 years ago #
  2. yuniar

    Ok, so basically MachForm requires writable permission on the data folder, so it can save any files uploaded by the form.

    Depending on your hosting configuration, some sites can use 755, while other sites need 777.

    777 is less secure than 755, but always works.

    Try to set your data folder permission to 755 and try to create a new form with file upload field. If the upload works properly, then you can use the 755 permission.

    However if you want maximum security, you can do the following:

    1) Edit your config.php and set your UPLOAD_DIR to use a private folder outside your website document root, so nobody can access it from outside.

    2) Edit your config.php and change the DATA_DIR to use a scrambled folder name. Don't use the default "data" folder. You can change it to "mycss" or something.

    3) Remove the "write" permission from your "mycss" folder. You can set the permission to 555. However, each time you need to create a new form, you need to manually change the permission of your "mycss" folder to writable.

    If you do all those 3 steps, it would offer maximum security, since there is no writable folder.

    However, if step #3 seems to be quite a hassle, at least you can do step #1 & #2 above.

    Anyway, even though you found the backdoor script inside the MachForm data folder, it doesn't mean it came from there. It could be coming from any script or exploitable part of your site.

    I suggest also doing a full security audit of all your files.


    MachForm Founder

    Posted 14 years ago #
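An added audit helper for the two symptoms discussed in this thread (server-side scripts dropped into the upload folder, and world-writable 777/666-style permissions), plus the "lock it to 555" step from the answer above. This is example code, not part of MachForm; it assumes a POSIX shell with find(1) and chmod(1), and the data-folder path is passed in by the caller.

```shell
#!/bin/sh
# Example audit for a MachForm-style data/upload folder (not MachForm code).
# Assumes POSIX sh, find(1) and chmod(1); DIR is whatever DATA_DIR/UPLOAD_DIR
# points at in config.php.

# audit_data_dir DIR
# Lists (1) PHP-type scripts inside the upload folder, which a form upload
# directory should never contain, and (2) anything world-writable, which lets
# any other user/vhost on shared hosting drop files there.
# Returns 0 when clean, 1 when something was found, 2 when DIR is missing.
audit_data_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    findings=0

    # (1) Scripts that the web server would execute if reached via a URL.
    scripts=$(find "$dir" -type f \( -name '*.php' -o -name '*.phtml' \
                                    -o -name '*.php[0-9]' -o -name '*.phar' \))
    if [ -n "$scripts" ]; then
        echo "SUSPICIOUS SCRIPT(S):"
        echo "$scripts"
        findings=$((findings + 1))
    fi

    # (2) World-writable files or directories (-perm -002: the o+w bit is set).
    ww=$(find "$dir" -perm -002)
    if [ -n "$ww" ]; then
        echo "WORLD-WRITABLE ENTRIES (777/666-style):"
        echo "$ww"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# lock_data_dir DIR
# Step 3 from the answer above: strip the write bit everywhere (directories
# become 555, files 444). Re-add it (chmod -R u+w) only while creating forms.
lock_data_dir() {
    chmod -R a-w "$1"
}
```

Run `audit_data_dir /path/to/data` after any change to permissions; a non-zero exit means something still needs attention.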
