[osCommerce] /cache/fancy-data/ and chmod 777


Post by e-electr » Wed Jul 23, 2008 1:38 pm

Hi there,

After a quick look through my web server files... I have seen some strange PHP files on my server, in /cache/fancy-data/
Of course, this was possible because the MSU script needs to be able to write to this file, but is this a security risk we all have to assume if we need this script, or is there any way of changing this!?
Every time I add a new product / category, I have to chmod /cache/fancy-data/ to 777.
With the .htaccess file, I can understand... but with this fancy-data... I really need to change this.
Do we have any solution?
:?: Why don't we have a !!warning!! in our install.html from MSU about this possible issue :?:

Best regards
e-electr
 
Posts: 6
Joined: Sun Mar 16, 2008 11:40 am
Location: Madrid

Re: [osCommerce] /cache/fancy-data/ and chmod 777

Post by e-electr » Wed Jul 23, 2008 2:42 pm

e-electr wrote: Every time I add a new product / category, I have to chmod /cache/fancy-data/ to 777.


No worry, we can not chmod 755!!! The worst possible case: a visible warning that our fancy-data/ file is not writable.
We have to stick with a big hole in our web shops?

Please do something guys!
I will be able to pay, as long as this issue is corrected. Please!

Best regards,
e-electr
 
Posts: 6
Joined: Sun Mar 16, 2008 11:40 am
Location: Madrid

Re: [osCommerce] /cache/fancy-data/ and chmod 777

Post by ~J~ » Wed Jul 23, 2008 4:49 pm

This is not any issue or security risk. The .htaccess file needs to be writable only during installation, and the /cache/fancy-data/ directory is writable only by PHP scripts which are able to access this directory. For other cases there is also an .htaccess file in this directory. This may be a security risk only if you place a stupid PHP script with a security hole on your web server which allows an attacker to upload a PHP script (it is a security risk no matter whether MSU is used or not).
It cannot be done in a better way from a PHP development point of view, but if you really want to increase your security, there are some extensions for PHP, such as http://www.suphp.org/ (slower) or http://www.fastcgi.com/ with http://httpd.apache.org/docs/2.0/suexec.html (faster), that improve this behavior.
Magic SEO URLs are now available for
osCommerce, CRE Loaded, Zen Cart, PrestaShop, OpenCart, CubeCart, phpBB and phpBB3!
~J~
InveoStore.com Founder
 
Posts: 1053
Joined: Sat Feb 02, 2008 11:07 am
Location: Prague, Central Europe
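
A way to check a web root for the situation discussed in this thread (an added example, not part of the original posts and not MSU or osCommerce code): it lists world-writable directories, PHP files stored directly in them, and world-writable directories that have no .htaccess file. The function names and the extension list are assumptions, and it needs a `find` that supports `-maxdepth` and `-iname`.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories (e.g. chmod 777)
# and for PHP files sitting inside them. All function names are hypothetical.

# Print every directory under $1 that has the "other" write bit set.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Print PHP-like files located directly in world-writable directories under $1.
# The extension list is an assumption; adjust it to what the server executes.
list_php_in_writable_dirs() {
    list_world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) -print
    done
}

# Print world-writable directories that contain no .htaccess file.
# Only presence is checked, not what the file contains.
list_writable_without_htaccess() {
    list_world_writable_dirs "$1" | while IFS= read -r dir; do
        [ -f "$dir/.htaccess" ] || printf '%s\n' "$dir"
    done
}

# Run all three checks and print a short report.
audit_webroot() {
    echo "== world-writable directories =="
    list_world_writable_dirs "$1"
    echo "== PHP files in world-writable directories =="
    list_php_in_writable_dirs "$1"
    echo "== world-writable directories without .htaccess =="
    list_writable_without_htaccess "$1"
}

# Usage: sh audit.sh /path/to/webroot   (does nothing when no path is given)
[ "$#" -eq 0 ] || audit_webroot "$1"
```

A PHP file reported by the second check is not necessarily malicious, but a cache directory is not where application code normally lives, so each hit is worth comparing against a clean copy of the shop.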

