[osCommerce] /cache/fancy-data/ and chmod 777

Magic SEO URLs for CRE Loaded.
e-electr
Posts: 6
Joined: Sun Mar 16, 2008 12:40 pm
Location: Madrid

Post by e-electr » Wed Jul 23, 2008 2:38 pm

Hi there,

After a quick look through my web server files... I have seen some strange PHP files on my server, in /cache/fancy-data/
Of course, this was possible because the MSU script needs to be able to write to this file, but is this a security risk we all have to assume if we need this script, or is there any way of changing this!?
Every time I add a new product / category, I have to chmod /cache/fancy-data/ to 777.
With the .htaccess file, I can understand... but with this fancy-data... I really need to change this.
Do we have any solution?
Why don't we have a !!warning!! in our install.html from MSU about this possible issue?

Best regards

e-electr
Posts: 6
Joined: Sun Mar 16, 2008 12:40 pm
Location: Madrid

Re: [osCommerce] /cache/fancy-data/ and chmod 777

Post by e-electr » Wed Jul 23, 2008 3:42 pm

e-electr wrote: Every time I add a new product / category, I have to chmod /cache/fancy-data/ to 777.

No worry, we cannot chmod 755!!! The worst possible case, a visible warning that our fancy-data/ file is not writable.
We have to stick with a big hole in our web shops?

Please do something guys!
I will be able to pay, as long as this issue is corrected. Please!

Best regards,

inveo
Inveo Support
Posts: 1285
Joined: Sat Feb 02, 2008 12:07 pm

Re: [osCommerce] /cache/fancy-data/ and chmod 777

Post by inveo » Wed Jul 23, 2008 5:49 pm

This is not an issue or a security risk. The .htaccess file needs to be writable only during installation, and the /cache/fancy-data/ directory is writable only by PHP scripts which are able to access this directory. For other cases there is also an .htaccess file in this directory. This may be a security risk only if you place a stupid PHP script with a security hole on your web server which allows an attacker to upload a PHP script (it is a security risk no matter whether MSU is used or not).
It cannot be done in a better way from a PHP development point of view, but if you really want to increase your security, there are some extensions such as http://www.suphp.org/ (slower) or http://www.fastcgi.com/ with http://httpd.apache.org/docs/2.0/suexec.html (faster) for PHP improving this behavior.
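
Added example (not part of the thread and not Inveo's code): a small shell audit for a PHP-writable cache directory like the one discussed above, reporting the world-writable bit, a missing .htaccess file, and script files sitting in the cache. The function name `audit_cache_dir` and the rule that legitimate cache entries are not PHP scripts are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a PHP-writable cache directory such as cache/fancy-data/.
# Assumption: legitimate cache entries are data files, not PHP scripts.

audit_cache_dir() {
    dir=$1
    findings=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi

    # World-writable bit set (e.g. mode 777): any local account can write here.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "WORLD-WRITABLE: $dir"
        findings=$((findings + 1))
    fi

    # The thread mentions an .htaccess file in this directory; check it is present.
    if [ ! -f "$dir/.htaccess" ]; then
        echo "MISSING-HTACCESS: $dir/.htaccess"
        findings=$((findings + 1))
    fi

    # Script files inside a data cache are what the first post calls "strange".
    scripts=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \) -print)
    if [ -n "$scripts" ]; then
        echo "$scripts" | sed 's/^/PHP-FILE: /'
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: $dir"
    return "$findings"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_cache_dir "$1"
fi
```

The exit status is the number of finding categories, so the function can run from cron and alert on any non-zero result. Under suPHP or suEXEC, where PHP runs as the account owner, the directory can stay at 755 and the first check should come back clean.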