Securing Image Upload directories (777)

It is considered risky to leave directories in your website with the access permission 777: every user and process on the system, including a compromised web application, can write files into such a folder. However, many PHP projects such as WordPress require these folder permissions in order to function correctly.

I find it helpful to create a .htaccess file inside the image upload directory. This file does three things:
1.) Only allow certain file types to be served by the web server
2.) Stop PHP from executing any script inside that directory
3.) Stop CGI from executing any script inside that directory
Bear in mind that a 777 directory lets anything that can write into it also overwrite or delete the .htaccess file, so make the file itself owned by a different user and not writable by the web server, and check that AllowOverride permits it to take effect at all.

.htaccess file

# only allow certain file types
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" / "Require all granted")
order deny,allow
deny from all

# re-allow the image types only; the FilesMatch block was lost from the
# original listing, so this extension list is an assumption: adjust it to your site
<FilesMatch "\.(jpg|jpeg|png|gif)$">
    allow from all
</FilesMatch>

# stop PHP from rendering anything
RemoveHandler .php
RemoveType .php
# php_flag only takes effect when PHP runs as an Apache module (mod_php)
php_flag engine off
# stop CGI from executing scripts here
Options -ExecCGI

How can I easily find directories with 777 permissions?

Using the Linux command-line find utility:

find httpdocs/ -type d -perm 777

If your website becomes compromised, it is worth scanning your server for .php files that reside within directories with 777 permissions, since an upload directory is exactly where a dropped script would land:

find httpdocs/ -type d -perm 777 -exec find {} -name "*.php" \;
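The two checks above, as an added example that is not part of the original post, wrapped in a small audit script that also flags writable directories with no .htaccess. It goes a little beyond the post by matching any world-writable directory (-perm -0002) rather than only exactly 777, and it builds a constructed, hypothetical WordPress-like tree so the checks can be run offline.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a document root for
# world-writable directories (-perm -0002: any world-writable mode, not only
# exactly 777), list .php files inside them, and flag those with no .htaccess.

# Print every world-writable directory below the document root $1.
find_world_writable_dirs() {
  find "$1" -type d -perm -0002
}

# Print every .php file that lives inside a world-writable directory below $1.
find_php_in_writable_dirs() {
  find "$1" -type d -perm -0002 -exec find {} -type f -name '*.php' \;
}

# Print world-writable directories below $1 that contain no .htaccess file.
find_unprotected_writable_dirs() {
  find "$1" -type d -perm -0002 | while IFS= read -r dir; do
    [ -f "$dir/.htaccess" ] || printf '%s\n' "$dir"
  done
}

# Run all three checks and print a labelled report.
audit_docroot() {
  echo "== world-writable directories under $1"
  find_world_writable_dirs "$1"
  echo "== .php files inside world-writable directories"
  find_php_in_writable_dirs "$1"
  echo "== world-writable directories without a .htaccess"
  find_unprotected_writable_dirs "$1"
}

# Build a constructed sample document root (hypothetical WordPress-like layout)
# so the audit can be exercised offline; prints the temporary path.
make_sample_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/cache" "$root/wp-includes"
  chmod 777 "$root/wp-content/uploads" "$root/wp-content/cache"
  chmod 755 "$root/wp-includes"
  : > "$root/wp-content/uploads/photo.jpg"
  : > "$root/wp-content/uploads/stray.php"      # constructed: PHP in an upload dir
  : > "$root/wp-content/cache/.htaccess"        # constructed: protected upload dir
  : > "$root/wp-includes/functions.php"         # constructed: PHP in a 755 dir
  printf '%s\n' "$root"
}
# Usage: sh audit.sh /var/www/httpdocs
if [ $# -gt 0 ]; then
  audit_docroot "$1"
fi
```

Nested world-writable directories make the second check list a file once per enclosing directory; pipe through sort -u if that matters.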
