Security question

2025-04-07

I have been looking at a PHP file uploader script that I really want to use but I am concerned that it poses a security risk. But I could be wrong so I wanted to get input from some of you.

System Facts: This is a well patched and secured RH7.3/Plesk 6.02 box with an IPtables firewall. I am the only one with shell access. I use SSH for shell access and administrative file transfer. I have telnet turned off.

Script Issue: In looking at the script I find that it requires several PHP scripts that are in a subdirectory of the document root (httpdocs/subdir) to have 777 permissions. It also requires that subdirctory to have a folder (httpdocs/subdir/folder) to have 777 permissions. The script needs this access to the folder so that it can create subdirectores named after the content of one of the consumer completed fields. I can put an .htaccess file in "folder" without the web user needing access to it.

But that still leaves the wide open PHP scripts world exposed. I could put an .htaccess on "subdir" but then site customers would have to be given the password, again opening a hole in security, at least to my understanding.

I have tested the script privately and it won't work with anything less than 777 permissions on those scripts.

The company that sells the script states that it isn't a risk because somebody would need FTP or shell access to put a dangerous script in the folder or rewrite the existing 777 scripts.

The script has tight security for people using the script to upload files through the front door. And just exactly the user functionallity that I want. But it goes against everything I have learned to leave anything with 777 permissions in world view. I feel like it would open a serious backdoor security hole.

I appreciate any insights or suggestions on this.