Website Security and Permissions

by Blog By Email on May 12, 2008

There’s a series of website attacks going on right now that take advantage of a number of vulnerabilities. I just read on the Prevx Security Blog (one of my daily stops) about an often overlooked, yet easily exploited security vulnerability that sadly exists on many websites.

777. Yes, wide open permissions! World-wide read, write, and execute permissions.

What makes this even worse is that many in the Internet Marketing arena ENCOURAGE people to set permissions to 777 in order to get some script to work.

A few things here. First, fix your scripts, guys! No script should need world write permissions to operate. If your coder doesn’t know how to do it so that you don’t need such wide open permissions, get a new one. Next, many web hosting companies no longer allow 777 permissions on their web servers. I know that my favorite web hosting company doesn’t allow it; if you try to set permissions to 777, it’s like locking up your web site. Absolutely NOTHING happens until you change them.

755 is a much better idea.
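To see where a site stands, here is an added example (not part of the original post or the Prevx article) that lists everything under a web root that is world-writable and then removes group and world write access, which turns 777 into 755. It goes slightly beyond the 777 case by also catching other world-writable modes such as 666. The function names and the throwaway directory tree are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable entries (777, 666, ...)
# and tighten them. Function names and demo paths are constructed.

# List every file or directory under $1 that any local user can write to.
# Symlinks are skipped: they always report 777 and that mode is not enforced.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Remove write access for group and other on every world-writable entry,
# so 777 becomes 755 and 666 becomes 644. Owner bits are left untouched.
tighten() {
    find "$1" ! -type l -perm -0002 -exec chmod go-w {} +
}

# Print the octal mode of one path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a throwaway tree that imitates a site set up with "just chmod 777".
demo() {
    root=$(mktemp -d)
    mkdir "$root/uploads"
    : > "$root/index.php"
    : > "$root/uploads/config.php"
    chmod 777 "$root/uploads" "$root/index.php"
    chmod 666 "$root/uploads/config.php"

    echo "world-writable before:"
    list_world_writable "$root"

    tighten "$root"

    echo "world-writable after (should be empty):"
    list_world_writable "$root"
    echo "uploads is now $(mode_of "$root/uploads")"
    rm -rf "$root"
}

demo
```

Run `list_world_writable` on its own first and review the output before calling `tighten` on a real site.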

And note the comment about “least privilege”. It’s a computer security foundational concept. It’s bedrock. You need to build your security on it.

What “least privilege” means is that you take away ALL rights, then add back in only those that the application or user needs to operate. Don’t need web access? Don’t grant it. Need to update the books? Then grant access (but keep an audit trail — and REVIEW the thing, OK?). Web site script doesn’t need 777 permissions to operate? Then why did you grant it? And even worse, Web Developer, why did you write a script that requires it (or did you simply say to set the permissions to 777 in the documentation to save on support costs? SHAME ON YOU!).

Rant over. Now get busy and do something about it.

–Tom
