
This is a discussion on Need help in the Open Discussion & Chit-chat forum

  1. #1
    JPC Member
    Join Date
    Oct 2001
    Posts
    27

    Need help

    My site requires that images get uploaded. In order to do this, I have to set the permissions to 777 for the upload directory.

    This directory seems to be getting "hit" lately. This did not start until maybe a couple of months ago.

    Does anyone have any ideas on how to prevent this?
    Thanks,
    Mark

  2. #2
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    What do you mean by "hit", exactly? Do you mean you have a publicly accessible directory that requires very loose permissions and that now the directory is returning the images to all GETs that ask for them? And that there was a sudden and now continuous spike in requests for the images in that directory?

    If you are serving files from that directory and it is in unprotected web space, you cannot stop requests. Or if you need to, you'll need to explain your situation a bit more on what kind of help you want, specifically. Depending on your specific situation, some suggestions will be better than others and some won't apply at all. Need more info.
    Last edited by Spathiphyllum; 03-09-2006 at 09:53 PM. Reason: I'm wont to forget an apostrophe on occasion.

  3. #3
    JPC Member
    Join Date
    Oct 2001
    Posts
    27

    What I mean by hit

    Unauthorized uploads.

  4. #4
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    I would password protect the script that lets users upload files. The easiest way to do this is with the Password Protected Directories feature of CPanel, but there are ways to do it on individual files if protecting the entire directory is not possible (because other scripts in it need to be public, etc.).

    Another thing: make sure you are checking any files that are uploaded to be sure they are what you expect. It is not unheard of for people to try uploading scripts (especially PHP scripts) to servers in the hope of exploiting them. Basically they figure out that www.somesite.com/imguploads is where uploaded files are stored and then they try to upload a file like spamtheworld.php. If they're successful they can go to http://www.somesite.com/imguploads/spamtheworld.php and essentially do whatever they want, and it looks like it's you that's doing it.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  5. #5
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    humarsoft,

    Besides Basic or Digest Authorization suggested by jason, you might also consider writing or searching for a script that runs as a cron job whereby anything that is not an image file or Apache config file gets purged at regular intervals. That way you'll have a strict "policeman" on watch to purge the directory of any executable files. Should a rogue script get uploaded, at least its damage will be minimized and you won't have to scan the directory every few minutes out of paranoia.
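
The file check from post #4 and the cron "policeman" from post #5, combined in one sweep script. This is an added example, not code posted by anyone in the thread. It assumes the site accepts only JPEG, PNG and GIF; the function names and the quarantine directory are hypothetical, and files are moved aside for review rather than deleted outright.

```python
#!/usr/bin/env python3
"""Cron-run sweep: quarantine anything in the upload directory that is not an image."""
import os
import shutil
import sys

# Leading bytes of the image formats this (assumed) site accepts.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"}}
KEEP = {".htaccess"}  # the Apache config file the post says to leave alone


def image_kind(path):
    """Return 'jpeg'/'png'/'gif' from the file's leading bytes, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def sweep(upload_dir, quarantine_dir):
    """Move non-image regular files out of upload_dir; return the names moved."""
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    moved = []
    for entry in sorted(os.scandir(upload_dir), key=lambda e: e.name):
        if entry.name in KEEP or not entry.is_file(follow_symlinks=False):
            continue  # subdirectories and symlinks are not examined here
        kind = image_kind(entry.path)
        ext = os.path.splitext(entry.name)[1].lower()
        # Content and extension must agree: a PHP file named x.gif fails the
        # content check, and GIF bytes named x.php fail the extension check.
        if kind is None or ext not in ALLOWED_EXT[kind]:
            shutil.move(entry.path, os.path.join(quarantine_dir, entry.name))
            moved.append(entry.name)
    return moved


if __name__ == "__main__" and len(sys.argv) == 3:
    for name in sweep(sys.argv[1], sys.argv[2]):
        print("quarantined:", name)
```

The quarantine directory should sit outside the web root so that nothing moved there can be requested over HTTP. A header check only looks at the first bytes, so it narrows what survives in the directory rather than proving a file is a clean image.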
