Coding Forum

**tcuk** · 11-18-2002, 09:16 AM

What exactly are the risks involved in making HTML files world writeable ?

I have a CGI script which allows a user to edit an html file after they enter a password. For this purpose, the file must be CHMOD'ed to 666. The password only protects access to use the script and there is no .htaccess type password protection on the file or directory at all.

Can anyone tell me what security risks this poses ? Could someone make changes to the files or delete them ?

Thanks.

**conkermaniac** · 11-18-2002, 10:22 AM

Hi tcuk,

I do not know what specific risks this poses, but I certainly would not try to CHMOD any HTML file to 666. I am pretty sure that the results could be devastating. I would only recommend doing so if the file is a script, but in this case, my suggestion: don't do it.

**tcuk** · 11-18-2002, 10:31 AM

Thanks for your reply. I could do with a more detailed explanation from someone if possible.

**Mo Money** · 11-19-2002, 02:58 AM

oh ****, Ive been doing 666 and 777 all the time!?!?!?1 AAAAAAA why is this a danger??

**tcuk** · 11-19-2002, 09:12 AM

Its not a danger. Ive posted this question in a few other places and the answer is...

666 is fine. The only way you can gain write access to the file is if you have ftp / shell access (admin) to the server or you are using a script that runs from the server itself.

I'm using a script which is password protected.

Even though 666 allows write permissions to all - you still have to have direct access to the file on the server to make changes to it.

So 666 is ok.

It's worth mentioning that there is no point in making any files writeable unless a process / script requires it.

**wambui** · 11-21-2002, 04:58 PM

Just do not do it because with the way technology is going you may never know who hacks to it. So stay away from granting such a permission.

**tcuk** · 11-21-2002, 05:22 PM

I have added some code to my script which changes the permissions of the file after it is saved so its more secure now.

**wambui** · 11-21-2002, 05:27 PM

good for you.

**conkermaniac** · 11-22-2002, 09:52 AM

Hi,

Thanks for the info, tcuk, but I would still agree with wambui. You never know what determined hackers might do - especially if they have read this post and know that you have such permissions set.

**tcuk** · 11-22-2002, 11:30 AM

They would have to know what domains I'm using and tbh it would take a very very highly skilled hacker to do this.
My domains are not worth anything to a hacker of that calibre...

NASA on the other hand, is a different story.

**wambui** · 11-22-2002, 01:33 PM

I agree they have to know the domain but people find things all the time though. And you may never know when they hacked so to be very save do not grant such pemissions.