Support

Hi Doug,

You can actually mitigate the risk by allowing only non .php files in that directory. Just add
cache/widgetkit
to "Allow direct access, except .php files, to these directories" textbox in .htaccess Maker and click on Save and Create .htaccess. This will allow only the static media files to be accessible from the cache directory, therefore not compromising your site's security.

It's always bad practice. The cache directory is supposed to be non-web-accessible. That's what a cache does. Moreover, it's one of the directories which are most likely to have wide open (0777) permissions, as components do need them to work. As a result, an attacker could put a malicious PHP file in there. In order to be effective, the attacker needs to run it, by accessing it over the web.

Normally, the .htaccess Maker makes it impossible for an attacker to access such files over the web. In fact, the default settings should only allow the index*.php files in Joomla!'s site root to be web accessible, not any other PHP file. If you allow running PHP files from the cache directory, you jeopardise the security of your system.

Allowing static media files only to be accessed (what I proposed) is much less risky. In fact, the attacker would have to already know the name of a cached CSS/JS file and replace it with something malicious, hoping that an administrator would then load a page making use of the (maliciously modified) file in order to perform an attack, e.g. steal a cookie. Now, that becomes a too elaborate hack and I doubt that this will ever be a common ground attack, like "planting" PHP files is nowadays.

Actually, tmp, cache, administrator/cache and logs folders are special. They are not web accessible and should at all times be writeable. Your extensions DEPEND on those folders being writable. If they are owned by your account's (FTP) user, your server is not using mod_itk/suPHP and you have not enabled Joomla!'s FTP mode (or enabled it but left the password blank for security reasons) then these directories will be unwritable and your extensions will malfunction. What I described is how 95% of sites running on shared hosts are configured.

Are 0777 permissions really that evil? I've already written all about it. Let me recap this very quickly. 777 is bad because it allows people from other hosting accounts on the same server to write to those directories. OK, so bloody what? I wrote a malicious PHP file to your site's tmp directory, let's say a C99 variant. Now, in order to pwn your site I need to RUN it. Over the web. If you're using Admin Tools Professional's .htaccess Maker OR if you have put the kind of .htaccess I mentioned above in those directories, the potential attacker CAN NOT run the hacking script, ergo can not pwn your site.

You should know me better than that, man. Before I give security advice I have done my homework. And I never suggest people do something that I'd never do on my own sites. In fact, I DO have some sites on shared hosts and I DO have set them up the way I described. The oldest of them was built on early 2006 and has not been hacked, despite other accounts on the same box having been compromised at least four times in the meantime (I know because I'm a friend of the guy owning the server).

What I want to say is that uttering aphorisms like "777 is evil, never use it" is of little use. In fact, if your files are owned by the Apache user and you have 0755/0644 permissions then you are as vulnerable as having 0777 permissions. What we ALWAYS have to do when dealing with security is think. Why is something bad? How can an attacker exploit it? How can we mitigate the risk? If you always do that, you can easily secure a site to make it tough (but: NOT impossible, don't ever think that's possible) to hack.

I missed the "correctly setup server" part :) Yes, that's true, if the server is correctly setup you don't need any of this

However, on a properly setup server, each site will have its own user, suPHP/mod_itk or php-fpm will be in use and the home directories will have 0700 permissions, so even with 0777 you would still be perfectly safe. Moreover, the last time I saw a properly setup server it was on a dedicated server. Shared and VPS hosting rarely goes into such great lengths. It takes time to set up something like this and time costs money. I know you get the idea ;)

You're welcome!