[RESOLVED] A question about 777 folders and security


MattG
09-16-2009, 07:27 PM
Hi,

This is probably a really basic answer that I should know but my mind has gone blank. I'm creating a little admin script for someone, it's in a folder that is password protected requiring authorization via htaccess.

I have one small script where they will upload images to a folder on the main site. As it's remote uploading via PHP I will need to CHMOD the receiving folder as 777. The folder would not be within the area requiring authorization but in the main web root.

My question is will those with bad intentions be able to exploit it just because it's set to 777 or will they not be able to because the upload script is in the htaccess password protected folder and therefore not accessible without the correct username and password?

Thanks in advance.

NogDog
09-16-2009, 08:20 PM
The bad people you'd have to worry about are anyone else with an account on that server, who could then write to that directory either directly by commands on the server or by their own script running on that server. If you're on a dedicated host, then it should not be an issue, assuming all other aspects of server security are good (login/ftp password security, etc.) that would apply in all situations.

MattG
09-16-2009, 09:08 PM
So people without access wouldn't be able to exploit it with an external script even with the permissions set to 777?

Sorry if this is a 'noob' question, I should really know the answer with certainty but I want to double check and have it confirmed by someone else who knows.

NogDog
09-16-2009, 10:17 PM
No, they cannot directly access any directory via HTTP if that directory is not the web root directory or one of its sub-directories. They could only access it if a script they can access via HTTP does something to that directory (or has a security hole that allows them to inject something that would access it) or if they have some non-HTTP means of accessing the host (such as a login name/password or FTP access).
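A way to check for the condition NogDog describes (any other local account can write to a 777 directory) and to apply the narrower alternative of letting the web server account own the upload folder instead, as an added shell example that is not code from this thread. `WEB_USER` is an assumed placeholder for the account PHP runs as; the directory tree it operates on is constructed in a temp dir so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits directories for the
# world-writable bit that "chmod 777" sets (the risk NogDog describes: any
# other local account on the host can write there) and applies a narrower
# alternative. WEB_USER is an assumed placeholder for the account the web
# server runs PHP as (www-data on Debian-style Apache, apache on Red Hat).

WEB_USER="${WEB_USER:-www-data}"

# is_world_writable DIR
# Succeeds (exit 0) when "other" has write permission on DIR.
# -prune stops find at DIR itself, so only that directory is tested.
is_world_writable() {
    [ -d "$1" ] || return 2
    [ -n "$(find "$1" -prune -type d -perm -o+w 2>/dev/null)" ]
}

# count_world_writable_dirs ROOT
# Prints how many directories under ROOT (ROOT included) are world-writable;
# run it over the web root to find every 777 directory, not just the one
# you remember creating.
count_world_writable_dirs() {
    find "$1" -type d -perm -o+w 2>/dev/null | wc -l | tr -d ' '
}

# harden_upload_dir DIR
# Give the directory to the web server account so the PHP upload script can
# still write, and drop write for everyone else. Mode 0750: owner rwx,
# group r-x, no access for other accounts. chown needs root; if it fails,
# the mode change is still applied and a note is printed.
harden_upload_dir() {
    dir="$1"
    [ -d "$dir" ] || return 2
    chown "$WEB_USER" "$dir" 2>/dev/null \
        || echo "note: could not chown $dir to $WEB_USER (needs root)" >&2
    chmod 0750 "$dir"
}

# Demo on a constructed temporary tree, so it runs offline anywhere.
demo() {
    root=$(mktemp -d)
    mkdir "$root/uploads" "$root/css"
    chmod 777 "$root/uploads"        # what the original post proposes
    echo "world-writable dirs before: $(count_world_writable_dirs "$root")"
    harden_upload_dir "$root/uploads"
    echo "world-writable dirs after:  $(count_world_writable_dirs "$root")"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run as `sh audit_uploads.sh demo` to see the before/after count, or source the file and call `count_world_writable_dirs /var/www` on a real host. If a separate FTP account also needs to drop files into the folder, the usual compromise is a shared group with mode 0770 rather than reverting to 777; either way the "other" write bit is what lets unrelated accounts on a shared host write there, and that is the bit to remove.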

MattG
09-16-2009, 10:51 PM
That's what I thought but thanks for confirming it as I had a nagging doubt in my mind about it. Much appreciated!