
Security Issues for Magento
 
Aussie Shane
Jr. Member
 
Total Posts:  8
Joined:  2007-08-31
Australia
 

Can anyone please update me with the security progress on setting of file attributes to 777. We have installed seven copies of Magento and they have all been hacked so we have had to remove them from service.
Our host advises we cannot leave files set to 777 as it leaves them open to abuse but Magento directs that we have to do this to install and get the updates etc.
It takes considerable time to change all required attributes so it is not viable to edit every time an update is available. What or how is everyone else getting past this issue?

Cheers
Shane

 
 
lisali
Enthusiast
 
Total Posts:  889
Joined:  2008-04-28
London, UK
 

Hi Shane,

Sorry to hear about your problem - but that sounds very strange, I have to say. The ONLY files/directories that have to be CHMOD-ed to 777 are:

[dir] magento/app/etc
[dir] magento/media (and subfolders)
[dir] magento/var
[file] magento/var/.htaccess

Also make sure to use a custom admin path and password-protect the downloader directory using .htaccess.

Did your host tell you exactly how/where the security on Magento was compromised?

Good luck!

 
 
Aussie Shane
Jr. Member
 
Total Posts:  8
Joined:  2007-08-31
Australia
 

Hi Lisali,

Thanks for the update and advice.

You are correct of course and we have yesterday managed to access and update etc by SSH and this has addressed the issue as we can return all attributes to a secure setting in seconds after we have updated the files. This obviously applied to new installations as well so we are well on the road to getting sites up and running.

Your input is appreciated.

Cheers

Shane

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

[dir] magento/app/etc

That is probably one folder above all else where you probably want the chmod to not be 777 when it’s not needed to do so as that exposes the database information.
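The approach the thread converges on (open only lisali's four paths for the update, then restore secure permissions over SSH as Shane did, keeping app/etc tight as SimpleHelix advises) as an added shell script; this is an example written for this page, not code from the forum or from Magento. It assumes a baseline of 755 for directories and 644 for files, with app/etc tightened to 750/640; those numbers are not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Magento): toggle the
# install/update permissions lisali lists, then restore a locked-down
# baseline the way Shane describes doing over SSH.
# Assumptions (not stated on the page): secure baseline is 755 for
# directories and 644 for files, with app/etc tightened to 750/640
# because it holds the database credentials SimpleHelix warns about.

MAGENTO_WRITABLE_DIRS="app/etc media var"      # chmod -R, per lisali
MAGENTO_WRITABLE_FILES="var/.htaccess"

# Open only the paths Magento needs writable while installing/updating.
magento_open_for_update() {
    root=$1
    for d in $MAGENTO_WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod -R 777 "$root/$d"; fi
    done
    for f in $MAGENTO_WRITABLE_FILES; do
        if [ -f "$root/$f" ]; then chmod 777 "$root/$f"; fi
    done
}

# Restore the secure baseline; run this as soon as the update finishes.
magento_lock_down() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -d "$root/app/etc" ]; then
        find "$root/app/etc" -type d -exec chmod 750 {} +
        find "$root/app/etc" -type f -exec chmod 640 {} +
    fi
}

# Audit helper: number of entries under ROOT that are still world-writable.
# Anything other than 0 outside an update window is the exposure the
# host warned Shane about.
magento_world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# True when the path has exactly the octal mode given (e.g. 640).
magento_has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Typical update window on the server, e.g.:
#   . ./magento-perms.sh
#   magento_open_for_update /var/www/magento   # then run the updater
#   magento_lock_down /var/www/magento
#   magento_world_writable_count /var/www/magento   # expect 0
```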

 