web application security lab

Some Security Questions Answered

I got an email today with a few good security related questions so I decided to post the answers as other people may be interested:

Two questions:
1. If someone is hotlinking an image, is there a way to change the .htaccess to serve them a file that will embed links in their site?

2. How important is not having 777 CHMOD for security?

To the first question, it depends entirely on how they are linking to you. If they are using an iframe to show the image, absolutely. If they are simply using an IMG SRC tag, you are pretty much out of luck. I’ve experimented with all sorts of redirection techniques but have come up dry. The best I’ve come up with is making it redirect to a mailto: link, which will launch the user’s mail client and can embed text (HTML, I’m afraid, is not really an option there). You can do the same thing with the skype: scheme if they have Skype installed, or the scp: scheme if they have WinSCP installed (there’s actually a known exploit in WinSCP if you wanted to install malware). Another option is to have it link to an RFC1918 (non-routable) address to perform a function, something like http://192.168.0.1/firewallsettings/makemeinsecure (this would only work if they were already logged in, the IP address was correct, and they had the right type of router/firewall for whatever function we are talking about). Note that you can probably figure out the firewall/router they are using, since they are connecting to your machine and you’ll have their IP address by which to do recon. I don’t recommend doing any of this stuff, because they’ll know it’s you and you’ll probably end up in jail, but it can be done in theory.
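The question itself is about what .htaccess can do against hotlinking, and the practical answer on the defensive side is simply not to serve the image to other people's pages. The script below is an added example, not code from the original post: it writes an Apache mod_rewrite rule set that returns 403 for image requests whose Referer is present and not from your own domain, and it includes a small function that mirrors the same decision so the policy can be checked without a running Apache. The domain `example.com`, the output path and the image extensions are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): hotlink protection via .htaccess.
# "example.com" and the output file are assumed values for the illustration.
set -eu

# write_hotlink_htaccess DOMAIN OUTFILE
# Writes mod_rewrite rules: an image request whose Referer is present and does
# NOT come from DOMAIN (with or without www.) gets a 403. An empty Referer is
# allowed so direct visits and referer-stripping browsers still get the image.
write_hotlink_htaccess() {
    domain=$1
    out=$2
    # escape the dots so the domain is a literal in the regex
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
    cat > "$out" <<EOF
RewriteEngine On
# Allow requests with no Referer (direct hits, privacy-conscious browsers)
RewriteCond %{HTTP_REFERER} !^\$
# Allow our own host, any scheme, optional www. prefix, case-insensitive
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${escaped}(/|\$) [NC]
# Everything else asking for an image is refused
RewriteRule \.(gif|jpe?g|png)\$ - [F,NC]
EOF
}

# referer_allowed DOMAIN REFERER
# Returns 0 if the rules above would serve the image, 1 if they would 403.
# Mirrors the RewriteCond logic (case-insensitive, empty Referer allowed,
# host must be DOMAIN or www.DOMAIN followed by "/" or end of string).
referer_allowed() {
    domain=$1
    ref=$2
    [ -z "$ref" ] && return 0
    lower=$(printf '%s' "$ref" | tr 'A-Z' 'a-z')
    ldomain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    case "$lower" in
        http://"$ldomain"/*|https://"$ldomain"/*|http://www."$ldomain"/*|https://www."$ldomain"/*)
            return 0 ;;
        http://"$ldomain"|https://"$ldomain"|http://www."$ldomain"|https://www."$ldomain")
            return 0 ;;
    esac
    return 1
}

# Demo: generate the rules for the assumed domain and print them
out=$(mktemp)
write_hotlink_htaccess example.com "$out"
cat "$out"
rm -f "$out"
```

Note that the Referer header is sent by the browser and can be absent or forged, so this keeps casual hotlinking off your bandwidth rather than providing any hard guarantee; it also deliberately allows an empty Referer, which is the trade-off between blocking everything and not breaking direct links.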

To the second question, 777 really isn’t that important if you are fairly sure there are no other vulnerabilities in your system and you don’t have multiple (untrusted) users on it. If your system creates files whose names are based on arbitrary user input, 777 can cause a problem: they can name the file .php, and because it is 777 instead of 666 it will actually execute. That’s partly how Apache.org got hacked. If you have untrusted users on your system and files are 777, they can write, run or erase them. If the file is owned by the www user and they already have www user access, that’s sort of a moot point, but it could be a problem where they don’t have www user or CGI access and you otherwise wouldn’t want them to access, edit or erase those files. Really, 660 should be used for read/write access on multi-user systems, or 770 for executables, if you wanted to be super anal about it. I’ve only seen one system that was hacked because of this, ever. So it’s not really that big of a deal.
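The two conditions in the answer (a world-writable file or directory, and an uploaded file that carries an execute bit) are easy to audit with find, and the 660/770 recommendation is easy to apply. The script below is an added example, not from the original post: it builds a constructed sample tree containing a 777 upload directory with a 777 avatar.php, lists what an auditor would flag, and then applies 770 to directories (which need the execute bit to be traversed) and 660 to files so that "others" get nothing. All paths and file contents are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix the 777 problem
# described above. The sample tree and its paths are constructed.
set -eu

# list_world_writable DIR
# Prints every file or directory under DIR that "others" can write to,
# i.e. the 777 / 666 case. Uses only POSIX find options.
list_world_writable() {
    find "$1" -perm -o+w -print | sort
}

# list_executable_uploads DIR
# Prints regular files under DIR with any execute bit set. In an upload
# directory nothing should be executable; with 777 an uploaded .php is.
list_executable_uploads() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print | sort
}

# count_findings DIR -> total number of flagged entries from both checks
count_findings() {
    n1=$(list_world_writable "$1" | wc -l)
    n2=$(list_executable_uploads "$1" | wc -l)
    echo $((n1 + n2))
}

# harden_uploads DIR
# Apply the recommendation from the answer to an upload tree: 770 on
# directories (execute bit needed to traverse them), 660 on files (owner and
# group read/write, no execute, nothing for "others").
harden_uploads() {
    find "$1" -type d -exec chmod 770 {} +
    find "$1" -type f -exec chmod 660 {} +
}

# build_sample DIR
# Constructed sample: a 777 upload directory holding a 777 avatar.php (the
# "name it .php and it runs" case) next to a harmless 644 image.
build_sample() {
    mkdir -p "$1/uploads"
    printf '<?php echo 1;' > "$1/uploads/avatar.php"
    printf 'GIF89a' > "$1/uploads/photo.gif"
    chmod 777 "$1/uploads" "$1/uploads/avatar.php"
    chmod 644 "$1/uploads/photo.gif"
}

# Demo on the constructed tree
root=$(mktemp -d)
build_sample "$root"
echo "world-writable before hardening:"
list_world_writable "$root"
echo "executable files before hardening:"
list_executable_uploads "$root"
harden_uploads "$root"
echo "findings after hardening: $(count_findings "$root")"
rm -rf "$root"
```

Run it against a real upload directory by calling `list_world_writable` and `list_executable_uploads` on that path first; `harden_uploads` is only appropriate for trees that contain data rather than CGI scripts, since those need 770 to keep running.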
