Just been checking the CHMOD permission thing in that File.php, after my forum got hacked before. I see it's still setting files as 0777 chmod permission, that's going to mean me having to edit that file to 0644 again, then grab the new MD5 hash for it, editing another core file so the forum still passes the "File Health Check". I was hoping this would have been sorted out properly, I don't like the idea of having to keep editing CORE files like this to prevent the forum from getting hacked. I also don't understand why Mike has left that as 0777 in this stable release, not after I posted a screen-shot showing him a discussion I had with NameCheap - who said 0777 chmod permission is NOT a correct one on cPanel server set-ups and can actually cause server errors.

I have not updated my forum board yet, I'm thinking of maybe taking XenForo down now for good and putting the MyBB forum back in the ROOT. Not sure yet what to do about it all, but this whole CHMOD security thing puts me off now carrying on using XenForo. The reason my forum got hacked after the last update was because it changed permission on config.php and install-lock.php to 0777 (world writable). Those two files that got hacked are also not included in "File Health Checking". It was only through pure luck of seeing some errors generated in the admin panel leading me to check the config file that I spotted the hacking code added.

I don't get it with XenForo and permissions. MyBB doesn't change anything to 0777 and works pretty much the same way XenForo does, uploading files to the server like attachments and avatars. Also, why is XenForo setting permission on index.html files that don't get written to and are used only as index files to prevent directory file browsing to 0755 permission? They should be 0644.
Would you mind if I split this into its own thread, as it's quite interesting? Other than that, my installation is all set at 775, not 777, except for the data, public and internal_data folders - which are for attachments, avatars and the like. Are all your directories set for 777?
Split it if you want. Like you say those two folders get made 0777 by default, but on my server they don't need to be that permission. They can be (and should be) 0755 instead because they will still get written to no problem and it's just the way my server is configured. Before I took down XenForo earlier and put MyBB back, there were no folders or files set to 0777 anymore; all folders were 0755 and attachments and avatars 0644. XenForo still wrote and uploaded things no problem, but I had to edit a core file and change 0777 to 0664 permission.

There's a thread posted on XenForo where I was talking to Mike all about it, and after talking to NameCheap about it also. They told me nothing should be 0777 on my server using cPanel, as it can cause internal server errors using that permission and I think that's why Mike mentioned changing it to 0755 instead after I posted that screen-shot of the chat I had with NameCheap saying that. But it's not been changed, it's still set to 0777 in File.php. XenForo by default was making those two folders (and also many files) 0777 permission, a real no-no security wise and why the config.php and install-lock.php files got hacked after the last upgrade, because it gave them both 777 permission. Most forum software you install tells you never to leave config.php as world writable, you would normally make it 644 after installation. Take IPB 3 software, one of the security checks it does is make config.php un-writable (safe).

Each server is different, for me using 777 was totally out of the question and simply wasn't needed either to write files to folders or even alter them. It's just too much of a risk using XenForo for me now, may suit others like you and the way your VPS is set up. But getting hacked after using XenForo for 2 weeks - never getting hacked using MyBB for over 12 months because of the way both use CHMOD permissions speaks for itself. MyBB makes nothing 777 and does everything as it should be. 755 folders, 644 files.
Not trying to put XenForo down or anything here, but I'm just not prepared to keep messing around with silly chmod permissions it wants to set like that on my server, and me having to keep editing core files to make it do things as it should, to work like MyBB does. I shouldn't have to be doing it and it also means I'm having to get the new MD5 hash after editing core files so XenForo passes File Health Checking on them. Too much hassle!
Food for thought, have a read: http://www.webhostingtalk.com/showthread.php?t=549546

You have to love the last line quote in this link below, good informative article too. http://www.dionysopoulos.me/blog/777-the-number-of-the-beast

But more seriously, I think it's because I'm using shared hosting and they won't use suPHP. During my chat with NameCheap I asked if they used it on my server and was told no. They only install it on VPS, they said. So this is more a shared hosting problem really, I guess?
MyBB doesn't change anything to 777 because it stores everything in the database, probably. Basically here is why 777 is used: if you're going to store avatars/attachments in a directory and not the database then you have to be able to write that file to the disk in the file tree. On UNIX based operating systems this means you need a chmod of 777. The PHP script doesn't "own" the file/directory, and it can't elevate the permissions itself in most cases, so 777 is needed. As for the config file, it's 777 so you can edit it from the installer/admincp. chmod of 777 is not the problem, you just use it only where you need it. If you've been hacked, there was a breach somewhere on your server. You don't go blaming random things like this. If you're on shared hosting, consider moving to another host. MyBB isn't going to "protect" you from being hacked just because it stores everything in the database and makes you manually edit a config file. The guys at XenForo know what they're doing, they've been at it for 15 or more years now. I think they know when it's safe to require a file be set to chmod 777. By the way, back in the UBB days before we had fancy MySQL databases on our shared hosting plans everything was stored as files and everything (threads, templates, avatars....everything) was chmod 777.
Uh, okay, what is your point? If you're using the database to store attachments/avatars you don't need permission to write to the file system via chmod; if you're using a directory it is set to allow writing via chmod. chmod 777 is not a security risk. Someone would have to have direct access to your server before they could write the file anyway. You know how they do this? Weak passwords, sniffing for you transferring passwords via plaintext, weak security on the server, outdated software on the server, unpatched bugs, any number of risks you must take into account long before you start thinking about some directory being writable. I don't want to come off as mean, but the fact that you jumped ship to MyBB over something like this, then turn around and claim you're now more secure because you aren't using chmod 777 in one or two places just shows you have little understanding of the underlying things at play here. I don't know who your host is, but I'm willing to bet you aren't on a server that is configured correctly, or you broke something, or your server is out of date and someone got in that way, or you had an outdated script laying around. If you were serious about finding out how this occurred you'd be doing a bottom to top audit on everything you have on your server, including what versions of PHP/MySQL/Apache/whatever you're running, and sorting through your logs.
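The thread argues two things: the first poster's baseline of 0755 directories and 0644 files with config.php never world-writable, and the later point that writability should be granted only where the application actually needs it (attachment and avatar directories). The script below is an added example, not code from XenForo, MyBB or any poster: it audits a web root for world-writable paths, resets everything to the 0755/0644 baseline, and then re-opens only the named upload directories as 0775 (group-writable, as the second poster runs them), which assumes the web server user shares the site's group. The sample web root and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find world-writable paths under a web root, reset the tree to
# 0755 dirs / 0644 files, and grant write access only to named upload dirs.

# List every file or directory under $1 that has the "other write" bit set.
# -perm -0002 works on both GNU and BSD find.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Number of world-writable paths under $1 (0 is the goal for a web root).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Octal mode of one path; GNU stat uses -c, BSD/macOS stat uses -f.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Reset $1 to the baseline from the thread, then make only the listed
# directories ($2...) group-writable so uploads still work without 0777.
harden_tree() {
    root="$1"; shift
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    for dir in "$@"; do
        [ -d "$root/$dir" ] && chmod 0775 "$root/$dir"
    done
}

# Constructed sample web root reproducing the situation the thread describes:
# config.php, install-lock.php and the upload dirs left at 0777 after an upgrade.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/data" "$root/internal_data" "$root/library"
    for f in config.php install-lock.php library/File.php index.html; do
        : > "$root/$f"
    done
    chmod 0777 "$root/config.php" "$root/install-lock.php" "$root/data" "$root/internal_data"
    chmod 0644 "$root/library/File.php" "$root/index.html"
    chmod 0755 "$root/library"
    printf '%s\n' "$root"
}
```

Run `make_sample_root`, pass the result to `find_world_writable` to see the four offending paths, then `harden_tree "$root" data internal_data` and re-run the audit, which should report nothing.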