security issue: permission set to 777 in many (sub)folders generated by the extension

Forums    Public Forums    JAEM Component    security issue: permission set to 777 in many (sub)folders generated by the extension
Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • woluweb Friend
    January 15, 2014 at 12:34 pm #193771

    Hi,

    I was working on improving the security of something like 10 websites for which I take care of…
    and in all of them I have discovered there were plenty of folders generated by JA Extensions Manager with permission rights set to 777 (most of the time, I would have a mix : some folders 755 and others 777. Sometimes like a few hundreds on 777 !).

    Having discovered this, I try to manually set them to 755… but I can not keep doing that every time I use JA Extensions Manager for every single site.

    And I don’t have to tell you that this is a big security issue leaving folders on your website with 777 permission 🙂

    So so :

    – is it a question of configuration ?
    – if it is a “bug”
    – is there a fix coming ?
    – is there a temporary hack we can apply in the meantime ?

    Txs in advance folks !

    Marc

    Ninja Lead Moderator
    January 16, 2014 at 8:34 am #518665

    I have informed our development team about this problem and be confirmed
    that all folder permission is set to 755.

    For the best performance, please upgrade JA EM to the latest version ( 2.5.7).

    With old folder permission 777, set permission back to 755 manually. Below are files that need being changed:


    administrator/components/com_jaextmanager/lib/config_joomla.php
    administrator/components/com_jaextmanager/lib/jaupdater/core/bean/Products.php
    administrator/components/com_jaextmanager/lib/jaupdater/core/helper/MysqlHelper.php
    administrator/components/com_jaextmanager/lib/UpdaterClient.php

    woluweb Friend
    January 16, 2014 at 3:31 pm #518725

    Txs Ninja Lead,

    I think there is a little misunderstanding : of course (and fortunately !), the files of the component itself (you mention administrator/components/com_jaextmanager) are have the right permission.

    I was speaking here of the folders generated by the component, namely under

    /www/jaextmanager_data

    Can you re-ask the developers ? 🙂

    Txs,

    Marc

    Ninja Lead Moderator
    January 17, 2014 at 3:00 am #518783

    Hi Marc,

    Apologize for my misunderstanding. It is true that the local repository (jaextmanager_data) should be set with 755. Our development team has been notified on this to get it fixed. The update is expected to be available at the end of next week.

    1. JAEM

    1 user says Thank You to Ninja Lead for this useful post

    1. woluweb
    woluweb Friend
    January 17, 2014 at 9:13 am #518828

    yahoooo !

    thanks & congrat’s 🙂

    I understand the new version will at least no more create folders with 777 permissions.
    But will it also check whether some created folders of the past have already been assigned 777… and correct them automatically ? (or shall everyone have to check manually & correct manually ?)

    Anyway, I am very happy (for me but also for the community of Joomlart users) that this is solved because 777 can potentially lead to big security problems.

  • Author
    Posts
Viewing 5 posts - 1 through 5 (of 5 total)

This topic contains 5 replies, has 2 voices, and was last updated by  woluweb 10 years, 10 months ago.

We moved to new unified forum. Please post all new support queries in our New Forum

Important Notice :

New Unified Portal is live

Must Read

Jump to forum

Categories