
Security File upload exploits?

Discussion in 'System Administration' started by joshuah, Apr 24, 2017.

  1. joshuah

    I would not be concerned about files being uploaded via FTP being compromised, but rather be concerned about compromised files being uploaded and executed via PHP upload, etc.
     
  2. eva2000

    That part would be on the web app author and end user keeping the web app/script up to date.
     
  3. joshuah

    Yes, true. But at the same time, as system admins you would ideally want to mitigate the risk by ensuring that all users are isolated from each other.
     
  4. eva2000

    Yup, if you know how, you can implement jailed/chroot users in Centmin Mod or any other LEMP/LAMP stack yourself too. I posted some examples from my adventures at https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ for future implementations of chroot/jailed users for Centmin Mod LEMP environments. Just a long way off for now given the amount of beta testing activity and feedback for current 123.09beta01 features etc. Nothing in Centmin Mod is added without proper testing, feedback or thought :)
     
    Last edited: Apr 24, 2017
  5. Colin

    Probably not an option, and I've lost clients to this policy: refuse to have WordPress on a server, any server.

    Servers are so cheap now, why not treat one node per install. You could share the MySQL on one bigger node.

    Static site generators are quite powerful now and it totally depends on your needs/client ability of course. There are many importers from WordPress too, so it's not like you're starting over, well, you are.

    I'm working through one now where a guy spends 400+ on WordPress a year, posts 2 articles a month, and it's down for most of the year as he's not got time to fix it. So it's going static, editing posts using a browser-based interface "cms" to the git repo; on push, git builds and deploys the static pages to a KeyCDN push zone.
     
  6. nfn

    You should never allow script execution in these directories.
    That's asking for trouble.
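    One way to enforce what nfn describes in an nginx vhost, as an added example (not from the thread or from Centmin Mod's own vhost templates); the writable upload path /wp-content/uploads/ and the php.conf include path are assumptions:

```nginx
# Added example (not from the thread or Centmin Mod's own vhost templates).
# Assumed: the vhost's writable upload directory is /wp-content/uploads/ and
# PHP requests are normally handed to PHP-FPM by a generic "location ~ \.php$".

# Weak: the generic PHP handler alone. A .php file that ends up under the
# upload directory (dropped there by a vulnerable uploader) is executed
# exactly like any other script on the site.
#
#   location ~ \.php$ {
#       include /usr/local/nginx/conf/php.conf;   # hands the request to PHP-FPM
#   }

# Hardened: a prefix location with ^~ wins over the regex PHP handler for
# everything under the upload path, so nothing there ever reaches PHP-FPM.
location ^~ /wp-content/uploads/ {
    autoindex off;

    # Refuse script-like extensions outright (HTTP 403) rather than serving
    # their source as a plain download.
    location ~* \.(php|phtml|phar|phps|pl|py|cgi|sh)$ {
        deny all;
    }

    # Everything else under uploads is plain static content.
    try_files $uri =404;
}
```

    Check with `nginx -t`, then request a harmless test file such as /wp-content/uploads/test.php and confirm the response is 403 rather than PHP output. As defence in depth, leave PHP-FPM's pool setting `security.limit_extensions` at its default of `.php`, so FPM itself refuses other extensions if a request is ever misrouted.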
     
  7. elargento

    You could try Vesta control panel:
    Vesta Control Panel — Features
     
  8. eva2000

  9. elargento

  10. joshuah

    Agreed!! :)