Hello,
I like HESK very very much, but I'm concerned about security, specifically in 2 issues:
1) Is it safe against SQL injection?
2) What security measures are supported to ensure that attached files sent by visitors are harmless, in the right type as specified by the admin in the HESK control panel, not executable, not directly accessed?
3) What is the safest possible file format there is to allow as an attachment? My visitors would many times like to send screenshot images, so which image type is safest, and would it be better if I restrict it to only PDF?
Having asked all that, I must confirm that I know that nothing is immune; I just want to do my best to protect my customers' tickets and my business.
Attachment security
Moderator: mkoch227
Re: Attachment security
1) A lot of effort has been put into making HESK secure, especially against XSS/SQL injection/CSRF/session hijack etc. There are no known security issues with the current HESK version.
2) Attachments aren't scanned by HESK (antivirus software should do that), but due to the way attachments are handled (not executed, but stored with random names and read by PHP rather than directly output to the browser) all extensions should be safe to use.
3) I would recommend enabling only those you really expect to use and avoid allowing upload of any files executable on your server (ASP, PHP, CGI, SHTML, ...).
You don't have to be too restrictive though; you may easily allow any image type, for example. Even if malicious code is located within the image, it will not be executed on the server.
As far as HESK is concerned, no attachments will be executed or accessed directly by the browser, but as said they are not scanned, so an antivirus on your PC/server is a must have.
Klemen, creator of HESK and PHPJunkyard
Was this helpful? You can buy me a drink here
You should follow me on Twitter here
Help desk software | Cloud help desk | Guestbook | Link manager | Click counter | more PHP Scripts ...
Also browse for php hosting companies, read php books, find php resources and use webmaster tools
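The reply above describes the pattern (admin-configured extension list, random stored name, file read back by PHP instead of served by the web server) without showing it. The following is an added example written for this page, not HESK's own code, with the checks a practitioner would add on top: the extension is taken from the last dot only, image uploads are checked against their real MIME type, the on-disk name carries no extension at all, and the download is forced with `Content-Disposition: attachment` plus `nosniff`, because an HTML or SVG attachment rendered inline would otherwise be stored XSS in the help desk's origin even though nothing runs on the server. The constants, the `attachment` form field and the storage directory are assumptions.

```php
<?php
// Added example, not HESK's own code. Constant names and paths are assumed.

const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']; // hypothetical admin setting
const MAX_BYTES   = 2 * 1024 * 1024;                            // hypothetical size limit
const ATTACH_DIR  = __DIR__ . '/attachments';                   // ideally outside the web root

// For image extensions, the MIME type the file contents must actually have.
const IMAGE_MIME = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                    'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns [storedName, originalName]; throws on any rejection.
 */
function store_attachment(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, PHP error code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Never trust the client-supplied path; keep only the last component.
    $orig = basename((string) $file['name']);
    // Extension after the LAST dot, lower-cased ("shell.php.jpg" -> "jpg").
    $ext = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException("extension '.$ext' is not allowed");
    }
    // For images, check the bytes really are that image type, not just the name.
    if (array_key_exists($ext, IMAGE_MIME)) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($mime !== IMAGE_MIME[$ext]) {
            throw new RuntimeException("content is $mime, not " . IMAGE_MIME[$ext]);
        }
    }
    // Random, unguessable on-disk name with NO extension: even if the directory
    // is reachable, the web server has no extension to match a handler against.
    $stored = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], ATTACH_DIR . '/' . $stored)) {
        throw new RuntimeException('could not move the upload into place');
    }
    return [$stored, $orig];
}

/**
 * Stream a stored attachment. $stored and $orig come from the database after
 * the caller has verified the requester may see this ticket, never from the URL.
 */
function send_attachment(string $stored, string $orig): void
{
    // Defence in depth: a stored name can only ever be 32 hex characters.
    if (!preg_match('/^[0-9a-f]{32}$/', $stored)) {
        http_response_code(404);
        return;
    }
    $path = ATTACH_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Force a download and forbid MIME sniffing, so an uploaded .html/.svg/.pdf
    // is never rendered inside the help desk's origin.
    $safeName = str_replace(['"', "\r", "\n", "\\"], '_', $orig);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage in a ticket submit handler (hypothetical form field name "attachment"):
// [$stored, $orig] = store_attachment($_FILES['attachment']);
// ... save ($ticketId, $stored, $orig) in the database ...
// and in the download script, after the access check on $ticketId:
// send_attachment($rowFromDb['stored'], $rowFromDb['orig']);
```

If the attachments directory has to live under the web root, pair this with a deny rule for the directory itself (on Apache 2.4, a `.htaccess` containing `Require all denied`, or `php_flag engine off` where `.htaccess` overrides are allowed), so that the only path to a file is through `send_attachment()`.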
Re: Attachment security
Thanks for your reply,
I tried to install the newest version and found that it requires the 777 permission set. As far as I know it is a major security issue; what is your opinion about that, and how do you make granting this permission safe, especially when 755 doesn't allow the uploading...
Re: Attachment security
If the server is set up smartly (PHP not running under user "nobody") then 777 is not required.
If PHP is set up in a way that PHP runs under another user than the account owner (PHP doesn't have permission to write to folders/files), then they indeed need to be CHMOD-ed to 777.
Setting 777 is not a security hole by itself, but if an attacker finds a way to execute malicious code on the server as any user, he can modify files and folders that are world writable no matter where they are located.
Klemen, creator of HESK and PHPJunkyard
Re: Attachment security
Thanks for your reply,
I didn't understand the part where you mentioned that 777 is not a security hole on its own. Can you please explain further, in simple terms, when 777 is not a security hole and when it is, especially when almost all articles on the internet mention why we should always avoid 777, to the extent that a writer mentioned that a folder with 777 makes it extremely easy to hack the website? That left me with the impression that anyone can put anything in a folder with 777...
Finally, what security measures does HESK take so that using 777 is safe for the attachments?
I really appreciate your help in making my support area as secure as possible.
Re: Attachment security
What 777 actually means on a Linux system and how it could be exploited is out of the scope of this forum, but there should be plenty of articles online explaining that.
Klemen, creator of HESK and PHPJunkyard
Re: Attachment security
But just to be clear - having a world-writable directory does not mean someone can hack your server because of that. It just means that if someone DOES hack your server (using a security hole), he can upload and edit any files inside a world-writable folder.
Klemen, creator of HESK and PHPJunkyard
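The two replies above boil down to one question: which user does PHP run as, and does that user already own the attachments directory or share its group? The answer decides whether 0755, 0775 or 0777 is the least that works. The following is an added example for this page, not HESK's own code: it works that out for the running PHP process so an installer can stop defaulting to 0777. It assumes a Unix host with PHP's `posix` extension enabled, and the directory path is hypothetical.

```php
<?php
// Added example, not HESK's own code. Assumes a Unix host with the posix
// extension; the directory path at the bottom is hypothetical.

/**
 * Returns [mode, reason]: the least permissive directory mode (octal int for
 * chmod()) that still lets the current PHP process create files in $dir.
 */
function minimal_writable_mode(string $dir): array
{
    if (!is_dir($dir)) {
        throw new InvalidArgumentException("$dir is not a directory");
    }
    if (!function_exists('posix_geteuid')) {
        throw new RuntimeException('posix extension not available');
    }
    $euid    = posix_geteuid();           // user PHP is actually running as
    $egroups = posix_getgroups();         // its supplementary groups...
    $egroups[] = posix_getegid();         // ...plus its effective group
    $owner   = fileowner($dir);
    $group   = filegroup($dir);

    $pw  = posix_getpwuid($euid);
    $me  = $pw ? $pw['name'] : (string) $euid;
    $pw  = posix_getpwuid($owner);
    $own = $pw ? $pw['name'] : (string) $owner;

    if ($euid === 0) {
        return [0755, "PHP runs as root, which bypasses mode bits; 0755 is enough (and running PHP as root is itself a problem)"];
    }
    if ($euid === $owner) {
        // The "smart" setup from the reply: PHP runs as the account owner.
        return [0755, "PHP runs as the directory owner ($me); owner write (0755) is enough"];
    }
    if (in_array($group, $egroups, true)) {
        $gr  = posix_getgrgid($group);
        $grp = $gr ? $gr['name'] : (string) $group;
        return [0775, "PHP ($me) is in the directory's group ($grp); group write (0775) is enough"];
    }
    // The case where the reply says 777 is needed: PHP is a different user
    // (e.g. "nobody"/"www-data") and shares no group with the owner.
    return [0777, "PHP runs as $me but the directory belongs to $own with a group PHP is not in; "
                . "only world write (0777) works unless ownership or group changes"];
}

/** Human-readable comparison of the current mode with the minimal one. */
function report_mode(string $dir): string
{
    [$mode, $why] = minimal_writable_mode($dir);
    $current = fileperms($dir) & 0777;
    return sprintf("%s: current %04o, minimal %04o. %s", $dir, $current, $mode, $why);
}

$dir = __DIR__ . '/attachments'; // hypothetical attachments directory
if (is_dir($dir)) {
    echo report_mode($dir), PHP_EOL;
}
```

When the function lands on 0777, the better fix is to change the directory rather than the mode bits: run PHP as the account owner (PHP-FPM pool per user, suPHP or similar), or, with root, `chgrp` the directory to the web server's group and use 2775 so the group sticks on new files. If 0777 really is the only option, the directory must not be executable by the web server or reachable directly, since anything that can write there, another compromised site on the same host included, can then drop files into it.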
Re: Attachment security
OK, let's focus on the attachment folder of HESK. Its permission is 777; what do you do to prevent possible attacks, knowing that only HESK is using this folder... And is there anything I should do for this folder? Hope you answer these 2 questions.
Re: Attachment security
To be more clear
I am using HESK, the last version. The permission set for the attachment folder is 777. It is the only folder on my server with this permission and only HESK writes in it. I believe it is important for me to know 2 points:
1) How does HESK handle a folder with such permission so it is not a threat?
2) Are there any things that I should do to further protect it?
3) If HESK is the only system using this folder, then adding files to this folder must be done through the file uploading in the tickets, or could such permission allow adding files to this directory through other ways?
That's all!
Re: Attachment security
All HESK does is it uploads files to that folder and prevents direct access to them by encoding their name. Nothing more, nothing less.
Everything else you want to know about Linux folder permissions, Linux security etc you will need to search around, because it is out of the scope of my support. Sorry!
Klemen, creator of HESK and PHPJunkyard