Monday, October 19, 2009

Using File Permissions To Combat iFrame Injections

After posting my article on "Measures to Prevent and Detect iFrame Injection Attacks", I started to notice that many other people on the internet were linking to my article. They obviously felt that it was indeed an important weapon against combatting iframe injections.

As my article grew in popularity, I started to notice that iframe injection attacks against my website started to increase. I guess I was making some people very unhappy. As my website is constantly being monitored, I was able to react and remove these iframe injections almost immediately.

It soon occured to me that perhaps the file permissions on my web pages needed to be beefed up, made more restrictive.

As per my post on "Website Protection and Security Using File and Directory CHMOD", most website file permissions are:

Files: 644
Folders: 755 (with index page in it)
Images: 644
CGI scripts: 755
Php scripts: 644

Since iframe injections attack your index.* webpages, the CHMOD 644 may not be enough to protect them. CHMOD 644 gives you, the user, all read, write and execute permissions and everybody else only read and execute permissions. You would think that this should be enough to prevent an iframe injection. Unfortunately, it is not.

In my article on "Website Protection Against iFrame Injections", hackers may be attacking your website via a virus that they may have downloaded to your computer without you realizing it. Even though you change passwords, and remove the iframes, you may still be vulnerable to iframe injections. This virus could be sneaky enough such that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials. The result will be the same as a user logging into the website and thus will be able to write (modify) to the web page, adding the iframe injection. What we need to do then is to prevent writing to the web page. We need to change the web page file permission or CHMOD value.

The CHMOD capability depends on two conditions:

1) The server you are connected to must support the CHMOD command.
2) You must have access rights to change the attributes of that remote file or directory.

Make sure these two conditions are fulfilled.

It is also important to remember that you can set any non-script file to anything you like. You do not however want to set a directory or script to anything but CHMOD 755 if you want it to be able to run (for obvious security reasons). Only the owner of a file or root may change the permissions on a file no matter what its current permissions maybe.

Since the iframe injection attacks are against the index.* web pages, we need to prevent modifications of these web pages. Now suppose you have just finished modifying your index.html and you did not want anybody to update or to delete it. Then, give the web page file permission CHMOD 444 and it will have this effect. This gives everybody, including the owner (user), only read capability. If the owner turns off the write permission, the file is protected from accidental destruction. This is a pretty secure way to store HTML files when they are not being currently edited.

If you set file permission CHMOD 444 via FTP, then you may find that your host does not allow CHMOD 444 to be set via FTP - and even though you think you've changed to 444, it reverts back to 644. You may have to set CHMOD 444 via your host CPanel in a browser. Make sure you check this out. If you entered your site via FTP, edit your index.html file by adding a small change and then removing it. When you try to save the file, you should not be allowed to over-write it.

Once you have changed file persmission to CHMOD 444 on your web page, ensure that it still functions and runs properly. Whenever you need to edit your index.html page, simply change back to CHMOD 644, do your changes, and then change again to CHMOD 444.

Having to change file permissions everytime you need to edit a web page might feel a bit tedious. Preventing iframe injections to your website which could classify you as a risk site by Google, and hence, stop all traffic to your website, is well worth the extra few minutes needed to edit a web page via the CHMOD command.

1 comment: