• Resolved jahrat

    (@jahrat)


    Hello Support, several months ago I raised the ticket below.

    “My web host regularly runs scans on my websites from the back end and I keep getting a warning about Complianz. The message is copied below. When this file is created by the plugin can the access restrictions be set more securely to prevent the flags? Also, can I simply remove these files from the server?
    The following files/directories had insecure permissions (777), which have been remediated.
    /…/wp-content/uploads/complianz/tmp/1592446468/mpdf
    /…/wp-content/uploads/complianz/tmp/1592446468/mpdf/ttfontdata

    The update that was received from @rogierlankhorst confirmed the files could be deleted and some adjustment to the plugin would be done to resolve this. However, with the many subsequent updates the files are still generated. I have been deleting these files which are recreated regularly.

    When will the plugin be updated to clean up after itself, so these false flags do not keep coming?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    This code has indeed been added after your request. I have just checked on our own sites, and can see that the ‘tmp’ directory is empty in all of them. On creation, the ‘tmp’ directory is added with 0755 flags.

    Possibly your host is also blocking the removal. They can tell you more about it.

    Thread Starter jahrat

    (@jahrat)

    Spoke with host after your response. They advise they are not blocking your plugin but there is a security plugin that blocks code execution in the uploads folder. In addition, the folder was not created with permissions “755” but with “777” which was stated in the report.

    Once again I have accessed the server to delete this folder.

    • This reply was modified 1 year, 7 months ago by jahrat.
    Plugin Contributor Aert Hulsebos

    (@aahulsebos)

    Hi @jahrat,

    Currently, the plugin explicitly sets file permissions to 0755 for added (sub)folders in /uploads/. It’s tested on different WordPress configurations, and hosting providers with success.

    With the information we have about your configuration, there’s currently nothing more we can do.

    For debugging purposes; in my installations, the media folder will get 0775, another plugin folder will get 0755 – and it’s recursive for files and other folders. It seems that it is either explicit or a server default, the latter being 0755.

    If I remove the explicit 0755 flags in Complianz, it still defaults to 0755 on our test servers. We need some help from your hosting provider to explain what’s happening,

    regards Aert

    Thread Starter jahrat

    (@jahrat)

    OK. I currently use DreamHost on a Shared Hosting plan. If you need additional details from me relating to my plan or site I will be happy to provide to a separate email address. I would love to have this resolved.

    Thanks.

    Plugin Contributor jarnovos

    (@jarnovos)

    Hi @jahrat,

    As the code addressing this behavior is included in current versions of the plugin, and as we can’t replicate the behavior whereby the ‘tmp’ folder is being created with 777 permissions when using the current version of the plugin; we don’t have any further leads at the moment.

    If we know how to reproduce the behavior on a ‘default’ WordPress environment with Complianz activated, we would be happy to take another look at this.

    Kind regards, Jarno

    Thread Starter jahrat

    (@jahrat)

    This is not resolved. I have passed all your comments to DreamHost support to investigate and I am waiting for their response. The error still exists on my sites.

    Thread Starter jahrat

    (@jahrat)

    Hello @rogierlankhorst

    Please see response below from the hosting company.

    These look to be different files on each site, though something looks to be setting them back after each run. Whatever the plugin is attempting to do, apparently sets it to the 777 permission. Most likely it’s supposed to clean up after itself and failing, perhaps? While our service would change it to 755 to ensure it’s not 777 globally, the plugin or whatever is interacting with these files looks to be rolling it back.

    As to what information they would need from us, all I can see is that these files haven’t been manually changed by root/users on the server and the timestamp doesn’t correlate to any connections I can see from our history. We don’t have any other daemons that interact with files beyond the DreamShield service which is changing it from 777 to 755.

    If you can get us some more information on exactly what they need from us we’ll be happy to help.

    • This reply was modified 1 year, 7 months ago by jahrat.
  • The topic ‘Compromised Flag’ is closed to new replies.
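
Added example, not part of the thread and not Complianz or DreamHost code: a shell sketch for gathering the evidence the replies above ask for, namely which directories under the uploads tree are world-writable and when they were last modified. It also shows the "explicit or server default" point from the thread: a plain `mkdir` requests mode 0777 and the process umask decides the result. The function names and the directory argument are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic example. Function names are hypothetical; pass the real
# uploads path (e.g. the complianz directory under wp-content/uploads).

# Print every directory under $1 whose "other" write bit is set.
# Mode 777 is one such mode; 755 and 775 are not matched.
find_world_writable() {
    find "$1" -type d -perm -0002 -print | LC_ALL=C sort
}

# For each flagged directory, print the long listing (mode, owner, group,
# mtime, path) so timestamps can be compared with plugin or cron activity.
report_world_writable() {
    find_world_writable "$1" | while IFS= read -r dir; do
        ls -ld -- "$dir"
    done
}

# Create directory $1 with a plain mkdir under umask $2 and print the
# resulting permission string. A plain mkdir asks for 0777, so the result
# is 0777 & ~umask: umask 022 gives rwxr-xr-x, umask 000 gives rwxrwxrwx.
mode_after_mkdir() {
    ( umask "$2" && mkdir "$1" && ls -ld -- "$1" | cut -c1-10 )
}

# When a directory is given on the command line, report on it.
if [ -n "${1:-}" ]; then
    report_world_writable "$1"
fi
```

If the report keeps listing fresh timestamped subdirectories with the write bit set, comparing their mtimes against the site's scheduled tasks narrows down which process creates them and under which umask it runs.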