charp

Don, Thanks on both accounts. No pun intended.

I just started a new account and was issued the standard ugly username and password. The password was easy to change via cpanel, but I don't know if it's even possible for me to change the username. Is it? Someone is probably going to tell me to submit a help ticket, but I thought I'd check here first just in case. Thanks! EDIT: Argggh. I misspelled account and can't change it. Sorry.

Thanks! It's good to know that I haven't lost my marbles. That feature, however, was very nice. Was it a TCH or CPanel thingy? Either way, I vote for the return of upload limits for FTP accounts. Does anyone know of another way to limit folder capacities? Could it be done with .htaccess?

Nearly a year ago, I know that I was able to limit the capacity of individual folders. I don't remember if the limit was on the folder itself or an upload limit on an individual FTP account. Today, I can't figure out how in the world I managed those limits. I'm certain it's in the CPanel, but where???? Can anyone help point me in the right direction? Thanks in advance.

Yankman30, I'm sure you'll find what you need at one of these two resources: ssi-developer.net or bluerobot.com HTH

Further experimentation resulted in exactly what you just said. Thank you for the quick and detailed explanation. I think I'll stick with your first best bet an simply chmod the upload directory to 0777 and leave it that way.

David, Thanks for the reply. Your answer explains quite a bit about the various problems I was having when developing this script. Yes, I can see that the files uploaded by my script are owned by 'nobody' and other files and directories I've uploaded via FTP are owned by my user ID. So now I'm wondering if I can use PHP to make the directory in the first place so that 'nobody' will be the owner. I made one quick attempt at this solution, but encountered another error message. Is this another security feature or should I be able to execute the following: >mkdir($upload_dir, 0777); Thanks again. As usual, the TCH forum has been an awesome resource.

Hi, I'm trying to write a PHP script to upload image files via an HTML form. So far it all works, but I have to CHMOD the destination directory to 777. It appears that 755 is a standard, more secure value for a directory, so I figured I'd CHMOD the directory to 777 before the upload and back o 755 afterwards. Here's the bit of code in question: >chmod($upload_dir, 0777); Unfortunately, I get this error message: (the above path was altered to protect the innocent) Can anyone spot what I'm doing wrong? Is this a server setting by TCH that prevents me from CHMODing directories via PHP? I have been successful when CHMODing files within a directory using the same script, so it seems like there must be a solution. Yet, it eludes me.

I made an earlier post in this forum regarding a cracked .htaccess password. Since then, I believe I have learned how the password was cracked. I'll briefly explain how (without sufficient detail to make it a *how to* post), but I'd like to know if there's anything TCH can do to plug up this potential security hole? Here's how it could have been done: since this student was given an FTP account on the site, he was allowed to upload files in a directory under the root folder. Apparently, the FTP account prevents him from navigating out of his assigned folder, but the files in the folder have rights to read pages located outside that directory -- in fact, even outside the public_html directory. With a little knowledge and guess work about the file structure of the site, he was able to use PHP to open and read any file on the site. Even though .htaccess files encrypt passwords and store them in a folder outside the public_html directory, he was able to view those files and later used a cracking program to discover the password. Using *strong* passwords makes such a task far more difficult (perhaps even impossible) for anyone to learn the password in this fashion. However, the security risk remains. In a non shared environment, this wouldn't be possible (I'm told). So I'm wondering if either TCH or I can do anything to restrict file access as described above? I was also told that, in some shared hosting environments, the same sort of vulnerability exists between web sites located on the same server. Any truth to this? Any help and/or suggestions will be appreciated. Thanks!

So, that would be an alternate way to discover the password without using a cracking tool such as John XX. But in this instance, it appears that the cracking tool was use and not a packet sniffer. That leaves me with the big question of how did this student gain access to the password files? Wouldn't he need access to my hosting account to also have access to the password files?

Thanks everyone for the advice. I will definitely go for a STRONG password. However, I'm not sure how to restrict access to the password file. I believe the .htaccess file is in the root directory and that the passwords are actually outside the root directory -- perhaps someone at TCH can clarify this point. These files are generated and placed by the CPANEL interface, so I'm not sure what I can do to secure these files.

Serpentine, Thanks for the reply. I checked on this program and it used to crack "weak" passwords on Unix systems. I wonder if "weak" simply means short passwords that don't make use of upper and lower case characters along with numerals and symbols. If making my password "strong" doesn't require some sort of special encoding or hashing, then big complicated password here we come. Could it be that simple? As you suggest, I would still like to hear from some serious security gurus.

I run a site hosted here by TCH for my school and I've just learned that one of my students has hacked the passwords for my .htaccess protected directories. Word is that he used a hacking program called "John XXX XXXXXX" [i won't spell out the entire name just to be safe] to get to my passwords. Can anyone say if this is indeed possible? If yes, what in the world can I do to securely protect access to these directories if any teenager with a freely downloadable hacker application can access my passwords? I really need some advice here and fast. Please help! Thanks in advance.

Thanks Bruce. I'll give it a go.

From other posts in this forum, I see that one account may have a second domain parked on top of the main domain name. I further understand that this parked domain can only point to the main public_html directory. My question is how many parked domains are allowed? Is there a limit? Thanks in advance.