Everything posted by charp

  1. Don, Thanks on both accounts. No pun intended.
  2. I just started a new account and was issued the standard ugly username and password. The password was easy to change via cpanel, but I don't know if it's even possible for me to change the username. Is it? Someone is probably going to tell me to submit a help ticket, but I thought I'd check here first just in case. Thanks! EDIT: Argggh. I misspelled account and can't change it. Sorry.
  3. Thanks! It's good to know that I haven't lost my marbles. That feature, however, was very nice. Was it a TCH or CPanel thingy? Either way, I vote for the return of upload limits for FTP accounts. Does anyone know of another way to limit folder capacities? Could it be done with .htaccess?
  4. Nearly a year ago, I know that I was able to limit the capacity of individual folders. I don't remember if the limit was on the folder itself or an upload limit on an individual FTP account. Today, I can't figure out how in the world I managed those limits. I'm certain it's in the CPanel, but where???? Can anyone help point me in the right direction? Thanks in advance.
  5. Yankman30, I'm sure you'll find what you need at one of these two resources: ssi-developer.net or bluerobot.com HTH
  6. Further experimentation resulted in exactly what you just said. Thank you for the quick and detailed explanation. I think I'll stick with your first best bet and simply chmod the upload directory to 0777 and leave it that way.
  7. David, Thanks for the reply. Your answer explains quite a bit about the various problems I was having when developing this script. Yes, I can see that the files uploaded by my script are owned by 'nobody' and other files and directories I've uploaded via FTP are owned by my user ID. So now I'm wondering if I can use PHP to make the directory in the first place so that 'nobody' will be the owner. I made one quick attempt at this solution, but encountered another error message. Is this another security feature or should I be able to execute the following: >mkdir($upload_dir, 0777); Thanks again. As usual, the TCH forum has been an awesome resource.
  8. Hi, I'm trying to write a PHP script to upload image files via an HTML form. So far it all works, but I have to CHMOD the destination directory to 777. It appears that 755 is a standard, more secure value for a directory, so I figured I'd CHMOD the directory to 777 before the upload and back to 755 afterwards. Here's the bit of code in question: >chmod($upload_dir, 0777); Unfortunately, I get this error message: (the above path was altered to protect the innocent) Can anyone spot what I'm doing wrong? Is this a server setting by TCH that prevents me from CHMODing directories via PHP? I have been successful when CHMODing files within a directory using the same script, so it seems like there must be a solution. Yet, it eludes me.
  9. I made an earlier post in this forum regarding a cracked .htaccess password. Since then, I believe I have learned how the password was cracked. I'll briefly explain how (without sufficient detail to make it a *how to* post), but I'd like to know if there's anything TCH can do to plug up this potential security hole? Here's how it could have been done: since this student was given an FTP account on the site, he was allowed to upload files in a directory under the root folder. Apparently, the FTP account prevents him from navigating out of his assigned folder, but the files in the folder have rights to read pages located outside that directory -- in fact, even outside the public_html directory. With a little knowledge and guesswork about the file structure of the site, he was able to use PHP to open and read any file on the site. Even though .htaccess files encrypt passwords and store them in a folder outside the public_html directory, he was able to view those files and later used a cracking program to discover the password. Using *strong* passwords makes such a task far more difficult (perhaps even impossible) for anyone to learn the password in this fashion. However, the security risk remains. In a non-shared environment, this wouldn't be possible (I'm told). So I'm wondering if either TCH or I can do anything to restrict file access as described above? I was also told that, in some shared hosting environments, the same sort of vulnerability exists between web sites located on the same server. Any truth to this? Any help and/or suggestions will be appreciated. Thanks!
  10. So, that would be an alternate way to discover the password without using a cracking tool such as John XX. But in this instance, it appears that the cracking tool was used and not a packet sniffer. That leaves me with the big question of how did this student gain access to the password files? Wouldn't he need access to my hosting account to also have access to the password files?
  11. Thanks everyone for the advice. I will definitely go for a STRONG password. However, I'm not sure how to restrict access to the password file. I believe the .htaccess file is in the root directory and that the passwords are actually outside the root directory -- perhaps someone at TCH can clarify this point. These files are generated and placed by the CPANEL interface, so I'm not sure what I can do to secure these files.
  12. Serpentine, Thanks for the reply. I checked on this program and it used to crack "weak" passwords on Unix systems. I wonder if "weak" simply means short passwords that don't make use of upper and lower case characters along with numerals and symbols. If making my password "strong" doesn't require some sort of special encoding or hashing, then big complicated password here we come. Could it be that simple? As you suggest, I would still like to hear from some serious security gurus.
  13. I run a site hosted here by TCH for my school and I've just learned that one of my students has hacked the passwords for my .htaccess protected directories. Word is that he used a hacking program called "John XXX XXXXXX" [I won't spell out the entire name just to be safe] to get to my passwords. Can anyone say if this is indeed possible? If yes, what in the world can I do to securely protect access to these directories if any teenager with a freely downloadable hacker application can access my passwords? I really need some advice here and fast. Please help! Thanks in advance.
  14. Thanks Bruce. I'll give it a go.
  15. From other posts in this forum, I see that one account may have a second domain parked on top of the main domain name. I further understand that this parked domain can only point to the main public_html directory. My question is how many parked domains are allowed? Is there a limit? Thanks in advance.
  16. Thanks for the speedy reply. I'll submit that ticket right away.
  17. I placed a quota on a few of the FTP users for my site. Those with quotas show up at the bottom of the list of FTP users along with a bar indicating how much of their quota has been used. The problem is that other users were also generated during this process. In three instances, the user was created twice. The second one using only the last four letters of the account name. In two other instances, the new user has no name next to the bar. How can I delete these 5 extra users from the quota list? Thanks in advance.
  18. My district does have its own web server that hosts all but two of the school web sites -- the two high schools. The problems with the district server: no features such as PHP, mySQL, CGI-BIN, etc. It's straight HTML and whatever the browser will support. Hardly worth using -- and I don't. I'll try not to launch into my usual diatribe on this subject, but Madmanmcp is right about the price issue. For what it costs to buy and support a web server, schools would be better served to outsource their web hosting needs. The 10 elementary schools in my District could host all of their sites with TCH's silver plan at $55 per year. Now go figure how many years at that price it would take to buy a basic web box, and then figure in the cost of the employee that must maintain it. Do school districts do this? In my experience, no. Instead, they host their own web servers and end up wasting valuable funds that could be better spent on personnel to fix the computers in classrooms that sit idle because there's a shortage of manpower. A dedicated server, in my opinion, would be an awesome solution. Less than $1,000 per year total costs = less than $70 per year per school for my district. But it only makes sense if the entire district buys in. At this point in time, our IS department is deeply invested in having all the web services in house. My going to an outside source for web hosting is just barely tolerated and only because our site uses PHP, mySQL and CGIs, which the district can't support. Moreover, our associated student body (ASB) pays for the hosting from their own funding source. We're such rebels. At any rate, thanks again for the warm welcomes and great suggestions. I feel I made the right decision in choosing TCH.
  19. Thanks for the warm welcome! I just thought I might get a feel for what's possible. Guess I'll just go with the help desk ticket. Thanks also for the advice.
  20. I just started an account with TCH for a class I teach in a public high school. The class is all about learning how to make web pages. For this class of 31 students, I created 31 FTP accounts, each pointing to a different sub-directory. The problem is that we seem to be restricted to 3 logins from a single IP address. Since our school uses NAT, all 31 students appear to be FTPing from the same address. Is there any way for me to work around this restriction? Can TCH allow more login sessions to our account from our IP address? Any ideas at all? It's going to be a real problem for my class if we have to take turns FTPing in groups of 3, so any and all ideas/suggestions/help will be appreciated. Thanks!