
Domain.com, IIS, WordPress, and Image Uploads


cryo26


I'm open to trying any crazy solutions you guys can come up with, so let me have em.

I know that Hak5 uses domain.com as their hosting, and they really enjoy domain.com. I do too. Mostly. Actually, for everything except this specific issue. So I'm not here trying to flame domain.com, they're a great host, and I'm sure they have their reasons for why they keep telling me this isn't anything they support.

I come here looking for creative solutions that don't involve me switching my hosting to linux (I have .net web apps and for that I need a windows host).

My problem is that on my windows hosted website I have a wordpress installation that I plan to heavily modify, and as such can't use the one-click install that domain.com provides.

This wordpress installation has a particular problem with uploading images from within wordpress using their media manager. Specifically I receive an error indicating that the file was unable to be written to the wordpress's upload folder from the temp upload location.

Seems pretty straightforward, probably a permissions issue right? Well you aren't wrong. It is a permissions issue.

The issue is that the owner of the upload folder differs from the user php is running under, so when php tries to write the uploaded image to the upload folder, the user doesn't have permissions to the folder.

Domain.com's web based admin panel does not provide the ability to alter the owner of the upload folder. The only permissions it allows you to alter are the groupings of anonymous web user, application pool identity, and the ftp user.

The only permissions I can assign to these groups are the standard 'read', 'write', and 'execute'.

It was suggested by Domain.com's support people that I use FTP to upload the images, which is all fine and good, but that's a lot of extra work to upload the images via ftp, and then log into the wordpress install, go into the media manager, load the image into wordpress and then attach it to my post or use it in the post.

I know I can't be the only person to run into this issue, and I know that there has to be a better solution than what was suggested by their support team.

Does anyone have any ideas?


Have you tried just manual uploads to the wordpress "uploads" directory via FTP, then link from there? Some of my clients are so security conscious, you can't even use the wordpress media uploader and the upload directory is locked, so I have to scp in, change permissions, upload, then change back, or in some cases, VPN in or you can't even reach the wordpress login page. Security is a PITA, but it's also the way it's supposed to work if you want to keep things secure. Either that, or write your own PHP uploader that doesn't use a temp folder and drops it where you want. Only problem with that is then securing and sanitizing it, so no one else can 1, access it and 2, upload a reverse shell to take over your site.

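The "securing and sanitizing" step from the reply above, as an added example (not code from any poster or from WordPress): an authenticated handler that accepts only real images and writes them under a server-chosen name. `UPLOAD_DIR`, `MAX_BYTES`, the `image` field name and the `is_admin` session flag are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example. UPLOAD_DIR, MAX_BYTES, the "image" field name and the
// "is_admin" session flag are assumed names, not part of WordPress.
const UPLOAD_DIR = __DIR__ . '/wp-content/uploads/manual';
const MAX_BYTES  = 5 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_image(array $file, string $destDir): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed, PHP error code $err");
    }
    // Only accept a path PHP itself created for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type, so a script renamed to .jpg is rejected.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an allowed image type');
    }
    // Server-chosen random name with an allowlisted extension: no path
    // traversal, no overwriting existing files, no ".php" written to disk.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    // A failure here is the symptom from this thread: the identity PHP runs
    // as has no write permission on the destination folder.
    if (!is_dir($destDir) || !move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not write to the upload directory');
    }
    return $target;
}

session_start();
if (empty($_SESSION['is_admin'])) {   // assumed flag; substitute your real login check
    http_response_code(403);
    exit('Forbidden');
}
try {
    echo 'Stored as ' . basename(store_image($_FILES['image'] ?? [], UPLOAD_DIR));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage();
}
```

Configuring the destination folder so the web server never executes scripts from it adds a second layer if a check is ever bypassed.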

If the upload form doesn't let you upload your files, I would use the FTP instead. I know it's a pain but since you can't use the upload folder due to the strict permissions, it's the only way.

The other way would be to set up your own webserver at home, and security will have to be tight or else you will get all sorts of attacks and people trying to get in.


Maybe you can host a vulnerable PHP or web app, then use MSF to exploit it to get a shell. Once you have the shell, you can change the owner of the folder so you can upload via http.

Yeah, not sure domain.com would be too happy about that...lol


Posted · Hidden by digip, July 4, 2012 - dup

I wouldn't let domain.com's feelings interfere in a creative solution : ) Besides, they prolly won't notice. If they did, they'd just change it back. Beats FTP'ing and it's not anything malicious.

Edited by bobbyb1980

Yeah I'm not sure I'm going to try to hack domain.com, but it sounds like everyone has come to the same conclusion I did, that FTP is the best solution for this.

Unfortunately that may just have to be the answer.

Thanks for the effort guys.
