Directory created with insecure permissions PHP-A1006

Excessive permissions are granted when creating a directory. This issue is raised when permission greater than 0755 is given, or permissions argument is not specified when creating a directory using mkdir() function. By default, mkdir() function gives universal access(0777) to created folders.

The permission number can be a 3 or 4-digit numeric, where the first digit states permissions for the file owner, the second digit is for the file group, and the last digit states the permission all other users. Each write, read, and execute permissions have the following number value:

• r (read) = 4
• w (write) = 2
• x (execute) = 1
• no permissions = 0

So as an example, to give full permission to file owner and read permission to the group and all other users, use 0744 while creating a directory.

In general, all security rules follow the principle of least privilege, except when the directory being created needs to be accessed by anyone other than the user creating it. It is recommended to give limited set of permissions.

Bad practice

// Bad practice
mkdir('/path/to/dir', 0777);

// Recommended
mkdir('/path/to/dir', 0755);

References

• OWASP Top 10:2021 > A01 - Broken Access Control
• OWASP Top 10:2017 > A05 - Broken Access Control
• File System Permission - Numeric Notation
• CWE-276: Incorrect Default Permissions