Made by DeepSource

Directory created with insecure permissions PHP-A1006

Security
Critical
a01 cwe-20 cwe-276 cwe-22 sans top 25 owasp top 10 cwe-99 cwe-641

Excessive permissions are granted when creating a directory. This issue is raised when a permission mode greater than 0755 is passed to the mkdir() function, or when the permissions argument is omitted. By default, mkdir() creates the directory with universal access (0777); the only thing narrowing that default is the process umask, so a call that relies on it ends up world-writable unless the umask happens to restrict it.

The permission mode is a 3- or 4-digit octal number (write it with a leading 0, as in 0755, so that PHP treats it as an octal literal). Reading the last three digits from left to right, the first states the permissions of the file owner, the second those of the file group, and the last those of all other users. Each digit is the sum of the values of the permissions it grants:

  • r (read) = 4
  • w (write) = 2
  • x (execute) = 1 (for a directory, this is the permission to enter it and reach its entries)
  • no permissions = 0

So, for example, to give full permission to the file owner and read permission to the group and all other users, pass 0744 when creating the directory.

Like the other security rules, this one follows the principle of least privilege: grant only the permissions the directory actually needs, and widen them beyond the creating user only when some other user or service genuinely has to access the directory. A limited set of permissions is recommended.

Bad practice

// Bad practice: world-writable directory, any local user can add or replace files in it
mkdir('/path/to/dir', 0777);

// Recommended: owner may read, write and enter; group and others may only read and enter
mkdir('/path/to/dir', 0755);
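The following is an added example, not DeepSource's code or part of the rule page: a small helper that creates a directory with an explicit least-privilege mode, refuses any mode broader than the 0755 threshold the rule uses, and then reads the permissions back to confirm what actually landed on disk. The helper name createPrivateDir, the temporary path layout and the subdirectory names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the rule page): explicit directory mode with a
// post-creation check. Helper and paths are illustrative assumptions.

declare(strict_types=1);

/**
 * Create $path with the octal $mode (default 0755) and verify the result.
 *
 * mkdir() applies the process umask, so the effective mode can only be
 * narrower than $mode, never wider. A $mode broader than 0755 (such as the
 * 0777 default) is rejected up front, matching the rule's threshold.
 */
function createPrivateDir(string $path, int $mode = 0755): bool
{
    // Any bit outside 0755 (group/other write, setuid/setgid/sticky) is refused.
    if (($mode & ~0755) !== 0) {
        throw new InvalidArgumentException(sprintf(
            'Refusing to create %s with mode %04o (broader than 0755)',
            $path,
            $mode
        ));
    }

    if (is_dir($path)) {
        // Already exists: check its mode instead of silently reusing it.
        clearstatcache(true, $path);
        $current = fileperms($path) & 0777;
        return ($current & ~0755) === 0;
    }

    // Third argument true: create intermediate directories with the same $mode.
    if (!mkdir($path, $mode, true) && !is_dir($path)) {
        return false;
    }

    // Drop PHP's stat cache so fileperms() reports the fresh directory.
    clearstatcache(true, $path);
    $actual = fileperms($path) & 0777;

    // Because of umask, $actual should be a subset of $mode. Anything wider
    // means the mode was changed underneath us; tighten it back down.
    if (($actual & ~$mode) !== 0) {
        return chmod($path, $mode);
    }

    return true;
}

// Usage against a scratch location under the system temp directory.
$base = sys_get_temp_dir() . '/mkdir-example-' . bin2hex(random_bytes(4));

$ok = createPrivateDir($base . '/uploads');
printf(
    "uploads created: %s, mode on disk: %04o\n",
    $ok ? 'yes' : 'no',
    fileperms($base . '/uploads') & 0777
);

// The rule's "bad practice" mode is rejected before mkdir() is ever called.
try {
    createPrivateDir($base . '/scratch', 0777);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The mode printed for uploads is 0755 or narrower, depending on the umask of the PHP process; it is never wider, which is the property the rule is protecting. Reading the permissions back after mkdir() is also a cheap way to catch a deployment whose umask is looser than the code assumed.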
