Hi,
I just put my site live and was doing a security review, and it pointed out that my folder for the Boost cache,
cache/normal, is being filled with folders from unknown sources...
The permission for the cache and normal folders is 0777...

I checked the URLs in the folders and files, and they turn out to be the URLs of the IP address which was previously assigned before it was assigned to me...

1) Is it safe to let it be the way it is now?
2) What is the best and safe permission for the cache/normal folder?
3) Can I have the cache/normal folder outside the www?

Thanks in advance,
madhu

Comment   File                                        Size       Author
#2        Screenshot from 2014-04-22 22:24:47.png     42.72 KB   madhudvs

Comments

Anonymous

  1. What kind of things, as that could be a security issue (email me through the contact form if it's serious)?
  2. No, you can't store outside the webroot, as the .htaccess file needs it unless you modify the settings manually (and even then there's no guarantee).
  3. The safest permission is 0700, owned by the PHP/web server user, on the folder, but then you may find that your server does not serve pages; 0755 is okay though.
  4. If these unknown items are being created by the web server, then pretty much chmodding the directory is going to result in nothing.
  5. Do a Google search on the type of filenames being created; it's likely there's a bot about, sending out random queries for vulnerabilities. You won't be able to do anything about it, as it's probably got a spoofed or distributed IP address, so blocking them (you'd get them from the logs) wouldn't achieve anything, but at least you could rest easy knowing that they are being served a quick HTML page from Boost rather than a 500, 403, 404 etc. for a WordPress vulnerability from 5 years ago, and using up too many of your resources. You could block on the URL, but then you need to be careful that you are denying access through .htaccess and not serving a Drupal denying PHP page, which is then starting your whole database/PHP resources.

Comprehensive enough answer ;)

madhudvs

First of all, big thanks for the response...
The cache/normal folder takes nothing less than 0777 (have attached a screenshot).

I deleted the cache folder and recreated it, but still got folders created.
I googled and found that the names of the folders created were the names of the sites which previously used the IP I have now!!
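
An added example, not code from the thread or from the Boost project: a small POSIX shell audit for the two things discussed above, per-host cache directories that do not belong to the site and directories left world-writable. It assumes each first-level directory under cache/normal is named after the host name of the cached request, as the folder names reported above suggest; the function names and the sample host names are constructed for illustration.

```shell
#!/bin/sh
# Audit a Boost cache tree (for example cache/normal under the Drupal root).
# Assumption: first-level directories are named after the requested host name.

# unexpected_hosts CACHE_DIR HOST...
# Prints every first-level directory whose name is not one of the HOST
# arguments (the host names the site is actually meant to answer for).
unexpected_hosts() (
    cache_dir=$1
    shift
    for dir in "$cache_dir"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        name=$(basename "$dir")
        known=no
        for host in "$@"; do
            if [ "$name" = "$host" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then printf '%s\n' "$name"; fi
    done
)

# world_writable_dirs CACHE_DIR
# Prints directories that any local account can write to (mode o+w, e.g. 0777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Constructed sample tree: one expected host at 0755 and one stale host
# directory left at 0777. Prints the path of the temporary tree.
make_demo_cache() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/www.example.org/node" "$demo_root/old-tenant.example/blog"
    chmod 0755 "$demo_root/www.example.org" "$demo_root/www.example.org/node" \
               "$demo_root/old-tenant.example/blog"
    chmod 0777 "$demo_root/old-tenant.example"
    printf '%s\n' "$demo_root"
}

# Usage: sh audit.sh /path/to/cache/normal www.example.org example.org
if [ "$#" -ge 2 ]; then
    echo "Host directories not in the allowlist:"
    unexpected_hosts "$@"
    echo "World-writable directories:"
    world_writable_dirs "$1"
fi
```

Run it as the account that owns the cache so `find` can read every subdirectory.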