I'd be paranoid, too! :shifty:
I still have a few questions (hope you don't mind) ...
[*]How do I upload the file to a directory without 777 set on the directory?
You don't need 777, all you need is 644 or 766. You do NOT want the x77 as that would make the files executable.
[*]As far as I can tell, the only way the server is allowing me to upload is if the upload folder that I created with my uid via FTP is set to 777. This is the scenario I had when the phisherman came by.
Not so! Set the (uploaded images) directory to 766 and see what happens.
[*]My 'workaround', which I now think might be creating another security issue, was to create the folder with PHP using mkdir() in which case I can set the folder to 744 using PHP to issue a chmod().
Definitely! You're giving the uploader their own directory - but the 744 should be okay if you don't want to have anyone "read" the file (for display!)
[*]Is creating the upload folder with PHP's uid via mkdir() and using it in the way I described a security risk?
Using the mkdir() probably is but the 744/766 should ease that problem.
[*]Assuming the upload folder is set to 777 with my uid not PHP's uid, do I run chmod() on the uploaded file to make sure the uploaded file is set to 644 (not executable)?
Again, 766 is probably what you need and that should be what you get for all the files in that directory.
[LIST][*]It looks like the server is already setting uploaded files via FTP and via PHP uploads to 644 but it seems it would be prudent to make sure.
[*]I also noticed that PHP can't run a chmod on files that are in folders I created with my uid unless the folder is set to 777.
Really? Did you TRY 766?
[*]Is it helpful, from a security standpoint, to then put the .htaccess file in the upload directory
I'd put it as high as possible - meaning DocumentRoot or httpd.conf's VirtualHost section (see, I'm paranoid, too!).
[LIST][*]I mention this because without the limitation it looks like anyone could access any file in the directory e.g., if a php file got in there somehow it could then be accessed with the direct url.[/LIST]
# The Files / FilesMatch containers were lost when this post was extracted; they are
# reconstructed here from the reply below, and the FilesMatch pattern is assumed to be
# the image-extension set named further down.
<Files *>
deny from all
</Files>
<FilesMatch "\.(gif|jpe?g|png)$">
allow from all
</FilesMatch>
[*]Is there a better way to write the .htaccess file listed above?[/LIST]
[INDENT]Yes! I think that the Files would prevent the FilesMatch from ever being allowed to display an image!
# .htaccess in upload directory (for images)
RewriteEngine On
# Answer 403 Forbidden for any request whose path does not end in an image extension
RewriteRule !\.(gif|jpe?g|png)$ - [F]
Fail to provide any file that is not a gif, jpg, jpeg or png.
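As an added example (not code from either poster in this thread), here is a PHP upload handler that follows the advice above without ever touching 777: the directory is created by PHP's own uid with 0755, the stored file is forced to 0644, and the same extension whitelist as the RewriteRule is enforced in PHP as well, so the .htaccess is a second line of defence rather than the only one. The form field name `image`, the `uploads` directory location and the generated file names are assumptions for the example.

```php
<?php
// Added example, not part of the original thread. Assumed: the form posts the file
// as $_FILES['image'] and the images live in ./uploads next to this script.

$uploadDir   = __DIR__ . '/uploads';
$allowedExt  = ['gif', 'jpg', 'jpeg', 'png'];              // same set as the RewriteRule
$allowedMime = ['image/gif', 'image/jpeg', 'image/png'];   // checked against file content

/**
 * Store an uploaded image with tight permissions and return its path.
 * Throws RuntimeException on any validation or filesystem failure.
 */
function storeImage(array $file, string $uploadDir, array $allowedExt, array $allowedMime): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'unknown'));
    }

    // Whitelist the extension, lower-cased, taken only from the client-supplied basename.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('extension not allowed');
    }

    // Check what the bytes actually are; $file['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        throw new RuntimeException('content is not a gif, jpeg or png');
    }

    // Directory owned by PHP's uid: 0755 lets PHP create files in it and Apache read
    // them. Nobody else needs write, so 777 is never required.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true) && !is_dir($uploadDir)) {
        throw new RuntimeException('cannot create upload directory');
    }

    // Server-generated name: the client's filename never reaches the filesystem.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot move uploaded file');
    }

    // Explicit 0644 regardless of umask: world-readable for display, never executable.
    if (!chmod($dest, 0644)) {
        throw new RuntimeException('cannot set file mode');
    }
    return $dest;
}

try {
    $saved = storeImage($_FILES['image'] ?? [], $uploadDir, $allowedExt, $allowedMime);
    echo 'stored ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Note that `move_uploaded_file()` creates the destination with the web server's uid, which is why the directory only needs to be writable by that uid (0755, owned by PHP) rather than by everyone; the final `chmod(0644)` is the "make sure" step the question asks about, so the result does not depend on the server's umask.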