
captcha executable files

  1. tanksalot
    Member

    I have a security group scanning my site and they are reporting that in the GF directory there are executable files and that I should be concerned. When I look, I find .php and .png files created and/or used by the captcha. The png are the different captcha images. The php must be used for something important, but they are the ones the security scan does not like.

    OK, the first thing that popped into my head was, "If these are being created every time someone submits a form this is going to be one big directory." Do these ever get purged? How do we keep control of how big the directory gets? Lastly, are there any security issues with having them in there?

    Posted 13 years ago on Tuesday July 19, 2011 | Permalink
  2. Gravity Forms cleans up temporary files such as images generated by the Really Simple Captcha automatically. The reCAPTCHA field doesn't generate static images; it calls them from the reCAPTCHA service. I don't know what executables you are referring to. Gravity Forms is a PHP-based application, which is a scripting language and not an executable. It consists entirely of PHP, JavaScript, CSS and images.

    Posted 13 years ago on Tuesday July 19, 2011 | Permalink
  3. tanksalot
    Member

    Hi Carl,

    Perhaps they are being overly aggressive about this. I'm getting a report that a blank index.php is an executable too. Thoughts?

    You mention that GF cleans up temporary files. Are they supposed to be temporary? I've got about 100 pairs of images (png) and matching php in the wp-content/uploads/gravity_forms/captcha directory. Might I have to adjust the directory's permissions or turn on something to make this happen? We've only had a handful of submissions so far.

    Posted 13 years ago on Tuesday July 19, 2011 | Permalink
  4. A blank index.php is not an executable. It's used to prevent people from browsing directories if they are snooping around and your file permissions aren't set properly to prevent file browsing. It's a safety measure.

    100 images isn't unusual. They are small files, and depending on your Captcha setup, multiple images are used to display a single Captcha. Make sure the file permissions on that folder are set to something like CHMOD 755 or 777. You can manually delete the images in that directory if you are worried about it. Gravity Forms only cleans up as needed.

    Posted 13 years ago on Tuesday July 19, 2011 | Permalink
  5. @tanksalot, regarding files being "executable", they might be referring to file permissions. Static files like JavaScript, CSS, PHP, images, etc. (most anything in the WordPress folder EXCEPT directories) can be set to 644 permissions. If any of those files have 755 or 777 permissions, then they have the executable bit set, and maybe that's what they're running into and warning you of. It's not necessary to have PHP files or images marked executable (permissions of 7 for user, group or everyone).

    There are a couple ways to fix it, but it depends on what sort of access you have to your host (command line, FTP, etc.)

    If you're on a Linux host and have command line access, you can do something like this inside your WordPress directory:

    find . -type f | while IFS= read -r f; do chmod -v -x "$f"; done

    That will find all files in the current directory and all subdirectories, then chmod those files to remove the executable bit. Good luck.

    Posted 13 years ago on Thursday July 21, 2011 | Permalink
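
An added example, not part of any post in this thread: a report-then-fix version of the permission cleanup described in the last reply, which leaves directories alone and also lists world-writable entries. The function names, the sample tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix execute bits on files.

# Regular files under $1 with any execute bit (user, group or other) set.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Files or directories under $1 that anyone can write to (e.g. mode 777 or 666).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Drop execute bits from regular files only. Directories are left alone
# because they need the x bit to be traversed.
strip_exec_bits() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod a-x {} +
}

count_lines() { wc -l | tr -d ' '; }

# Constructed sample tree shaped like the captcha folder in the thread.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    d="$root/uploads/gravity_forms/captcha"
    mkdir -p "$d"
    chmod 755 "$root/uploads" "$root/uploads/gravity_forms" "$d"
    : > "$d/index.php";      chmod 644 "$d/index.php"
    : > "$d/12345.php";      chmod 755 "$d/12345.php"
    : > "$d/12345.png";      chmod 777 "$d/12345.png"
    : > "$d/with space.png"; chmod 755 "$d/with space.png"
    printf '%s\n' "$root"
}

# With a directory argument: report only. Without: run on the sample tree.
if [ "$#" -gt 0 ]; then
    list_exec_files "$1"
    list_world_writable "$1"
else
    tree=$(make_sample_tree)
    echo "executable files before: $(list_exec_files "$tree" | count_lines)"
    strip_exec_bits "$tree"
    echo "executable files after:  $(list_exec_files "$tree" | count_lines)"
    echo "still world-writable:    $(list_world_writable "$tree" | count_lines)"
    rm -rf "$tree"
fi
```

A file that started at 777 ends up at 666 after the execute bits are removed, so it still shows up in the world-writable list and needs a separate `chmod 644`.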