Bugtraq mailing list archives
DW020203-PHP clarification
From: Dave Wilson <dw () dahomelands net>
Date: Wed, 6 Feb 2002 22:17:16 +0000
Hi, I have had many, many mails telling me this is not a problem when file_priv = 'n' for the connecting user. This is not true. file_priv seems to only affect server-based file operations, and thus does not interrupt the operation of LOAD DATA LOCAL (note the LOCAL). A patch to fix this problem was posted to php-dev, if you might be affected, a fix is available. Another fix might be to just use proper filesystem perms on your servers in the first place.. mycgiserver.com have a nice way of disallowing viewing of other's homedirs, each user recieves an md5 hash, which is used when creating their document_root, like so: /web/<hash>/root With /web being executeable only. This effectively disallows access to other's document roots without a key (the hash). </rant> -dw
Current thread:
- DW020203-PHP clarification Dave Wilson (Feb 06)