[Wylug-discuss] 777 access on an images directory
Phil Driscoll
phil at dialsolutions.co.uk
Fri Oct 12 17:23:25 BST 2007
On Friday 12 Oct 2007, Mike Goodman wrote:
> Phil Driscoll wrote:
> > The 777/execution bit was not the issue I was warning you about. The
> > problem is that the application allows upload of files into a directory
> > which is served up by the web server.
>
> But isn't that then the case for any directory containing files served
> up by the web server? Sorry to be thick, but isn't it the permissions
> which control who can upload files?
Yes, the permissions control which users can write files to a directory, but
under normal circumstances, there would be no mechanism in place for external
users to upload files to a web directory. However, in this instance, the PHP
script provides an upload form to allow files to be uploaded and written to a
directory which is then served up by the web server. In a securely designed
application, the web server would never have permission to write files into a
directory that it made directly available by HTTP.
Cheers
--
Phil Driscoll
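
The design rule in the message above can be checked mechanically. The following is an added example, not part of the original post: it walks a document root and lists every directory in which a given account could create files, using the classic owner/group/other mode bits only (ACLs and mount options are ignored). The function names, the constructed sample tree and the stand-in web server uid are assumptions made for illustration.

```python
import os
import tempfile

def can_create_files(st, uid, gids):
    """Unix mode-bit check: creating a file needs write + search on the dir."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        shift = 6                        # owner triplet
    elif st.st_gid in gids:
        shift = 3                        # group triplet
    else:
        shift = 0                        # "other" triplet
    need = 0o3                           # w (2) + x (1)
    return (st.st_mode >> shift) & need == need

def served_and_writable(docroot, uid, gids=()):
    """Return directories under docroot (relative paths) the uid can write into."""
    groups = set(gids)
    hits = []
    for path, _dirs, _files in os.walk(docroot):
        if can_create_files(os.stat(path), uid, groups):
            hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample docroot: images/ is 777, css/ is 755."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)
    for name, mode in (("images", 0o777), ("css", 0o755)):
        d = os.path.join(root, name)
        os.mkdir(d)
        os.chmod(d, mode)                # chmod explicitly; mkdir honours umask
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    web_uid = os.getuid() + 1            # assumed stand-in for the web server account
    for d in served_and_writable(root, web_uid):
        print("web server can write into served directory:", d)
```

Any directory this reports for the real web server account is one where an upload handler can place files that are then reachable by URL.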