DW020203-PHP clarification

From: Dave Wilson (dw@DAHOMELANDS.NET)
Date: 02/06/02


Date:         Wed, 6 Feb 2002 22:17:16 +0000
From: Dave Wilson <dw@DAHOMELANDS.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Hi,
I have had many, many mails telling me this is not a problem when
file_priv = 'n' for the connecting user. This is not true. file_priv seems
to only affect server-based file operations, and thus does not interrupt
the operation of LOAD DATA LOCAL (note the LOCAL).

A patch to fix this problem was posted to php-dev; if you might be affected, a
fix is available. Another fix might be to just use proper filesystem perms on
your servers in the first place..

mycgiserver.com have a nice way of disallowing viewing of others' homedirs:
each user receives an md5 hash, which is used when creating their
document_root, like so:

/web/<hash>/root

With /web being executable only. This effectively disallows access to others'
document roots without a key (the hash).
</rant>

-dw
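
The /web/<hash>/root layout described in the message above, as an added example that is not part of the original post: shell functions that build the layout and audit a base directory for it. The function names are hypothetical, the token is a random 32-hex-character string standing in for the md5 hash (the post does not say what is hashed), and "executable only" is taken to mean mode 711, so non-owners can traverse but not list.

```shell
#!/bin/sh
# Added example: build and audit a <base>/<hash>/root layout.
# make_docroot, lock_base and audit_base are hypothetical names.

# Create <base>/<32-hex-token>/root and print the token.
# Assumption: the token is random; it stands in for the md5 hash in the post.
make_docroot() {
    base=$1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$base/$token/root" || return 1
    printf '%s\n' "$token"
}

# Base dir: owner rwx; group and other get execute (traverse) only,
# so they cannot list the per-user directory names.
lock_base() {
    chmod 711 "$1"
}

# Audit: succeed only if group/other can traverse but not list the base
# dir, and every entry in it has a 32-hex-character name.
audit_base() {
    base=$1
    mode=$(ls -ld "$base" | cut -c1-10)
    case $mode in
        d???--x--x) ;;   # search-only for group and other
        *) echo "FAIL: $base has mode $mode"; return 1 ;;
    esac
    for entry in "$base"/*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if ! printf '%s' "$name" | grep -Eq '^[0-9a-f]{32}$'; then
            echo "FAIL: guessable directory name: $name"; return 1
        fi
    done
    echo "OK: $base"
}
```

Run `audit_base` as the owner of the base directory, since the glob needs read permission on it. The scheme only holds while the token stays secret, so a path that appears in an error page, a log or a URL gives that user's document root away.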
