[24158] in bugtraq
DW020203-PHP clarification
daemon@ATHENA.MIT.EDU (Dave Wilson)
Wed Feb 6 21:04:43 2002
Date: Wed, 6 Feb 2002 22:17:16 +0000
From: Dave Wilson <dw@dahomelands.net>
To: "SecurityFocus' BugTraq" <bugtraq@securityfocus.com>,
NTBugTraq Mailling List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Message-ID: <20020206221716.E25932@newjack>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Hi,
I have had many, many mails telling me this is not a problem when
file_priv = 'n' for the connecting user. This is not true. file_priv seems
to only affect server-based file operations, and thus does not interrupt
the operation of LOAD DATA LOCAL (note the LOCAL).
A patch to fix this problem was posted to php-dev; if you might be affected, a
fix is available. Another fix might be to just use proper filesystem perms on
your servers in the first place..
mycgiserver.com have a nice way of disallowing viewing of others' homedirs:
each user receives an md5 hash, which is used when creating their
document_root, like so:
/web/<hash>/root
With /web being executable only. This effectively disallows access to others'
document roots without a key (the hash).
</rant>
-dw
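
The execute-only parent directory described in the message above, as an added example that is not part of the original post: it builds a /web/<hash>/root layout in a temporary directory and audits the parent's mode bits. The function names, the modes compared, and deriving the md5 hash from random bytes are assumptions made for illustration.

```python
import hashlib
import os
import secrets
import stat
import tempfile


def make_docroot(web, mode):
    """Create <web>/<hash>/root, set <web> to `mode`, and return the hash."""
    # Assumption: the hash is md5 over random bytes, so it works as an
    # unguessable key. The message does not say how the hash is derived.
    key = hashlib.md5(secrets.token_bytes(16)).hexdigest()
    os.makedirs(os.path.join(web, key, "root"))
    os.chmod(web, mode)
    return key


def audit_web_root(web):
    """Return findings about the parent directory's group/other mode bits."""
    mode = stat.S_IMODE(os.stat(web).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # Read permission on a directory allows listing its entries,
        # which reveals every user's hash.
        findings.append("mode %o: group/other can list hashes" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("mode %o: group/other can create or rename entries" % mode)
    if not mode & stat.S_IXOTH:
        # Without execute (search) permission the web server user cannot
        # reach a document root even when it knows the hash.
        findings.append("mode %o: other cannot traverse to a docroot" % mode)
    return findings


def demo(modes=(0o711, 0o755, 0o700)):
    """Build the layout once per mode (constructed data) and audit it."""
    results = {}
    for mode in modes:
        with tempfile.TemporaryDirectory() as tmp:
            web = os.path.join(tmp, "web")
            os.mkdir(web)
            make_docroot(web, mode)
            results[mode] = audit_web_root(web)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print("%o -> %s" % (mode, findings or "ok"))
```

The audit reads mode bits with stat rather than attempting a listing, so the result is the same when it is run as root.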