On Wednesday 27 June 2007 06:32, Edward Vermillion wrote:
> Most /tmp directories are world rwx. So anyone that can log into the
> server through a shell, or any account running on the server, has at
> least read access to anything in the /tmp directory. They wouldn't
> need to do it through a web script.

On a production machine the only people who should be logging in would be doing system admin stuff and hence implicitly trusted. If you have determined hostile users logged in, then whether you hide your files "in /tmp" or "in a directory only accessible by the webserver" is hardly relevant.

Similarly, the same "poc" can be used just as well on "/tmp" as on "a directory only accessible by the webserver".

--
Crayon

--
PHP General Mailing List (http://www.php.net/)
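The exchange above turns on who can read a file dropped into a world-rwx /tmp. What actually decides that is the mode of the file itself, not only the directory it sits in: a file created under the usual 022 umask is 0644 and readable by every local account, while one created 0600 inside a 0700 directory is not, even under /tmp. The following shell functions, added here as an illustration and not part of the thread or of PHP, create scratch storage the private way and check the resulting modes; the template names (`app.XXXXXX`, `data.XXXXXX`) and the `leaky.$$` file are constructed for the example.

```shell
# Added example (not from the thread): scratch storage that other local
# accounts cannot read, whether or not it lives under world-writable /tmp.
# Assumes a POSIX sh with mktemp(1) and find(1) available.

# private_tmpdir: create a directory only the current user can enter (0700).
# mktemp -d already creates it 0700; the chmod is defensive. Prints the path.
private_tmpdir() {
    ptd_dir=$(mktemp -d "${TMPDIR:-/tmp}/app.XXXXXX") || return 1
    chmod 700 "$ptd_dir" || return 1
    printf '%s\n' "$ptd_dir"
}

# private_tmpfile DIR: create a 0600 file inside DIR. The umask is set in a
# subshell so the caller's umask is left untouched. Prints the path.
private_tmpfile() {
    ( umask 077 && mktemp "$1/data.XXXXXX" )
}

# leaky_tmpfile DIR: the pattern the thread worries about, a file created
# under the common 022 umask, which yields 0644 (world-readable). Prints the path.
leaky_tmpfile() {
    ( umask 022 && : > "$1/leaky.$$" ) || return 1
    printf '%s\n' "$1/leaky.$$"
}

# mode_is PATH OCTAL: succeed iff PATH has exactly the given mode.
# -prune keeps find from descending into a directory argument.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# others_can_read PATH: succeed iff the 'other' read bit is set, i.e. any
# local account on the host could read PATH.
others_can_read() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Stand-alone demonstration: report both cases, then clean up.
if [ -z "$NO_DEMO" ]; then
    demo_dir=$(private_tmpdir)
    demo_priv=$(private_tmpfile "$demo_dir")
    demo_leak=$(leaky_tmpfile "$demo_dir")
    for demo_f in "$demo_priv" "$demo_leak"; do
        if others_can_read "$demo_f"; then
            echo "$demo_f: readable by other local users"
        else
            echo "$demo_f: private to the owner"
        fi
    done
    rm -rf "$demo_dir"
fi
```

The directory mode alone is not a complete defence either: a 0700 directory keeps other users out, but a 0644 file inside it becomes readable the moment the directory is opened up, so the per-file umask is the setting worth fixing in whatever creates the files.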