[imp] Fileupload variable in php.ini

Lord Apollyon implist at paypc.com
Wed Aug 27 09:27:02 PDT 2003


> Quite possibly. It doesn't make things much safer, and is a pain in the
> butt for scripts that need to actually do anything.

Cheery Chuck as always, I see. :)  Right... straight to business.

Well, security is a process, not an end-destination...  One additional layer
of access controls and barriers, especially in an instance where the
limitations of the UNIX security model and the way Apache runs under it is
not unwise, I would think.  Especially where said vulnerability would allow
someone to pick and choose files to be read and displayed at will, including
such minor morsels as SQL DB passwords and the like.  I'm sure people have
made it down to: <http://www.php.net/manual/en/ref.filesystem.php>

If everyone adopted the attitude "well, if it's not perfect and cannot keep
out ALL of the attackers, it's not worth using" we might as well just
dispense with passwords, firewalls, and all of those annoying security
semantics altogether.  Geez.

It's not that hard to get IMP/Horde to run warninglessly in Safe Mode... the
only casualty I couldn't resolve was the spelling checker.  With the tiniest
bit of effort, you could even avoid ALL warnings with a settings sense check
before attempting to do the naughty stuff:

    if (ini_get('safe_mode')) {
        /* don't do nasty-nasties */
    } else {
        /* do the nasties */
    }

Yes, I can hear Jan "clean patch against HEAD?" Schneider's fingers
twitching in anticipation.

Tilting against windmills and Cranky Chucks the world over,

=Apollyon=
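
Added example (not part of the original message and not Horde/IMP code): the settings check described above, extended to also consult disable_functions and safe_mode_exec_dir before starting an external spell checker, so the feature switches itself off quietly instead of raising warnings. The function names and the /usr/bin/aspell path are assumptions made for illustration.

```php
<?php
// Added example, not Horde/IMP code. Function names and the aspell path
// are hypothetical.

// True if $fn exists and is not listed in disable_functions.
function fn_usable($fn)
{
    $off = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($fn) && !in_array($fn, $off, true);
}

// Returns null when $binary may be started, otherwise the reason it may not.
function exec_blocker($binary)
{
    if (!fn_usable('proc_open')) {
        return 'proc_open is unavailable';
    }
    // ini_get() returns false where the directive no longer exists (PHP 5.4+).
    $sm = strtolower((string) ini_get('safe_mode'));
    if ($sm === '1' || $sm === 'on') {
        // Under safe mode only programs in safe_mode_exec_dir may be started.
        return ini_get('safe_mode_exec_dir') ? null : 'safe_mode_exec_dir is not set';
    }
    return is_executable($binary) ? null : 'binary is missing or not executable';
}

// Returns the misspelled words, or null (no warning raised) when the
// environment does not allow running the checker.
function spellcheck($text, $binary = '/usr/bin/aspell')
{
    if (exec_blocker($binary) !== null) {
        return null; // caller simply hides the spell-check button
    }
    // $binary comes from site configuration, never from the request.
    $spec = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'));
    $proc = proc_open($binary . ' list', $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $text);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return array_values(array_filter(explode("\n", $out), 'strlen'));
}

var_dump(spellcheck("securty is a process"));
```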

