httpd-wiki-changes mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "FileSystemSecurity" by ChrisPepper
Date Tue, 03 Aug 2010 01:11:37 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "FileSystemSecurity" page has been changed by ChrisPepper.
http://wiki.apache.org/httpd/FileSystemSecurity?action=diff&rev1=4&rev2=5

--------------------------------------------------

  
  Certain applications, especially publishing platforms and Content Management Systems that
you manage and populate through the web server itself using a browser, require that certain
directories on the system be made writable by the web server user.  You can do this by changing
the owner of the directory to that user (usually www but ymmv), or by making the directory
group-writable and changing the group to the group as which Apache runs. 
  
- Making directories writable by the web server should be done only with care and consideration.
 The usual threat model is that someone manages to upload (for instance) a PHP script of their
own making into the document root, and simply executes that by accessing it through a browser.
 Now someone is executing code on your machine.
+ Making directories writable by the web server should be done only with care and consideration.
 The typical attack model is: someone manages to upload (for instance) a PHP script of their
own making into the document root, and simply executes that by accessing it through a browser.
 Now your machine is executing their code under their control.
  
  If a web app needs writable directories, it's often better to have those outside the Document
Root ([[http://httpd.apache.org/docs/2.2/mod/core.html#documentroot]]): that way the uploads
can't be accessed from the outside through a direct URL.  Some applications (Wordpress ([[http://wordpress.org/]])
for instance) support this, others do not.  
  
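Review bot: the added line swaps "threat model" (removed line) for "attack model"; "threat model" is the established term and the paragraph describes exactly that, so consider keeping it (or "threat scenario"). The rewritten closing sentence ("Now your machine is executing their code under their control") is an improvement, but the paragraph still leaves implicit what makes the upload dangerous: the script lands somewhere the server both serves and executes, which is what "executes that by accessing it through a browser" relies on. Stating that condition explicitly, e.g. "into a directory under the document root from which the server will execute scripts", would tie the warning directly to the following paragraph's advice to keep writable directories outside the DocumentRoot.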
