Hi all -

I am using PHP/MySQL on an ISP in which there are other users. Everyone has
SSH access and can therefore enter everyone else's directories and read any
world-readable files. I have a config.inc file which contains my MySQL
username and password. This file is located outside of my web directory (to
prevent web browsers from reading it). In addition, my ISP added the user
'www' to my group, enabling me to make config.inc group readable but not
user readable. Therefore, none of the other users can SSH into the system
and read my username and password.

This is great, but there is one more concern: if the user 'www' can read
this file, isn't it possible for any other user to write a PHP script,
executable by 'www', that instructs the web server to echo the contents of
this file? All they have to know is the directory and name of the file they
are looking for.

Anyone have suggestions on how to close this security hole?


PHP Database Mailing List (http://www.php.net/)
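
An added example, not part of the original post: a shell check for the setup described above, reporting whether a credentials file is world-readable, sits under the web directory, or is group-readable for the web server account. The function names and finding labels are hypothetical, and the last finding assumes the server runs every customer's scripts under the one shared 'www' account.

```shell
#!/bin/sh
# Added example: audit a credentials file on a shared host.
# Function names, finding labels and sample paths are hypothetical.

# Print the 10-character mode string, e.g. "-rw-r-----".
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Succeed if FILE's directory resolves to WEBROOT or a subdirectory of it.
inside_dir() {
    file_dir=$(cd "$(dirname -- "$1")" && pwd -P) || return 2
    root=$(cd "$2" && pwd -P) || return 2
    case "$file_dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_config FILE WEBROOT
# Prints one finding per line; returns 1 if a finding exposes the file
# to other shell users or to browsers, 2 if FILE is missing, 0 otherwise.
audit_config() {
    file=$1 webroot=$2 rc=0
    [ -f "$file" ] || { echo "MISSING"; return 2; }
    mode=$(mode_string "$file")

    # "other" read bit set: every SSH user on the host can read the file.
    if [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]; then
        echo "WORLD_READABLE"; rc=1
    fi
    # Stored under the web directory: the server may hand it to browsers.
    if inside_dir "$file" "$webroot"; then
        echo "IN_WEBROOT"; rc=1
    fi
    # Group read bit set: needed so the web server account can load the
    # file, but every script run under that account gets the same access
    # (assumption: one shared account serves all customers).
    if [ "$(printf '%s' "$mode" | cut -c5)" = "r" ]; then
        echo "GROUP_READABLE_SHARED_ACCOUNT"
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/config.inc /path/to/webroot
if [ "$#" -eq 2 ]; then audit_config "$1" "$2"; fi
```

The first two findings are closed by file mode and location alone; the third remains for as long as scripts from different customers execute under the same account.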