[EMAIL PROTECTED] said:
>
> I recently had someone deface the website on my server and one of the
> vulnerabilities they used to upload a rootkit, was from a php website on
> my server that allowed file uploads to /tmp. There were other unrelated
> vulnerabilities that allowed them to actually run the rootkit.
>
> Anyway as a result, to prevent users from hosting php code that allows
> file uploads w/o my knowing, I disabled file uploads in my php.ini
> files. You can guess my problem -- now no users can attach files to
> their squirrelmail emails. Note that the squirrelmail code is pretty
> secure because the attachment directory is not world-readable like /tmp
> is.
>
> My question: Is there ANY way to selectively allow file uploads from a
> select group of php files (e.g. squirrelmail) while restricting it for
> all other php scripts?
>
> Or is there another creative solution to my problem?

Assuming you are using Apache:

I know I probably shouldn't answer without an exact answer, but I think
you can set up the php settings you are talking about in httpd.conf,
sort of like this:

    <Directory /path/to/your/squirrelmail/domain.com/>
        php_value session.gc_maxlifetime 28800
        php_value session.save_path /var/squirrelmail-sessiondata
        # other php config info?
        #
    </Directory>

I am not sure if the php config lines that you need would work like
this, which is why I am hesitant to say this. However, this may work
and point you in the right direction.

Someone more knowledgeable than me hopefully can answer you better!

=Rob

--
squirrelmail-users mailing list
List Address: [EMAIL PROTECTED]
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
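
The per-directory approach suggested in the reply above, written out for the file-upload setting as an added example that is not part of the original thread. It assumes PHP runs as the Apache module (mod_php), and the upload directory path is a placeholder.

```apache
# php.ini keeps the global default the original poster already chose:
#   file_uploads = Off

# httpd.conf: re-enable uploads only inside the SquirrelMail tree.
# Assumption: PHP is loaded as mod_php, so php_admin_* directives apply.
<Directory /path/to/your/squirrelmail/domain.com/>
    # file_uploads is a PHP_INI_SYSTEM setting, so it needs php_admin_flag
    # in the server config; php_value/php_flag in .htaccess cannot set it,
    # and scripts cannot change it back with ini_set().
    php_admin_flag  file_uploads   on

    # Stage uploaded files in a private directory instead of /tmp.
    # Placeholder path: create it owned by the web server user, mode 0700.
    php_admin_value upload_tmp_dir /var/squirrelmail-uploads
</Directory>
```

After reloading Apache, a phpinfo() page served from the SquirrelMail directory should report file_uploads as On under Local Value, while the same page in any other directory reports Off.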