Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "FileSystemSecurity" page has been changed by thumbs. http://wiki.apache.org/httpd/FileSystemSecurity?action=diff&rev1=1&rev2=2 -------------------------------------------------- Making directories writable by the web server should be done only with care and consideration. The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser. Now someone is executing code on your machine. - If a web app needs writable directories, it's often better to have those outside the DocumentRoot: that way the uploads can't be accessed from the outside through a direct URL. Some applications (Wordpress for instance) support this, others do not. + If a web app needs writable directories, it's often better to have those outside the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#documentroot";>DocumentRoot</a>: that way the uploads can't be accessed from the outside through a direct URL. Some applications (Wordpress for instance) support this, others do not. In many cases, writable directories are not strictly necessary even though the web app might like them: rather than upload plugins (which contain code that gets executed or interpreted, yech!) through the web browser, upload them through ssh and manually unpack them on the server. The CMS Joomla! likes to write its configuration file to the Document Root on initial install (which promptly becomes a popular attack target) but if it can't write to the Document Root, it will output the config to the browser to the user can manually upload it.
