> Hi, > > a friend of mine uses a certain directory to upload files to. This directory has write permissions for all, since his cgi script has to store the files in it. >
This is a common myth. The directory only has to have the permissions it needs, how much control you have over the directory and the box is going to determine that, as well as what other users need access to the same files. In general the directory will have to be writable "by the user the web server is running as". In many cases this will be an 'apache' user, an 'httpd' user, sometimes 'nobody', etc. but depends on the system, the installation, and configuration of the web server software. In the case that other users on the system need write access to the directory as well, a good approach would be to create a new group, add the web server as well as the other users to the group and then provide group writable permissions to the directory. Regardless you are leaving the web server open to writing to a directory, which really isn't as big a deal as people make it out to be. No server is secure, period. Having said that, you can limit your exposure, for instance make sure the directory where the files are stored is not script aliased so that anything uploaded can be executed, additionally move the directory out of the document root so that anything uploaded can't even be served directly. Make sure that the archaic 'PUT' and 'DELETE' methods aren't accepted by the web server. > He does not believe that this could be a security issue. Is there a simple method to delete something from this directory (or write something to it without using his script) to prove him wrong? > Try the 'PUT' or 'DELETE' request methods. It *is* a security issue, *but* is it the biggest one? Is it worth the effort versus the risk? Only he (and you) can decide... http://danconia.org -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] <http://learn.perl.org/> <http://learn.perl.org/first-response>