> How?  Manually each time a file is uploaded?  Or with PHP somehow?
>
> I appreciate your response, but perhaps I'm not clear enough.
>
> Isn't it quite common to have php creating/editing/deleting files on
> the server?  How is this done in a secure manner?
>
> Could you explain further?

Well, technically, unless your admin is using the latest PHP updates, the
server is already open to known exploits (albeit most are pretty difficult
to recreate).  Your admin is probably panicking, as many others did when
the exploits were announced; they were mentioned as problems in the file
upload routines.  However, most people don't realize that these exploits
were usable whether file uploading was used or not.

In answer to your question, the file upload system is fairly secure, but
you should never rely on it alone.  When it initially uploads the file, the
file is stored under a temporary name (so there's no way to execute code
with a screwy filename).  And although it shouldn't be an issue regardless,
as long as you remove any fancy characters from the true filename before
you store it in another area (anything not alphanumeric or a .), you
should have no problems whatsoever.

However, as was mentioned before, assuming someone did manage to use the
file upload system, the worst damage one could do to a system would be to
erase/modify files associated with the webserver username (or files with
open permissions).  So really, the worst-case scenario, if your admin has
done his job properly, is that one could manage to erase all the other
PHP-uploaded files if they found an exploit.

Sincerely,

Craig Vincent
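The upload handling the reply describes, written out as an added example (this is not code from the original thread or from PHP itself): PHP parks the upload under a temporary name, the script reduces the client-supplied name to alphanumerics and dots, and only then moves the file somewhere permanent. The field name `userfile`, the directory `/var/uploads` and the extension whitelist are assumptions for illustration. The example also adds two checks the post's character rule alone does not give you: a name made only of alphanumerics and dots can still be `..` or carry a second extension, so it rejects those, and it uses `is_uploaded_file()`/`move_uploaded_file()` so the script can only ever move the temp file PHP created for this request.

```php
<?php
// Added example (not from the original post). Assumes PHP 4.1+ ($_FILES),
// a form field named "userfile", and an upload directory that the web
// server user can write to but that is NOT served by the web server.
define('UPLOAD_DIR', '/var/uploads');

// Extensions this application is willing to keep (assumption: my own
// hardening on top of the post's character rule).
$allowed_ext = array('jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt');

/**
 * Reduce a client-supplied filename to letters, digits and '.', as the
 * reply recommends, then reject anything that could still be mistaken
 * for a path component or carry a second extension.
 * Returns the cleaned name, or false if the name is unusable.
 */
function sanitize_filename($name, array $allowed_ext)
{
    // Drop any directory part the client may have sent ("../../x").
    $name = basename($name);

    // Keep only alphanumerics and dots, exactly as the reply suggests.
    $name = preg_replace('/[^A-Za-z0-9.]/', '', $name);

    // "..", "...." and leading/trailing dots survive the rule above;
    // collapse dot runs and trim so the result is never "." or "..".
    $name = preg_replace('/\.{2,}/', '.', $name);
    $name = trim($name, '.');
    if ($name === '') {
        return false;
    }

    // Allow exactly one dot: "shell.php.txt" is refused outright rather
    // than relying on which extension the web server honours.
    if (substr_count($name, '.') !== 1) {
        return false;
    }
    $ext = strtolower(substr($name, strrpos($name, '.') + 1));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;
    }
    return $name;
}

/**
 * Move one entry of $_FILES from PHP's temporary location into UPLOAD_DIR.
 * Returns the final path, or false with a reason left in $error.
 */
function store_upload(array $file, array $allowed_ext, &$error)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $error = 'upload failed or no file sent';
        return false;
    }
    // The temp name is PHP's own; this confirms tmp_name really is that
    // temp file and not a path an attacker managed to supply.
    if (!is_uploaded_file($file['tmp_name'])) {
        $error = 'not an uploaded file';
        return false;
    }
    $name = sanitize_filename($file['name'], $allowed_ext);
    if ($name === false) {
        $error = 'unacceptable filename';
        return false;
    }
    // Refuse to clobber an existing upload instead of silently replacing it.
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest)) {
        $error = 'a file with that name already exists';
        return false;
    }
    // move_uploaded_file() repeats the is_uploaded_file() check internally;
    // any temp file not moved is deleted by PHP at the end of the request.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $error = 'could not move file';
        return false;
    }
    // Stored file is readable only by the web server user and never
    // executable, so a stray upload cannot become a script.
    chmod($dest, 0600);
    return $dest;
}

// Form handler (assumes <input type="file" name="userfile"> in the form).
if (isset($_FILES['userfile'])) {
    $err  = '';
    $path = store_upload($_FILES['userfile'], $allowed_ext, $err);
    if ($path === false) {
        header('HTTP/1.0 400 Bad Request');
        echo 'Upload rejected: ' . htmlspecialchars($err);
    } else {
        echo 'Stored ' . htmlspecialchars(basename($path));
    }
}
```

Keeping the directory outside the document root is what turns a bad upload into the outcome the reply describes (at worst, other uploaded files get clobbered) rather than remote code execution: a file the web server never serves cannot be executed by requesting it, whatever its name.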



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
