Paul Rubin wrote:
> Jeffrey Froman <[EMAIL PROTECTED]> writes:
>> Consider a PHP-based CMS that allows users to upload files. Because the
>> application runs as the webserver user, uploaded files, and the directory
>> where they reside, must be accessible and writable by that user. It is the
>> same user that any other hosting customer on that machine has access to.
>> Thus, any user on the shared host could write a quick CGI script that
>> accesses, adds, removes, or defaces your uploaded content.
>
> That sounds trivial to ameliorate (at least somewhat) by putting your
> uploads in a directory whose name is known only to you (let's say it's
> a random 20-letter string). The parent directory can be protected to
> not allow reading the subdirectory names.

But you have to admit that's "security by obscurity".

regards
 Steve
--
Steve Holden       +1 571 484 6266   +1 800 494 3119
Holden Web LLC/Ltd          http://www.holdenweb.com
Skype: holdenweb      http://del.icio.us/steve.holden
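
The layout described in the quoted reply (a random 20-letter directory under a parent that cannot be listed), as an added example that is not part of either post. The function names and the mode on the upload directory are assumptions made for illustration.

```python
import math
import os
import secrets
import stat
import string
import tempfile

NAME_LEN = 20  # "a random 20-letter string", as in the thread


def random_name(length=NAME_LEN):
    """Lowercase name drawn from the OS CSPRNG (not the random module)."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def name_entropy_bits(length=NAME_LEN, alphabet=26):
    """Bits of entropy in a uniformly random name of this length."""
    return length * math.log2(alphabet)


def make_hidden_upload_dir(parent, upload_mode=0o733):
    """Create parent/<random name> and make parent search-only for non-owners.

    upload_mode is an assumption: the web server user reaches the directory
    as "other" and needs write and search permission there.
    """
    os.makedirs(parent, exist_ok=True)
    os.chmod(parent, 0o711)  # x without r: traverse by known name, no listing
    path = os.path.join(parent, random_name())
    os.mkdir(path)
    os.chmod(path, upload_mode)  # chmod is not filtered by umask, mkdir's mode is
    return path


def listable_by_others(path):
    """True if group or other may read (list) the directory's entries."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sandbox, not a real docroot
        parent = os.path.join(tmp, "uploads")
        secret_dir = make_hidden_upload_dir(parent)
        print("upload dir:", secret_dir)
        print("parent listable by others:", listable_by_others(parent))
        print("name entropy: %.1f bits" % name_entropy_bits())
```

The permission bits only stop other accounts from enumerating the name; any place the full path is written where they can read it (a served URL, a log, a config file) gives it away.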