Quote:
Originally Posted by Cyber Fucker
It's all about letting users to upload their image files to this directory but nothing else, only images. That's why I guess 777 is required but 777 is said to be unsafe... and this all confuses me.
|
Ah, ok yeah - I see the problem. Then making the apache user owner of this is not going to make the hole go away. The theory behind this hole is someone could upload something that avoids your "image only" protection script and then can simply call their file (ie malicious script) directly from a web page that will run as the apache user.
As grumpy suggested, protect that 777 directory with a .htaccess file:
Order deny,allow
Deny from all
then noone can access anything uploaded to that directory, yet your scripts can still process them
Or move the entire directory (no links, cos that defeats the purpose) outside the doc root.