On 27/04/2011 21:30, JK4 wrote:
> The only writeable directory is *<installdir>/temp*, which is 770 and root:www-data.
The attack you are mainly worried about is that if the /temp dir can be reached via some real URL, then the user contrives to make your application create some temp file called abc.php or abc.ssi or .pl or .lua or something else that your www-server will "execute" when the user visits that file directly.
This is usually more of a problem for nginx than Apache users (with Apache you can toss a .htaccess into temp which disables PHP in that dir). With nginx, many of the suggested configs cause any URL of the form *.php to be passed to the PHP interpreter (note I said URL, not real file) - with a bit of lateral thinking you can often contrive ways to make the PHP interpreter execute some interesting file based on the input URL... (e.g. create some directory called abc.php and observe what certain PHP configs will do when asked to exec it...)
Basically the rule is never to allow a direct path through to any asset which has been created from some untrusted source, i.e. any upload/temp file should never be directly accessible via a URL (at least until you have sanitised it in some appropriate way). The simplest way to achieve this is to move any upload dirs out of the htdocs path...
List info: http://lists.roundcube.net/users/
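As an added example (not from the thread or from the Roundcube project), the nginx pattern the post warns about beside a hardened form that keeps the temp tree unreachable and only hands real files to PHP. The document root, host name and PHP-FPM socket path are assumed.

```nginx
server {
    listen 80;
    server_name mail.example.test;            # assumed host name
    root /var/www/roundcube;                  # assumed: <installdir> is also the document root
    index index.php;

    # Weak pattern seen in many copy-pasted configs: every URI that ends in
    # .php is sent to the interpreter whether or not it maps to a real script,
    # so a URI under /temp/, or a directory named abc.php, still reaches PHP.
    #
    # location ~ \.php$ {
    #     fastcgi_pass unix:/run/php/php-fpm.sock;
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # }

    # Hardened form.
    # 1. Cut off the upload/temp tree before any regex location can see it.
    #    '^~' makes this prefix match final, so the \.php$ block below never
    #    applies to a URI under /temp/.  Moving the directory out of the
    #    document root, as the post recommends, makes this block unnecessary.
    location ^~ /temp/ {
        deny all;
    }

    # 2. Only pass the interpreter a URI that maps to an existing regular
    #    file; a missing path or a directory ending in .php returns 404.
    #    On the PHP side, cgi.fix_pathinfo=0 in php.ini and the default
    #    security.limit_extensions=.php in the FPM pool stop the interpreter
    #    from guessing a script from a path that is not one.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the result with `nginx -t` and then confirm that a request for a file under /temp/ returns 403 rather than its contents.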