[pmwiki-users] Moving PmWiki session out of /tmp

Joachim Durchholz jo at durchholz.org
Mon Nov 28 02:39:21 CST 2005


Ben Wilson wrote:
> Now to see if somehow the hacker finds access 
> to that directory. :-)

Disallow WWW access to that directory.
I don't know how to do that with IIS (I think it's something with the 
directory's properties), but it's easy in Apache: create a .htaccess 
file with

Order allow,deny
Allow from none
Deny from all

in it and place it in the session directory. Apache will then refuse to 
serve files from the directory.
(PHP accesses the files directly, so it isn't affected by .htaccess.)

I usually put session directories in the installation directory of 
whatever PHP package I install. Placing writable directories in the WWW 
root defies all filesystem standards, but it does have the advantage 
that it shares all the security of the PmWiki installation. We can also 
hope that PHP is written well enough to avoid filename clashes and file 
creation races (placing all temporaries in /tmp tends to make them 
vulnerable to third-party, less-well-written software).

Regards,
Jo
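
An added example, not part of the original message or of PmWiki: a shell check that a session directory has the protections discussed in this thread. The function name audit_session_dir and the finding labels are made up for illustration; it accepts either the "Deny from all" rule above or Apache 2.4's "Require all denied".

```shell
#!/bin/sh
# Added example: audit a PHP session directory (hypothetical helper, not PmWiki code).
# Prints one finding per line; returns 0 when nothing is found, 1 otherwise.
audit_session_dir() {
    dir=$1
    findings=0

    # Shared temp locations are what the thread is moving away from.
    case "$dir" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*)
            echo "SHARED: $dir is under a shared temporary directory"
            findings=1 ;;
    esac

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi

    # Other local users should not be able to read, create or enter the directory.
    if [ -n "$(find "$dir" -prune \( -perm -0004 -o -perm -0002 -o -perm -0001 \))" ]; then
        echo "PERMS: $dir is accessible to other users"
        findings=1
    fi

    # The .htaccess must carry an uncommented deny-all rule (2.2 or 2.4 syntax).
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "HTACCESS: $ht is missing"
        findings=1
    elif ! grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$ht"; then
        echo "HTACCESS: $ht has no deny-all rule"
        findings=1
    fi

    return "$findings"
}
```

A clean result only shows the file is in place; Apache honours it only when AllowOverride permits the directive for that directory, so confirm with an HTTP request to a file in the directory that it returns 403.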



