Newsgroups: php.internals
Message-ID: <059101bffadb$28a33670$1400000a@fatcuban>
Date: Mon, 31 Jul 2000 11:35:46 +0100
Subject: upload compromises
From: root@fatcuban.com ("skate")

i know i probably shouldn't be posting this in here, but i'm not sure where else to do so. so please forgive me if this is the wrong place.

basically in PHP 5 is there going to be a php.ini directive to control uploads? so for instance an ISP can restrict uploading of certain files, or only allow others. This would obviously help greatly in protecting against upload compromises, and also against any other kind of upload attacks (DoS). I'm also wondering if there's a way to get uploading executables turned off on a default install. it seems that there are a lot of new users, or just users wanting to get started quickly, that overlook the upload issues. I see it quite a lot in both the PHP lists and the security focus lists.

PHP has recently gotten a bad name for itself with this type of compromise and it's an all too common problem that, despite the warnings, still crops up regularly. making a change like this could help to not only improve security, but also the bad publicity that PHP has received over this.

anyway, my 2 cents, sorry again if this is in the wrong place...

-skate-