PhpSecInfo Test Information


Test Description

Checks whether the current upload_tmp_dir is a world-readable or world-writable directory, and whether it matches the common UNIX system temp directory.

Security Implications

upload_tmp_dir specifies where uploaded files are saved until the handling script moves them to a more permanent location. If this directory is within the document root of the web site and/or accessible to system users other than PHP's user, an uploaded file could be modified or overwritten while PHP is still processing it. By default upload_tmp_dir is the system's standard temporary directory, which can typically be accessed by all system users.


Set upload_tmp_dir to a folder that is:

  • outside the document root of your web site
  • not readable or writable by any other system users
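A small POSIX shell audit, added here as an example and not part of PhpSecInfo, that checks whether a candidate directory satisfies these criteria: it reports group/other read or write bits, use of the shared system temp directory, and (optional DOCROOT argument, an assumption of this example) placement inside the document root.

```shell
#!/bin/sh
# Audit a candidate upload_tmp_dir the way the PhpSecInfo test does:
# report if it is readable or writable by group/others, if it is the
# shared system temp directory, or (optionally) if it lies inside the
# document root. Returns 0 when clean, 1 when there are findings.
# Usage: check_upload_tmp_dir DIR [DOCROOT]
check_upload_tmp_dir() {
    dir=${1%/}                 # strip a trailing slash for comparisons
    docroot=${2:-}
    docroot=${docroot%/}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # Permission string, e.g. drwxrwxrwt; cols 5-7 = group, 8-10 = others.
    mode=$(ls -ld "$dir" | cut -c1-10)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)

    case "$group$other" in *r*) echo "FAIL: $dir is readable by other users ($mode)"; findings=1;; esac
    case "$group$other" in *w*) echo "FAIL: $dir is writable by other users ($mode)"; findings=1;; esac

    # The system temp dir (typically /tmp, or $TMPDIR) is shared by all users.
    systmp=${TMPDIR:-/tmp}
    systmp=${systmp%/}
    if [ "$dir" = "$systmp" ] || [ "$dir" = /tmp ]; then
        echo "FAIL: $dir is the shared system temp directory"
        findings=1
    fi

    # Optional: an upload dir inside the document root may be web-reachable.
    if [ -n "$docroot" ]; then
        case "$dir/" in "$docroot"/*)
            echo "FAIL: $dir is inside the document root $docroot"
            findings=1;;
        esac
    fi

    [ "$findings" -eq 0 ] && echo "OK: $dir"
    return "$findings"
}

if [ $# -gt 0 ]; then
    check_upload_tmp_dir "$@"
fi
```

Run it against the value of `upload_tmp_dir` from `php -i` (or phpinfo()) on the server; a non-zero exit means the directory does not meet the criteria above.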

You can set upload_tmp_dir in the php.ini file:

; Set upload_tmp_dir to a safe location: a directory outside the
; document root, readable and writable only by the PHP user
upload_tmp_dir = /var/www/

The setting can also be applied in Apache's httpd.conf file, or an .htaccess file:

# Set upload_tmp_dir to a safe location
php_value    upload_tmp_dir    /var/www/

More Information

