PhpSecInfo Test Information
upload_tmp_dir
Test Description
Checks whether the current upload_tmp_dir is a world-readable or world-writable directory, and whether it is the shared UNIX system temporary directory (typically /tmp).
Security Implications
upload_tmp_dir specifies where uploaded files are stored until the handling script moves them (for example with move_uploaded_file()) to a permanent location. If this directory is inside the document root of the web site, a temporary upload may be requested over the web before the script has validated it; if it is accessible to system users other than the one PHP runs as, the file could be read, modified or overwritten between the time PHP writes it and the time the script processes it. By default upload_tmp_dir is empty, so PHP falls back to the system's standard temporary directory, which can typically be accessed by all system users.
Recommendations
Set upload_tmp_dir to a directory that is:
- outside the document root of your web site
- owned by the user PHP runs as and writable only by that user (mode 0700)
- not readable or writable by any other system users
The directory must exist and be writable by PHP's user; otherwise uploads fail with UPLOAD_ERR_NO_TMP_DIR or UPLOAD_ERR_CANT_WRITE in $_FILES.
You can set upload_tmp_dir in the php.ini file:
; Set upload_tmp_dir to a safe location
upload_tmp_dir = /var/www/foo.bar/sessions
The setting can also be applied in Apache's httpd.conf file when PHP runs as mod_php. Note that upload_tmp_dir is a PHP_INI_SYSTEM directive, so it cannot be set from an .htaccess file or with ini_set() at runtime; use php.ini, the main server or virtual host configuration, or (for PHP-FPM) the pool configuration instead:
# Set upload_tmp_dir to a safe location
php_value upload_tmp_dir /var/www/foo.bar/sessions
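The following POSIX shell helper, added here as an example and not part of PhpSecInfo, creates a private upload directory and checks it the way the test above does: it rejects the shared system temp directory and any directory whose group or other permission bits allow reading or writing. The directory path, the owner name and the list of system temp directories are assumptions for illustration; adjust them to the user PHP actually runs as (www-data, apache, php-fpm pool user) on your host.

```shell
#!/bin/sh
# Example helper (not PhpSecInfo code): create and verify a private
# upload_tmp_dir. Assumes a Linux/UNIX host with POSIX ls, cut, chmod.

# Directories shared by all users; none of these is acceptable. (Assumed list.)
SYSTEM_TMP_DIRS="/tmp /var/tmp /usr/tmp"

# perm_bits DIR -> prints the group+other permission characters of DIR,
# e.g. "------" for mode 0700 or "r-xr-x" for mode 0755.
perm_bits() {
    ls -ld "$1" | cut -c5-10
}

# upload_tmp_dir_check DIR
# Returns 0 when DIR is a directory, is not a shared system temp directory,
# and is neither readable nor writable by group or other users.
upload_tmp_dir_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "upload_tmp_dir missing or not a directory: $dir"
        return 1
    fi
    for t in $SYSTEM_TMP_DIRS; do
        if [ "$dir" = "$t" ]; then
            echo "upload_tmp_dir is the shared system temp directory: $dir"
            return 1
        fi
    done
    bits=$(perm_bits "$dir")
    case $bits in
        *r*|*w*)
            echo "upload_tmp_dir readable/writable by other users ($bits): $dir"
            return 1 ;;
    esac
    echo "ok: $dir"
    return 0
}

# upload_tmp_dir_create DIR [OWNER]
# Creates DIR with mode 0700, hands it to OWNER (the PHP user) when running
# as root, then runs the check. Non-root callers get the directory owned by
# themselves, which is enough for a local test.
upload_tmp_dir_create() {
    dir=$1
    owner=$2
    mkdir -p "$dir"
    chmod 0700 "$dir"
    if [ "$(id -u)" -eq 0 ] && [ -n "$owner" ]; then
        chown "$owner" "$dir"
    fi
    upload_tmp_dir_check "$dir"
}

# current_upload_tmp_dir
# Prints the value PHP is actually using (the configured directory, or the
# system default when upload_tmp_dir is empty). Requires the php CLI, and
# the CLI may read a different php.ini than the web SAPI, so compare the
# result with phpinfo() from a web request before trusting it.
current_upload_tmp_dir() {
    php -r 'echo ini_get("upload_tmp_dir") ?: sys_get_temp_dir();'
}

# Usage (hypothetical path and owner):
#   upload_tmp_dir_create /var/www/foo.bar/upload_tmp www-data
#   upload_tmp_dir_check "$(current_upload_tmp_dir)"
```

Run the check against the directory PHP reports, not just the one you intended to configure: a typo in php.ini silently leaves upload_tmp_dir empty, and PHP then falls back to /tmp without any warning.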