On Jan 11, 2008 9:33 AM, Bipin Upadhyay <muxical.geek@gmail.com> wrote:
> Lucas Prado Melo wrote:
> > Hello,
> > Some php applications store database passwords into files which can be
> > read by the user www-data.
> Why not keep them out of the web tree and inform the application
> regarding the same. I am sure almost all good applications would provide
> a simple way for doing it.
> > So, a malicious user which can write php scripts could read those passwords.
> > What should I do to prevent users from viewing those passwords?
> I am not sure I understand this. Do you mean the attacker would upload
> scripts and execute them to read th config files? If yes then that's a
> different problem altogether.
Yes, I mean so.