Re: [mantisbt-dev] Fwd: [mantisbt 0007842]: File attachment permissions

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 3/30/07, Victor Boctor <vb...@gm...> wrote:
> In my mind, if someone has access to the file system, then he/she can
> do the following:
>
> 1. Open the config_inc.php and get the database user name / password
> and extract the files from there.
>
> 2. Write up a PHP script and place it on the server which provides a
> link per attachment file and allows the client to download all
> attachments without any authentication.
>
> My point is that if someone has access to the file system, then we are
> already exposed even if we guard the attachments.

Yap, that was my point.

>
> Am I missing something?  I would agree with the configuration option
> approach for default file permission as a compromise.  But we still
> have the issue of what the default value should be.  I typically
> prefer the "secure by default" approach, so I would stick with the
> original value as the default value.

+1
When that is easily configurable, better stay on the safe side with defaults