On 1/25/2014 6:12 AM, Joseph Hesse wrote: > For my understanding, please tell me what a bad guy would have to do to > exploit apache having read/write permission. A) exploit a bug in PHP or Apache, perhaps known but not yet patched, or totally unknown B) corrupt a database via a SQL Injection Exploit (see http://xkcd.com/327/ ), thence triggering a bug in your PHP code C) take advantage of poorly written php or whatever code that allows a page to be uploaded (such as a photo attachment feature on a blog's comment engine), then manage to invoke and execute that 'picture' which turns out to be evil php code, now running as apache on your system. D) ??? its amazing how resourceful starving 3rd world geeks are when money is put in front of them by mobsters. -- john r pierce 37N 122W somewhere on the middle of the left coast