[cobalt-security] php security..
- Subject: [cobalt-security] php security..
- From: "Kai Schantz, Euroweb" <kai@xxxxxxxxxx>
- Date: Sat, 30 Jun 2001 05:56:13 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi, everybody
I was surfing one of the better known resource sites on php script when I
came across a script that said that it would make my browser window look like
explorer (file manager) and I could download everything besides root only
files and see the whole server's structure and browse around like I was using a
file manager. All this with installing it in my web dir as normal user and
permissions. And then open the browser and go to the url you installed it as
and open "page.php" AND THAT IT DID!!
And everyone that has the URL to the php page can do the same, surf around
on your server and download.
The browser window you get when installing this php-script as a normal user
inside your web dir is like using a very fast ftp or file manager. The user
gets permission to browse all the server dir/maps except the root folder.
Actually I liked it because I got a very good understanding where everything
was placed and could download everything others had on their sites. But this
I don't want my users to be able to do!!
I see it as a security hole.
Think of what your competitors can do.. Download all your customers' files
with their scripts and their complete web solution.. and not nice for our
customers to know that everybody can download your complete site even files
that are not linked to, and their scripts.
I made a webpage where I have posted some screen shots taken when I use this
php page.
www.webdomene.com/phpsec
If somebody wants the script with the purpose to find a solution on how
to prevent this and similar scripts from being used, I'd be happy to send it to
them.
Best regards..
Kai Schantz
Euroweb AS