Re: [cobalt-users] All folders visible on whole server
- Subject: Re: [cobalt-users] All folders visible on whole server
- From: "Michael D. Schleif" <mds-resource@xxxxxxxxxxxx>
- Date: Fri Dec 8 14:52:36 2000
- Organization: mds resource
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
WebWorkshop wrote:
>
> There shouldn't be a big hoopla over this particular script ("...the most
> dangerous CGI script I have ever seen!!!")--anyone with a passing knowledge
> of Perl or PHP can browse anything on your server. Here's a little PHP
> script which I threw together in about two minutes that will print out the
> contents of your /etc folder, then print out your passwd file for good
> measure. Run this from any virtual host that has PHP enabled:
>
> <?php
> // List every entry in /etc, one per line.
> $my_dir = opendir("/etc");
> // Compare against false explicitly: a plain truth test would stop the
> // loop early on an entry named "0".
> while (($file = readdir($my_dir)) !== false) {
>     print "$file<br>";
> }
> closedir($my_dir);
> // include() on a file that contains no PHP tags just emits it verbatim.
> print "<p><b>Here's your passwd file:</b><br>";
> include("/etc/passwd");
> ?>
>
> Besides disabling server-side scripting languages for all accounts on the
> server, does anyone know a setting in Apache that will prevent a script like
> this from being run (or better yet, allowing it to run but limiting the
> access to the script owner's web directory)? Using a script like this you
> can browse any directory (even if it's password protected with .htaccess)
> and view any file on the server.
Actually, you *cannot* view, write nor execute a file owned by root and
mode 0700 . . .
--
Best Regards,
mds
mds resource
888.250.3987
"Dare to fix things before they break . . . "
"Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . . "
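As an added example, not part of either message in this thread: the Apache-side setting the quoted question asks about is PHP's open_basedir directive, set per virtual host with php_admin_value so the site's own scripts cannot loosen it. The hostname and directory layout below are placeholders, not values from the thread.

```apache
# Added example, not from the thread. Hostname and paths are placeholders.
<VirtualHost *:80>
    ServerName www.example-site.test
    DocumentRoot /home/sites/site1/web

    # Confine PHP file operations (fopen, opendir, include, ...) to this
    # site's own tree plus a scratch directory. Entries are colon-separated.
    # php_admin_value cannot be overridden from .htaccess or ini_set(),
    # unlike php_value.
    php_admin_value open_basedir "/home/sites/site1/web:/tmp"
</VirtualHost>
```

With this in place, the quoted script's opendir("/etc") and include("/etc/passwd") fail with an open_basedir restriction warning instead of listing the directory. Two caveats: open_basedir is enforced by the PHP engine itself, not by the kernel, so it governs only what PHP does and says nothing about Perl or any other CGI language the question mentions, and it does not change the fact that every site's scripts still run as the same web-server user. Filesystem permissions, as the reply points out, are the stronger boundary: a root-owned mode 0700 file is unreadable whatever the script asks for. Note that /etc/passwd is world-readable by design on Unix, so permissions alone do not cover that particular file; per-site isolation ultimately means running each site's scripts as a distinct user (for CGI, Apache's suexec does this).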