
RE: [cobalt-users] Major security issue - PHP



PHP will run as the apache user, so in order for apache to access files, PHP
can also. I think you have to run PHP as a cgi and in safe mode.

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Gerald Waugh
Sent: Thursday, May 03, 2001 9:04 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Major security issue - PHP


> > It should not be able to have write access to site2 files (or
> > delete them). It may read and execute them though. Do ls -l
> > /home/sites/site2/web and see for yourself:
> Okay, I did this:
> ls -l /home/sites/site2/web/index.shtml
> and it came back with this:
> -rw-rw-r--   1 admin    site2        6117 Mar 28 16:08 /home/sites/site2/web/index.shtml
> But yes, it just allowed site3 to make changes to site2 with no error
> messages, permissions problems or requests for passwords right from
> their PHP script.

Do both of the sites have owner "admin"?
If so, then the owner can use both sites as he likes.
Gerald
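
An audit for the situation discussed in this thread, added here as an example and not part of any poster's message: it lists the paths under a site's web root that a given account (for instance the one Apache and PHP run as) can write to or delete from, judged from the owner/group/other bits that `ls -l` shows. The function names are hypothetical, `stat -c` assumes GNU coreutils, and ACLs and root's override are ignored.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not from the thread).
# Classic Unix permission check only: POSIX ACLs and root's override are ignored.

# can_write MODE OWNER GROUP USER "GROUPS"
# MODE is octal (e.g. 664); GROUPS is a space-separated list of USER's groups.
# Names or numeric ids both work as long as they are used consistently.
can_write() {
    cw_mode=$1 cw_owner=$2 cw_group=$3 cw_user=$4 cw_groups=$5
    case $cw_mode in ?) cw_mode=00$cw_mode ;; ??) cw_mode=0$cw_mode ;; esac
    cw_bits=${cw_mode#"${cw_mode%???}"}     # last three digits: owner, group, other
    if [ "$cw_user" = "$cw_owner" ]; then
        cw_digit=${cw_bits%??}              # the owner is judged by the owner bits only
    else
        cw_digit=${cw_bits#??}              # default: the "other" bits
        for cw_g in $cw_groups; do
            if [ "$cw_g" = "$cw_group" ]; then
                cw_digit=${cw_bits#?}       # group member: the group bits apply instead
                cw_digit=${cw_digit%?}
                break
            fi
        done
    fi
    case $cw_digit in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# audit_tree DIR UID "GIDS"
# Print every path under DIR that the account can write. Directories are included
# because write access to a directory allows deleting the files inside it.
# Uses numeric ids; symlinks are skipped; names containing newlines are not handled.
audit_tree() {
    find "$1" ! -type l -exec stat -c '%a %u %g %n' {} + |
    while read -r at_mode at_uid at_gid at_path; do
        if can_write "$at_mode" "$at_uid" "$at_gid" "$2" "$3"; then
            printf '%s\n' "$at_path"
        fi
    done
}
```

Call it as `audit_tree /home/sites/site2/web "$(id -u httpd)" "$(id -G httpd)"`, where `httpd` is an assumed name standing for whatever account the web server runs as.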
