
[cobalt-users] [Raq4] Directory Listing Exploit found.



Today I caught a user of mine exposing my client list to the world via a PHP
script that uses the opendir() and explode() functions. This is just as bad
as Code Red. I know they can't execute anything. But a directory listing is
just as bad. They can list every directory. I looked at the webpage and
brought up a list of my sites in /home/sites.


I know what you're thinking. "This has been addressed in the archives. You
use: Options -Indexes in the access.conf file".
However... This DOES work for normal directory listing. However... PHP seems
to bypass this. It has its own permissions or something.
So.. How do we make PHP abide by these rules too.. because this script I
have can show you anything ;)

Thanks in advance.

Kai.
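
Added example, not part of the original post: `Options -Indexes` only turns off Apache's own generated listings, while a PHP script reads the filesystem with the web server's permissions, so the usual control is PHP's `open_basedir` set per virtual host. The IP address, hostname and per-site paths below are assumed placeholders, and the directives require PHP loaded as an Apache module.

```apache
# Added example; address, hostname and per-site paths are assumed placeholders.

# Before: -Indexes only disables Apache's auto-generated directory listings.
# A PHP script can still opendir() anything the web server user can read.
<Directory /home/sites>
    Options -Indexes
</Directory>

# After: confine PHP's file functions (opendir, fopen, include, ...) for this
# virtual host to its own tree. A php_admin_value setting cannot be overridden
# from .htaccess or with ini_set() inside a script.
<VirtualHost 192.0.2.10>
    ServerName www.example.com
    DocumentRoot /home/sites/site1/web
    # Keep the trailing slash: without it the value is treated as a prefix,
    # so /home/sites/site1 would also permit /home/sites/site10.
    # /tmp/ is included here on the assumption that uploads and sessions use it.
    php_admin_value open_basedir /home/sites/site1/:/tmp/
</VirtualHost>
```

`open_basedir` restricts PHP only; CGI or Perl scripts are still bounded solely by filesystem permissions on the other sites' directories.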