
RE: [cobalt-users] [Raq4] Directory Listing Exploit found.



I don't have an AUP as such... Conversely there is no contract so I may do
as I please. If they decided to take me to court I'd counter-sue for breach
of privacy. Simple as that. I'm in the process of developing my AUP and
hosting contract etc.

The php info thing is fine. I mean, that simply displays what they can and
can't do... but they can still do it. I really need PHP to follow the
"Options -Indexes" expression. Otherwise my customers' data is publicly
available.

The script I am referring to is located here:
http://www.pseudo-hosting.com/uploaded/dir.phps
Try it. Hopefully now that I've posted it someone will come up with a way of
protecting us.

Regards,

Kai

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Nico Meijer
Sent: Monday, 25 March 2002 10:50 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] [Raq4] Directory Listing Exploit found.


Hi,

> What I want is to NOT let this script run.

php.ini makes it easy to disallow execution of certain functions. For
example, you can block usage of phpinfo() to offer some protection. Maybe
that would offer some relief?

> It lists every directory on the
> RaQ and *ANYONE* can run it.

Only a customer can install it. Customers are easily kicked off of machines
if necessary. You do have an AUP?

Good luck... Nico
