Re: [cobalt-users] [Raq4] Directory Listing Exploit found.
- Subject: Re: [cobalt-users] [Raq4] Directory Listing Exploit found.
- From: Nico Meijer <nico.meijer@xxxxxxxxx>
- Date: Mon Mar 25 08:54:49 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi Kai,
> Simple as that.
I hope for you it is.
> I'm in the process of developing my AUP and
> hosting contract etc.
Good call.
> The php info thing is fine. I mean, that simply displays what they can and
> can't do... but they can still do it.
I have phpinfo() disabled. I do not allow my clients or any other person to know what version of Apache I'm running, whether I'm running *nix, or whatever. If clients need to know, I tell 'em. They're on a "need to know basis" only. Geez, I sound like the military. ;-P
> I really need PHP to follow the
> "Options -Indexes" expression. Otherwise my customers' data is publicly
> available.
Sorry, dunno if this can be done.
> Try it.
No thank you. ;-)
Seriously, I'll try it on a testbox.
> Hopefully now that i've posted it someone will come up with a way of
> protecting us.
For the time, you could disable readdir, opendir and closedir (or either one of those) if none of your clients use it legitimately. Then test it again. Your connection should hang.
Good luck... Nico
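An added example, not part of Nico's message or anything shipped with the RaQ: the mechanism behind the thread is that "Options -Indexes" only switches off Apache's own autoindex module, while a PHP script that calls opendir()/readdir() on the document root reads the directory itself and prints the names, so Apache never gets a say. The only server-side switch that covers this is the php.ini directive disable_functions (and disable_classes for PHP's object-based directory readers), which cannot be overridden per site from .htaccess. The script below audits a php.ini for that. The three functions Nico names are from the thread; scandir, glob, dir(), the DirectoryIterator classes and the exec family (which can list a directory just as well with "ls") are my additions for later PHP releases, and the two sample php.ini files, the paths in them and the /home/sites/ docroot are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the cobalt-users thread: audit a php.ini for the
# ways a PHP script can enumerate a directory despite "Options -Indexes".

# Directory readers: opendir/readdir/closedir are the ones named in the
# thread; scandir, glob and dir() are later PHP additions (assumption about
# the PHP release in use) that return the same listing.
DIR_FUNCS="opendir readdir closedir scandir glob dir"
# Command execution: exec("ls -la") lists a directory too, so a hardened
# host disables these as well unless a client legitimately needs them.
EXEC_FUNCS="exec system passthru shell_exec popen proc_open"

# Effective value of an ini directive: last uncommented assignment wins,
# which matches how PHP reads php.ini. Empty output if the directive is unset.
ini_value() {
    # $1 = ini file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print every function from the two lists that disable_functions does NOT
# cover, one per line; prints nothing when the file is fully hardened.
missing_funcs() {
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    for f in $DIR_FUNCS $EXEC_FUNCS; do
        found=0
        for d in $disabled; do
            if [ "$d" = "$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$f"; fi
    done
}

# Verdict for one php.ini: returns 0 when hardened, 1 when a script on this
# host can still produce a directory listing. Reasons go to stdout.
audit_php_ini() {
    rc=0
    missing=$(missing_funcs "$1" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "$1: still callable from PHP: $missing"
        rc=1
    fi
    # disable_functions only covers functions; the SPL iterator classes
    # (PHP 5+) need disable_classes.
    if ! ini_value "$1" disable_classes | grep -qi DirectoryIterator; then
        echo "$1: DirectoryIterator classes not disabled"
        rc=1
    fi
    # open_basedir does not stop listing inside the docroot, but it keeps a
    # client's script from walking into other clients' trees.
    if [ -z "$(ini_value "$1" open_basedir)" ]; then
        echo "$1: open_basedir not set, scripts can read outside their docroot"
        rc=1
    fi
    return $rc
}

# Constructed sample files: a stock-style php.ini with nothing disabled and
# a hardened one. Paths and values are made up for this example.
TMPD=$(mktemp -d)
WEAK_INI="$TMPD/php-weak.ini"
HARD_INI="$TMPD/php-hardened.ini"
cat > "$WEAK_INI" <<'EOF'
; constructed sample: defaults, directory reads are unrestricted
safe_mode = Off
; disable_functions = opendir,readdir
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample: hardened for a multi-client box
safe_mode = Off
disable_functions = opendir,readdir,closedir,scandir,glob,dir, exec, system, passthru, shell_exec, popen, proc_open
disable_classes = DirectoryIterator,RecursiveDirectoryIterator,FilesystemIterator
open_basedir = /home/sites/
EOF

for ini in "$WEAK_INI" "$HARD_INI"; do
    if audit_php_ini "$ini"; then echo "$ini: hardened"; fi
done
```

Disabling these functions breaks any client script that legitimately walks its own upload directory, which is the trade-off Nico points at; the alternative that does not depend on PHP settings is keeping each client's files unreadable to the web server account that runs other clients' scripts, which the RaQ's shared httpd user does not give you.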