[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] PHP Directory Listing Security Issue...

Subject: [cobalt-users] PHP Directory Listing Security Issue...
From: "Nicolae Popescu Jr." <nicolaep@xxxxxxxxxxxxxxxxxx>
Date: Mon Mar 25 12:04:52 2002
Organization: EnigmaBiz.Com
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

I have PHP Version 4.1.2

I don't have anything in my php.ini with:
opendir() or explode().

When I executed the phpinfo.php I found these variables:

open_basedir	no value	no value 

PS. I don't give SSH access, and also try not to give
mySQL access.

I have phpMyADmin to handle my mySQL stuff, users, tables
and such.

--
EnigmaBiz.com
graphic/print/design


> "Kai" <go@xxxxxxxxxxxx> wrote:
> > Today I caught a user of mine exposing my client list to
> the world via
> > a
> PHP
> > script that uses the opendir() and explode() function. This
> is just as
> > bad as code red. I know they can't execute anything. But a
> directory
> > listing
> is
> > just as bad. They can list every directory. I looked at the webpage 
> > and brought up a list of my sites in /home/sites.
> 
> All of the symbolic links in /home/sites are world-readable. So anyone

> with shell access or any script written in a language which doesn't 
> limit access to certain directories (or alternately disallow access to

> certain
> directories) will be able to access those files.   This is normal.
> 
> > I know what you're thinking. "This has been addressed i the
> archives.
> > You
> > use: Options -Indexes in the access.conf file".
> > However... This DOES work for normal directory listing.
> However... PHP
> seems
> > to bypass this. It has it's own permissions or something.
> 
> -Indexes just makes it so Apache doesn't show the directory listing 
> via an HTTP request.  What you described wasn't an HTTP request.  It 
> was a PHP script using fopen(), executing a system command or 
> something similar.  So that Apache directive has no effect.
> 
> > So.. How do we make PHP abide by these rules too.. because
> this script
> > i have can show u anyting ;)
> 
> You have to tell it what the rules are.  On cobalt-security earlier 
> today, Jan Wildeboer addressed a nearly identical problem posted by 
> someone else. The solution is to use the open_basedir PHP directive.  
> See the following
> URLs:
> 
> http://www.php.net/manual/en/configuration.php#ini.open-basedir
> http://www.php.net/manual/en/security.apache.php
> 
> --
> Steve Werby
> President, Befriend Internet Services LLC http://www.befriend.com/
>

Follow-Ups:
- Re: [cobalt-users] PHP Directory Listing Security Issue...
  - From: Steve Werby

Prev by Date: RE: [cobalt-users] What's is wrong with my DNS? [previous post: domaintransfer -> ping: unknown host]
Next by Date: Re: [cobalt-users] What's is wrong with my DNS? [previous post: domaintransfer -> ping: unknown host]
Previous by thread: [cobalt-users] Active Monitor - severe problem - A disk partition is nearly full
Next by thread: Re: [cobalt-users] PHP Directory Listing Security Issue...

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index