Re: [cobalt-users] PHP Directory Listing Security Issue...
- Subject: Re: [cobalt-users] PHP Directory Listing Security Issue...
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Tue Mar 26 09:49:11 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Kai" <go@xxxxxxxxxxxx> wrote:
> This leaves PHP practically useless for file handling, and explode is an
> important function that I would rather not remove.
Maybe I misread what Nicolae was asking about. I was just explaining how to
block access to specific PHP functions from within php.ini. I never said
that it was a good idea to block opendir() and explode(). ;-)
> It doesn't matter. I just thought Linux might support something like this.
If a file's world-readable, any script owned by anyone can read it. And to
be accessible by Apache a file must be world-readable (not entirely true,
but for the sake of argument here let's assume it is). If you want to
tighten the security on PHP so users can't access files outside of their
site, there are mechanisms to do so. A few of us, me included, have pointed
readers in the right direction in threads on this list and cobalt-security
over the last day or so. There's no magic solution involving the Linux OS
and any solution you put in place will have no effect on scripts in other
languages like Python, Perl, C, etc. This topic is nothing new. It's
always been this way. Good luck.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
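
As an added example (not part of the original message or thread), the following audit lists the files under a web root that another local account's script could read, going by permission bits alone. The function name `world_readable_files` and the sample paths are hypothetical; the check assumes plain Unix mode bits (no ACLs) and does not inspect directories above the given root.

```python
import os
import stat


def world_readable_files(root):
    """Return sorted paths (relative to root) of regular files that any local
    account could read: the file has o+r and every directory from root down
    to the file has o+x (search permission). Mode bits only; ACLs ignored."""
    root = os.path.abspath(root)
    exposed = []
    # If "other" cannot traverse the root itself, nothing below is reachable.
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return exposed
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune subdirectories that "other" cannot traverse; a world-readable
        # file behind such a directory is not actually reachable.
        dirnames[:] = [
            d for d in dirnames
            if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH
        ]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/sites   (path is supplied by the operator)
    for rel in world_readable_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel)
```

Anything the audit reports is readable by a script in any language, which is why PHP-level restrictions alone do not close the gap.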