Re: [cobalt-users] HACK !! - PHP HTTP File Editor
- Subject: Re: [cobalt-users] HACK !! - PHP HTTP File Editor
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Sat Jan 18 16:58:04 2003
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"Steven Depuydt - www.BeNe.WS" wrote:
> I downloaded this little PHP script from the following location:
> http://www.gintonyx.de/php_html_editor.html
>
> With this script it's possible that ANY user of your server with FTP-access
> (to copy the PHP-files to your server), can BROWSE & READ the COMPLETE
> directory structure of your server with his browser!!
Old news. Programs that allow this sort of access have been out for some
time now.
> So it's possible to VIEW/READ EVERY FILE on the server. Even the files that
> are not owned by that user!!
php_html_editor obeys all system owners/rights/permissions.
> So it's possible to view the passwords & logins of the MySQL databases in
> PHP-files.
Yes, because they're not protected.
> That user can hack your database and who knows what else he can find on your
> server.
Yes, definitely a security issue.
> What can we do against this?
Not allow php access, not allow ftp access, unplug the ethernet cable,
turn off the computer.
I'm not trying to make light of the issue, only pointing out that yes,
there are always tradeoffs. PHP is a very powerful system, and can be
misused in the wrong hands.
php_html_editor and other programs allow you the same rights as a local
user. Certainly you do lock your machine against misuse by local users,
right?
Be sure your terms of service disallow any attempts at "trespassing"
(I'll let someone else figure out the right word).
Jeff
--
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA 92517 US
Internet & Unix/Linux/Sun/Cobalt Consulting +1 909 778-9980
Our jblists address used on lists is for list email only
To contact us offlist: "http://www.nobaloney.net/contactus.html"
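The exposure the thread turns on is files that are "not protected": anything readable by other local users (and so by a PHP script running with those rights) can be browsed. As an added example that is not part of the thread and not from either poster, the POSIX shell functions below audit a document root for regular files whose mode grants read to "other", report the count, and apply the minimal remediation (drop the other-read bit). The directory layout, file names and the placeholder password string are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the cobalt-users thread): find files under a
# document root that any other local user can read, then tighten them.
# Everything below the function definitions is a constructed demo.

# List every regular file under $1 whose mode includes "other read" (o+r).
# -perm -004 is POSIX and matches when the 0004 bit is set.
find_world_readable() {
    find "$1" -type f -perm -004 -print | sort
}

# Number of such files, as a plain integer for summaries and checks.
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Minimal remediation: remove the other-read bit from every matching file.
# Owner and group bits are left untouched.
fix_world_readable() {
    find "$1" -type f -perm -004 -exec chmod o-r {} +
}

# Constructed demo tree in a temporary directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/site/includes"
# A config file with a placeholder credential (constructed, not real).
printf '<?php $db_pass = "PLACEHOLDER-NOT-A-REAL-PASSWORD";\n' \
    > "$demo_root/site/includes/config.php"
printf '<?php echo "hello";\n' > "$demo_root/site/index.php"
chmod 644 "$demo_root/site/includes/config.php"   # world-readable: exposed
chmod 640 "$demo_root/site/index.php"             # owner+group only

echo "Before: $(count_world_readable "$demo_root") world-readable file(s)"
find_world_readable "$demo_root"
fix_world_readable "$demo_root"
echo "After:  $(count_world_readable "$demo_root") world-readable file(s)"

rm -rf "$demo_root"
```

Run it against a real document root by calling `find_world_readable /path/to/docroot` first and reviewing the list before applying `fix_world_readable`; on a host where PHP runs as one shared web-server user, removing the other-read bit only helps if that user is not also the one every site's scripts run as, so the audit is a starting point for checking which account reads which files, not a complete fix.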