Re: [cobalt-users] HACK !! - PHP HTTP File Editor
- Subject: Re: [cobalt-users] HACK !! - PHP HTTP File Editor
- From: "Herby K" <mad1.z@xxxxxxx>
- Date: Tue Jan 21 05:56:39 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
From: "Jeff Lasman" <jblists@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Saturday, January 18, 2003 8:08 PM
Subject: Re: [cobalt-users] HACK !! - PHP HTTP File Editor
> "Steven Depuydt - www.BeNe.WS" wrote:
>
> > I downloaded this little PHP script from the following location:
> > http://www.gintonyx.de/php_html_editor.html
> >
> > With this script it's possible that ANY user of your server with
> > FTP-access (to copy the PHP-files to your server), can BROWSE & READ the
> > COMPLETE directory structure of your server with his browser !!
>
> Old news. Programs that allow this sort of access have been out for some
> time now.
>
> > So it's possible to VIEW/READ EVERY FILE on the server. Even the files
> > that are not owned by that user !!
>
> php_html_editor obeys all system owners/rights/permissions.
>
> > So it's possible to view the passwords & logins of the MySQL databases
> > in PHP-files.
>
> Yes, because they're not protected.
>
> > That user can hack your database and who knows what else he can find on
> > your server.
>
> Yes, definitely a security issue.
>
> > What can we do against this ?
>
> Not allow php access, not allow ftp access, unplug the ethernet cable,
> turn off the computer.
>
> Jeff
Or try the following:
ssh to your machine
modify /etc/httpd/conf/access.conf
Search for:
# This should be changed to whatever you set DocumentRoot to.
<Directory /home/sites/>
blablabla
add the following line:
php_admin_value open_basedir /home/sites
</Directory>
Then PHP is restricted to /home/sites and has no rights for / or /etc and so on.
HTH
Herby
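The edit Herby describes, scripted, as an added example that is not part of his message nor anything shipped by Sun Cobalt: it inserts the open_basedir directive into the <Directory /home/sites/> block of a constructed stand-in for access.conf, refuses to add it twice, and checks that it landed in the right block. The sample config, the temporary paths and the helper names are assumptions; on a real box the target is /etc/httpd/conf/access.conf and Apache has to be restarted afterwards for mod_php to pick the directive up.

```shell
#!/bin/sh
# Added example, not from the original message or from Sun Cobalt: apply the
# open_basedir step from the thread to an Apache 1.3-style access.conf and
# verify it. Paths are assumptions; the real target is /etc/httpd/conf/access.conf.
set -eu

# Write a constructed stand-in for access.conf to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# This should be changed to whatever you set DocumentRoot to.
<Directory /home/sites/>
    Options Indexes Includes FollowSymLinks
    AllowOverride All
</Directory>

<Directory /home/httpd/html/>
    AllowOverride None
</Directory>
EOF
}

# has_open_basedir CONF DIR BASE
# Exit 0 if the <Directory DIR> block in CONF already carries
# "php_admin_value open_basedir BASE", 1 otherwise.
has_open_basedir() {
    awk -v dir="$2" -v base="$3" '
        $0 ~ "^[ \t]*<Directory[ \t]+" dir ">" { inblk = 1; next }
        /^[ \t]*<\/Directory>/                 { inblk = 0 }
        inblk && $1 == "php_admin_value" && $2 == "open_basedir" && $3 == base { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# add_open_basedir CONF DIR BASE
# Insert the directive just before the </Directory> that closes the
# <Directory DIR> block, keeping a .bak copy of the original. Does nothing
# if the directive is already there, so re-running is safe.
add_open_basedir() {
    conf=$1; dir=$2; base=$3
    if has_open_basedir "$conf" "$dir" "$base"; then
        return 0
    fi
    cp "$conf" "$conf.bak"
    awk -v dir="$dir" -v base="$base" '
        $0 ~ "^[ \t]*<Directory[ \t]+" dir ">" { inblk = 1 }
        inblk && /^[ \t]*<\/Directory>/ {
            print "    php_admin_value open_basedir " base
            inblk = 0
        }
        { print }
    ' "$conf.bak" > "$conf"
}

# Demo on a constructed copy. For the real file:
#   add_open_basedir /etc/httpd/conf/access.conf /home/sites/ /home/sites/
# then restart Apache so mod_php reloads the directive.
demo=$(mktemp)
make_sample_conf "$demo"
add_open_basedir "$demo" /home/sites/ /home/sites/
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Two points worth knowing when applying this. First, the PHP of that era treated open_basedir as a prefix rather than a directory, so a value of /home/sites would also admit /home/sites2 if it existed; the example passes the value with a trailing slash, which the PHP manual recommends to limit the restriction to that one tree. Second, a base of /home/sites/ still lets a script in one site read another site's PHP files (the MySQL password problem from the original report), because every site's PHP runs as the same web-server user; calling add_open_basedir once per site's own <Directory> block, with that site's directory as both DIR and BASE, fences each site to its own tree. open_basedir is enforced by PHP only: it does nothing for non-PHP CGIs, and the FTP account itself is unaffected. A phpinfo() page served from under /home/sites should show the new open_basedir value after the restart.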