
RE: [cobalt-users] HACK !! - PHP HTTP File Editor



Hello List

Can someone tell me what I have to do. I only want my users to be able to browse
the files on THEIR domain. I looked in the security section of PHP but I
still don't know what I have to do.

I have to change something in httpd.conf or in php.ini (open_basedir).

Can someone give me some DETAILED instructions for a RAQ3i.

PS: Users must be able to upload files from the /tmp directory.

Thanks,

Steven

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On behalf of Jeff Lasman
Sent: Saturday, 18 January 2003 20:08
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] HACK !! - PHP HTTP File Editor

"Steven Depuydt - www.BeNe.WS" wrote:

> I downloaded this little PHP script from the following location:
> http://www.gintonyx.de/php_html_editor.html
> 
> With this script it's possible that ANY user of your server with FTP-access
> (to copy the PHP-files to your server), can BROWSE & READ the COMPLETE
> directory structure of your server with his browser !!

Old news. Programs that allow this sort of access have been out for some
time now.

> So it's possible to VIEW/READ EVERY FILE on the server. Even the files that
> are not owned by that user !!

php_html_editor obeys all system owners/rights/permissions.

> So it's possible to view the passwords & logins of the MySQL databases in
> PHP-files.

Yes, because they're not protected.

> That user can hack your database and who knows what else he can find on your
> server.

Yes, definitely a security issue.

> What can we do against this ?

Not allow php access, not allow ftp access, unplug the ethernet cable,
turn off the computer.

I'm not trying to make light of the issue, only pointing out that yes,
there are always tradeoffs.  PHP is a very powerful system, and can be
misused in the wrong hands.

php_html_editor and other programs allow you the same rights as a local
user.  Certainly you do lock your machine against misuse by local users,
right?

Be sure your terms of service disallow any attempts at "trespassing"
(I'll let someone else figure out the right word).

Jeff
-- 
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA  92517 US
Internet & Unix/Linux/Sun/Cobalt Consulting +1 909 778-9980
Our jblists address used on lists is for list email only
To contact us offlist: http://www.nobaloney.net/contactus.html

_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 10/01/2003
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 10/01/2003
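As an added illustration of the open_basedir setup Steven asks about (not something posted in this thread), this is a per-site Apache httpd.conf fragment that confines that site's PHP scripts to its own directory while keeping /tmp reachable for uploads. All paths and the hostname are assumed placeholders, not RaQ3i defaults; substitute the real site root and PHP upload directory.

```apache
# Added example, not from the cobalt-users thread: restrict PHP file access
# per virtual host with open_basedir. Paths below are assumed placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /home/sites/site1/web

    # php_admin_value cannot be overridden from .htaccess or ini_set(),
    # unlike php_value, so a user of this site cannot widen the list himself.
    # open_basedir entries are matched as prefixes: "/home/sites/site1" would
    # also match "/home/sites/site10", so end each entry with a slash to make
    # it a directory match. /tmp/ is listed so PHP's upload temp files (and
    # move_uploaded_file on them) still work.
    php_admin_value open_basedir "/home/sites/site1/:/tmp/"

    # Keep the upload temp directory explicit and inside the allowed list.
    php_admin_value upload_tmp_dir "/tmp"
</VirtualHost>
```

open_basedir only constrains PHP's own file functions; it does nothing for FTP logins, shell access or CGI scripts in other languages, so the filesystem ownership and permissions Jeff mentions still have to be right, and a file readable by the web server's user stays readable to any PHP script that runs as it.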