[snip]
I just published a free article on my Web site about shared hosting:

http://shiflett.org/articles/security-corner-mar2004

In short, what you've found is typical for most shared hosts, and safe_mode (a directive created to help mitigate this problem a bit) does little to help. However, there are some things you can do as a developer, and I give some specific examples.
[/snip]

Hi, Chris.

Thanks for that link. It was incredibly informative. I just took your code for the file browser and it was able to read the information in all users' webroots and all other directories and files readable by nobody:nobody, including database passwords, .htaccess files (which contained paths to password and group files), etc. There was no /etc/passwd file, but this is irrelevant as I was simply able to browse the /virtual directory to see a list of all users' home directories, and from there their webroots, etc.

I guess it is an inevitable fact that if you are on a shared host, any script executed from the browser is capable of reading any other script on the server which is set to be readable by the web server. I usually store all my files with sensitive information and class files outside the webroot, but under this setup, anyone could simply read the contents of the files in the webroot and use the information in those files to then read the files which are stored outside of the webroot.

Unfortunately I don't have access to my server config file (a 'find' command for httpd.conf returned no results), so is this something a host would usually change for individual users? Also, safe_mode is not enabled on this host, so while I assume that I could enable it using .htaccess for my site, that still would not prevent anyone else from reading my scripts since their scripts would not be running in safe mode, right?

Thoughts?

Cheers and TIA,
Pablo.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
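
An audit sketch for the exposure described in the message above, added here as an illustration (it is not code from the thread or from the linked article): it walks your own account tree and lists the files a process running as the shared web server user could open by name. The directory layout, file names and the web server uid/gid are constructed assumptions.

```python
import os
import tempfile

def allows(st, uid, gids, bit):
    """Unix mode-bit check (bit: 4=read, 1=search); ACLs and root are ignored."""
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # "other" class
    return bool((st.st_mode >> shift) & bit)

def audit(root, uid, gids):
    """List files under root that a process running as uid/gids could open by name."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Opening a known path needs search (x) on every directory on the way,
        # not read (r): a path leaked from a readable config file is enough.
        if not allows(os.stat(dirpath), uid, gids, 1):
            dirnames[:] = []   # nothing below this directory is reachable
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if allows(os.stat(path), uid, gids, 4):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)

def demo():
    """Constructed account layout; names and modes are illustrative only."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    layout = [  # (directory, dir mode, file, file mode)
        ("webroot", 0o755, "index.php", 0o644),
        ("private", 0o711, "db.inc", 0o644),      # outside webroot, still exposed
        ("private", 0o711, "secret.inc", 0o600),  # owner-only file
        ("locked", 0o700, "db.inc", 0o644),       # parent not searchable
    ]
    for d, dmode, f, fmode in layout:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), dmode)
        path = os.path.join(root, d, f)
        open(path, "w").close()
        os.chmod(path, fmode)
    # Assumed web server identity: any uid/gid that is not the account owner's.
    web_uid = os.getuid() + 1
    web_gid = max(os.getgid(), os.stat(root).st_gid) + 1
    return audit(root, web_uid, {web_gid})

if __name__ == "__main__":
    print(demo())
```

Where PHP runs as the shared web server user, every file your own scripts load has to appear in this list, which is the situation the message describes: moving a file outside the webroot changes its URL exposure, not its filesystem exposure.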