--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> http://shiflett.org/articles/security-corner-mar2004

[snip]

> Hi, Chris. Thanks for that link. It was incredibly informative.

I'm glad you thought so. :-)

> I just took your code for the file browser and it was able to
> read the information in all users' webroots and all other
> directories and files readable by nobody:nobody, including
> database passwords, .htaccess files (which contained paths to
> password and group files), etc.

Right, and this isn't unusual. What I should probably do is write one of
these simple filesystem browsers in various shells, Perl, and any other
type of interpreter commonly available on shared hosts. This might better
illustrate that things like safe_mode are no solution.

> I guess it is an inevitable fact that if you are on a shared
> host, any script executed from the browser is capable of
> reading any other script on the server which is set to be
> readable by the web server.

Yep, it sounds like you understand the problem quite well. What some
people miss is the fact that the contents of a file have nothing to do
with filesystem privileges and such. The fact that one file has PHP code
in it is irrelevant.

> I usually store all my files with sensitive information and
> class files outside the webroot, but under this setup, anyone
> could simply read the contents of the files in the webroot and
> use the information in those files to then read the files which
> are stored outside of the webroot.

This is still a very good practice, and I hope you continue to use it.

> Unfortunately I don't have access to my server config file (a
> 'find' command for httpd.conf returned no results), so is this
> something a host would usually change for individual users?

It should be, and you can always point them to my article if they don't
understand why you want this. Is your host running Apache?

> Also, safe_mode is not enabled on this host, so while I assume
> that I could enable it using .htaccess for my site, that still
> would not prevent anyone else from reading my scripts since their
> scripts would not be running in safe mode, right?

That's exactly right. Also, the bad guys might be Perl programmers. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming December 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
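The thread above turns on one fact: whatever interpreter a tenant's script runs under (mod_php, CGI Perl, a shell script), it runs as the web-server account, so it can open any file that account can read, and the contents of the file are irrelevant. The following audit script is an added example, not code from Chris Shiflett's article or from either poster: it walks a directory and reports every regular file a given uid/gid could open, using only the POSIX permission rules (owner, group or other triplet chosen by uid/gid match, search bit needed on every directory on the way, uid 0 always succeeds). The web-server uid and gids are parameters; the assumption that the host in the thread runs as nobody:nobody, and the uid 99 used in the usage comment, are not from the page, so check your own host first.

```python
"""Audit which files under a directory another local account can read.

Added example for the shared-host discussion above; it is not code from
Chris Shiflett's article or from either poster.  On a shared host where
mod_php (or CGI Perl, or a shell script) runs as the web-server account,
every tenant's script can open any file that account can read.  This script
asks, for each regular file below ROOT, whether the web-server uid/gid could
open it.  The web-server uid and gids are parameters (assumption: the host in
the thread runs as nobody:nobody; verify with `ps -o user,group -C httpd`).
"""
import os
import stat
import sys
from typing import Iterable, List, Sequence, Tuple

Inode = Tuple[int, int, int]  # (permission bits, owner uid, owner gid)


def _class_bits(inode: Inode, uid: int, gids: Iterable[int]) -> int:
    """Return the rwx triplet that applies to `uid` for this inode:
    owner bits on uid match, group bits on gid match, else 'other'."""
    mode, owner_uid, owner_gid = inode
    if uid == 0:                      # root bypasses discretionary permissions
        return 0o7
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in set(gids):
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_read(chain: Sequence[Inode], uid: int, gids: Iterable[int]) -> bool:
    """`chain` lists the inodes from the first directory traversed down to the
    file itself.  Each directory needs x (search); the last entry needs r.
    A 0644 file inside a 0700 directory is therefore *not* readable."""
    gids = set(gids)
    *dirs, leaf = chain
    for d in dirs:
        if not _class_bits(d, uid, gids) & 0o1:
            return False
    return bool(_class_bits(leaf, uid, gids) & 0o4)


def audit(root: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Return the paths (relative to `root`) of regular files the account
    could open.  `root` itself is assumed reachable; only what lies below it
    is checked.  Symlinks are not followed, and directories the auditing
    user cannot list are skipped."""
    gids = set(gids)
    found: List[str] = []

    def walk(path: str, chain: List[Inode]) -> None:
        try:
            names = sorted(os.listdir(path))
        except PermissionError:
            return
        for name in names:
            full = os.path.join(path, name)
            st = os.lstat(full)
            inode = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
            if stat.S_ISDIR(st.st_mode):
                walk(full, chain + [inode])
            elif stat.S_ISREG(st.st_mode) and can_read(chain + [inode], uid, gids):
                found.append(os.path.relpath(full, root))

    walk(root, [])
    return found


if __name__ == "__main__":
    # Usage: python audit_readable.py ~/public_html 99 99
    # (99 is a common uid/gid for nobody on older distributions; this is an
    # assumption, substitute the values your host actually uses)
    top, web_uid, web_gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for rel in audit(top, web_uid, [web_gid]):
        print(rel)
```

Every path this prints is readable by every other tenant's script, whatever language it is written in, which is the reason keeping files outside the webroot helps only if they are not also readable by the web-server account. For the common case the same question can be asked with GNU find's `find ~/public_html -type f -perm -o=r`, but that ignores group membership and unsearchable parent directories, which the function above handles.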
