RE: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Pablo, I tested Chris's script on our systems, and couldn't browse anywhere other than my own directories, so it is possible to set php up on shared hosts that is a lot more secure than what your host has done. May I ask what host this is? Is it a major one? Tim. At 02:09 PM 9/26/2004, Pablo G

Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Ahhh...ok, now you're talking about something else. I thought we were just talking about the security model of PHP only. Yes, if a host has decided to offer another means for CGI that isn't safe, then that is another issue altogether...;) I was just talking about PHP's security model. Safe mod

RE: [PHP] php security on shared hosts

2004-09-26 Thread Pablo Gosse
[snip] In short, what you've found is typical for most shared hosts [/snip] I've just been reviewing the way sites are housed on my host, and what directories are readable by the web server and I'm curious to get opinions on this. When I use Chris' file browser script, there is a folder called 'v

RE: [PHP] php security on shared hosts

2004-09-26 Thread Chris Shiflett
--- Pablo Gosse <[EMAIL PROTECTED]> wrote: > http://shiflett.org/articles/security-corner-mar2004 [snip] > Hi, Chris. Thanks for that link. It was incredibly informative. I'm glad you thought so. :-) > I just took your code for the file browser and it was able to > read the information in all u

RE: [PHP] php security on shared hosts

2004-09-26 Thread Pablo Gosse
[snip] I just published a free article on my Web site about shared hosting: http://shiflett.org/articles/security-corner-mar2004 In short, what you've found is typical for most shared hosts, and safe_mode (a directive created to help mitigate this problem a bit) does little to help. However, ther

Re: [PHP] php security on shared hosts

2004-09-26 Thread Jason Wong
On Monday 27 September 2004 02:26, Chris Shiflett wrote: > If you do not offer CGI access or any interpreter besides PHP, then I > suppose it's better than nothing, but I wouldn't characterize this as > safe. I suspect that if I were a user on this host, I could give you a URL > that displays anot

Re: [PHP] php security on shared hosts

2004-09-26 Thread Chris Shiflett
--- Tim Traver <[EMAIL PROTECTED]> wrote: > I believe that is the reason that the PHP group came up with the > open_basedir directive. > > The open_basedir prevents you from looking into anything higher > than a particular directory tree using PHP. > > So, a combination of safe_mode and open_base

Re: [PHP] php security on shared hosts

2004-09-26 Thread Marek Kilimajer
Tim Traver wrote: Chris, I believe that is the reason that the PHP group came up with the open_basedir directive. The open_basedir prevents you from looking into anything higher than a particular directory tree using PHP. So, a combination of safe_mode and open_basedir should prevent your scri

Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Oh, and I forgot, you can also specify specific include directories to be allowed for a particular user... Tim. At 09:47 PM 9/25/2004, Chris Shiflett wrote: --- Tim Traver <[EMAIL PROTECTED]> wrote: > I can guarantee that is not the way it is supposed to be. We > make sure that can't happen by ru

Re: [PHP] php security on shared hosts

2004-09-26 Thread Tim Traver
Chris, I believe that is the reason that the PHP group came up with the open_basedir directive. The open_basedir prevents you from looking into anything higher than a particular directory tree using PHP. So, a combination of safe_mode and open_basedir should prevent your script from being able

Re: [PHP] php security on shared hosts

2004-09-26 Thread raditha dissanayake
Pablo Gosse wrote: Hi folks. I recently set up hosting for my site and have noticed something which is making me nervous. If you are really nervous you cannot use shared hosting. Simple as that. Even if other users don't access your stuff, the root user can. While it's against the system admin

Re: [PHP] php security on shared hosts

2004-09-25 Thread Chris Shiflett
--- Tim Traver <[EMAIL PROTECTED]> wrote: > I can guarantee that is not the way it is supposed to be. We > make sure that can't happen by running in Safe mode, using the > open_basedir directive, and making sure the directory tree has > the correct permissions so the situation you described cannot

Re: [PHP] php security on shared hosts

2004-09-25 Thread Chris Shiflett
--- Pablo Gosse <[EMAIL PROTECTED]> wrote: > Hi folks. I recently set up hosting for my site and have noticed > something which is making me nervous. > > I can't seem to include files outside of my webroot, so I wrote > a script to test permissions using passthru to output the results > of a bunch

Re: [PHP] php security on shared hosts

2004-09-25 Thread Tim Traver
Pablo, As a shared hosting company myself (http://www.simplenet.com/), I can guarantee that is not the way it is supposed to be. We make sure that can't happen by running in Safe mode, using the open_basedir directive, and making sure the directory tree has the correct permissions so the situati