Re: [PHP] PHP shell commands

2008-01-14 Thread Richard Lynch
On Thu, January 10, 2008 9:15 pm, Lucas Prado Melo wrote: > Some php applications store database passwords into files which can be > read by the user www-data. > So, a malicious user which can write php scripts could read those > passwords. > What should I do to prevent users from viewing those pas

RE: [PHP] PHP shell commands

2008-01-12 Thread Andrés Robinet
EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Lucas Prado Melo > Sent: Saturday, January 12, 2008 8:50 AM > To: Andrés Robinet > Cc: php-general@lists.php.net > Subject: Re: [PHP] PHP shell commands > > On Jan 12, 2008 4:12 AM, Andrés Robinet <[EMAIL PROTECTED]>

Re: [PHP] PHP shell commands

2008-01-12 Thread Lucas Prado Melo
On Jan 12, 2008 4:12 AM, Andrés Robinet <[EMAIL PROTECTED]> wrote: > I guess what you are looking for is mod_suphp. STFW or ask the list, someone > will give you good hints for sure (sorry, have little time right now). > > Rob Thanks, I will take a look. -- PHP General Mailing List (http://www.php

RE: [PHP] PHP shell commands

2008-01-11 Thread Andrés Robinet
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Lucas Prado Melo > Sent: Friday, January 11, 2008 8:50 PM > To: Jim Lucas > Cc: php-general@lists.php.net > Subject: Re: [PHP] PHP shell commands > > On Jan 11, 2008

Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
On Jan 11, 2008 9:28 PM, Jim Lucas <[EMAIL PROTECTED]> wrote: > > What feature would you think about adding to it? > I think we should be able to set (editing httpd.conf in apache) which folders are visible to any php script (including shell commands written in it). So, we could use Directory tags

Re: [PHP] PHP shell commands

2008-01-11 Thread Jim Lucas
Lucas Prado Melo wrote: Where should I look for further help about mod_php? How do I beg someone to add a feature in mod_php? On Jan 11, 2008 8:00 PM, Nate Tallman <[EMAIL PROTECTED]> wrote: To fix this scenario, chroot would require different apache processes running under different users.

Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
Where should I look for further help about mod_php? How do I beg someone to add a feature in mod_php? On Jan 11, 2008 8:00 PM, Nate Tallman <[EMAIL PROTECTED]> wrote: > To fix this scenario, chroot would require different apache processes > running under different users. -- PHP General Mailing L

Re: [PHP] PHP shell commands

2008-01-11 Thread Nate Tallman
To fix this scenario, chroot would require different apache processes running under different users. On Jan 11, 2008 3:46 PM, Lucas Prado Melo <[EMAIL PROTECTED]> wrote: > On Jan 11, 2008 2:16 PM, Daniel Brown <[EMAIL PROTECTED]> wrote: > > Make sure you change the permissions on the director

Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
On Jan 11, 2008 2:16 PM, Daniel Brown <[EMAIL PROTECTED]> wrote: > Make sure you change the permissions on the directory in which > uploads are saved to be non-readable by anyone (including yourself, in > case the scripts are suexec'd). > > For example, if the directory in which you save up

Re: [PHP] PHP shell commands

2008-01-11 Thread Bipin Upadhyay
Daniel Brown wrote: [SNIPPED] Just keep in mind that anything that can be accessed by any means is never going to be 100% secure. I like the line :) --Bipin Upadhyay, http://projectbee.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.p

Re: [PHP] PHP shell commands

2008-01-11 Thread Daniel Brown
On Jan 11, 2008 6:58 AM, Lucas Prado Melo <[EMAIL PROTECTED]> wrote: > On Jan 11, 2008 9:33 AM, Bipin Upadhyay <[EMAIL PROTECTED]> wrote: > > Lucas Prado Melo wrote: > > > Hello, > > > Some php applications store database passwords into files which can be > > > read by the user www-data. > > Why no

Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
On Jan 11, 2008 9:33 AM, Bipin Upadhyay <[EMAIL PROTECTED]> wrote: > Lucas Prado Melo wrote: > > Hello, > > Some php applications store database passwords into files which can be > > read by the user www-data. > Why not keep them out of the web tree and inform the application > regarding the same.

Re: [PHP] PHP shell commands

2008-01-11 Thread Bipin Upadhyay
Lucas Prado Melo wrote: Hello, Some php applications store database passwords into files which can be read by the user www-data. Why not keep them out of the web tree and inform the application regarding the same. I am sure almost all good applications would provide a simple way for doing it.

Re: [PHP] PHP shell commands

2008-01-11 Thread Richard Heyes
Some php applications store database passwords into files which can be read by the user www-data. So, a malicious user which can write php scripts could read those passwords. What should I do to prevent users from viewing those passwords? You could encode your file(s) using something like the Ze

Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
Suppose we were using apache webserver. I think obfuscation won't work since with some work a user could read the password. How to encrypt/decrypt the password? On Jan 11, 2008 3:37 AM, Chris <[EMAIL PROTECTED]> wrote: > Not too much really. > > The webserver needs to be able to read a config file

Re: [PHP] PHP shell commands

2008-01-10 Thread Chris
Lucas Prado Melo wrote: Hello, Some php applications store database passwords into files which can be read by the user www-data. So, a malicious user which can write php scripts could read those passwords. What should I do to prevent users from viewing those passwords? Not too much really. The