[cobalt-security] PHP security problem with Cobalt structure of file system
- Subject: [cobalt-security] PHP security problem with Cobalt structure of file system
- From: "Fabian Lucchi" <hostmaster@xxxxxxxxxxxxx>
- Date: Mon, 11 Sep 2000 16:24:08 +0200
The following problem has been reported to me:
A Cobalt where PHP3 is installed has big problems with sensitive
information. Let's take a domain, www.test.com, which has a MySQL Database
called "MyDB". If we have to access that database from a PHP script, the
username/password has to be stored in that script, somewhere. And if another
customer uses some PHP code to read files on the system, he could issue a
command like:
readfile("/home/sites/www.test.com/web/index.php3")
and thus see the password used to manage & access the database. Not very
fair... The file will be shown, as the user httpd can read all files on
/home/sites/*/web.
What can we do against this?
Fabian
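
The exposure described in this message can be inventoried from the administrator's side. The sketch below is an added example, not part of the original post: it assumes the /home/sites/<site>/web layout and the httpd account named in the message, and the function names and the credential pattern are hypothetical choices made for illustration.

```python
import os
import re
import stat

# Assumed heuristic: a mysql_connect()/mysql_pconnect() call whose three
# arguments are quoted literals, i.e. credentials written into the script.
Q = rb"[\"'][^\"']*[\"']"
CRED_RE = re.compile(rb"mysql_p?connect\s*\(\s*" + Q + rb"\s*,\s*" + Q + rb"\s*,\s*" + Q, re.I)
SCRIPT_EXT = (".php3", ".php", ".phtml", ".inc")


def readable_by(st, uid, gids):
    """Classic Unix owner/group/other read check for one account."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_sites(root, web_uid, web_gids):
    """Return (site, relative_path) pairs for scripts under root/<site>/web
    that the web server account can read and that contain literal
    database credentials. Run it as an account that can read every site."""
    findings = []
    for site in sorted(os.listdir(root)):
        web = os.path.join(root, site, "web")
        if not os.path.isdir(web):
            continue
        for dirpath, _dirs, files in os.walk(web):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                if not name.lower().endswith(SCRIPT_EXT):
                    continue
                if not readable_by(os.stat(path), web_uid, web_gids):
                    continue
                with open(path, "rb") as fh:
                    if CRED_RE.search(fh.read(65536)):
                        findings.append((site, os.path.relpath(path, web)))
    return findings


if __name__ == "__main__":
    import pwd
    acct = pwd.getpwnam("httpd")  # account name taken from the message
    for site, rel in audit_sites("/home/sites", acct.pw_uid, {acct.pw_gid}):
        print(site, rel)
```

Every pair it reports is a script whose database password any other customer's PHP code can read, because that code runs as the same web server account.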