
[cobalt-security] PHP security problem with Cobalt structure of file system



The following problem has been reported to me:

A Cobalt where PHP3 is installed has big problems with sensitive
information. Let's take a domain, www.test.com, which has a MySQL Database
called "MyDB". If we have to access that database from a PHP script, the
username/password has to be stored in that script, somewhere. And if another
customer uses some PHP code to read files on the system, he could issue a
command like:

readfile("/home/sites/www.test.com/web/index.php3")

and thus see the password used to manage & access the database. Not very
fair... The file will be shown, as the user httpd can read all files on
/home/sites/*/web.

What can we do against this?

Fabian
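
One mitigation for the cross-site read described above is PHP's open_basedir setting, which limits the paths a script may open. The following is an added example, not part of the original post; it assumes a current PHP release rather than PHP3, and the second site name, the temporary paths and the password placeholder are constructed.

```php
<?php
// Constructed layout mirroring /home/sites/<domain>/web from the post,
// built under the system temp directory so the script runs anywhere.
// The demo tree is left behind in the temp directory afterwards.
$base      = sys_get_temp_dir() . '/sites-demo-' . getmypid();
$victimWeb = "$base/www.test.com/web";
$otherWeb  = "$base/www.other.example/web";   // hypothetical second customer
mkdir($victimWeb, 0755, true);
mkdir($otherWeb, 0755, true);

// Constructed script holding a placeholder database password.
$target = "$victimWeb/index.php3";
file_put_contents($target, "<?php \$db_pass = 'PLACEHOLDER'; ?>\n");

// Without a restriction, any script executed by the shared web-server
// user can read the other site's source.
$before = @file_get_contents($target);

// Confine the rest of this request to the second customer's own tree.
ini_set('open_basedir', realpath($otherWeb) . DIRECTORY_SEPARATOR);

// The same read now fails: the path lies outside the allowed tree.
$after = @file_get_contents($target);

// Files inside the customer's own tree remain accessible.
file_put_contents("$otherWeb/own.txt", "ok\n");
$own = @file_get_contents("$otherWeb/own.txt");

printf("unrestricted cross-site read:       %s\n",
    $before === false ? 'denied' : 'allowed');
printf("cross-site read with open_basedir:  %s\n",
    $after === false ? 'denied' : 'allowed');
printf("own-site read with open_basedir:    %s\n",
    $own === false ? 'denied' : 'allowed');
```

In a deployment the value would be set per virtual host by the administrator (with mod_php, `php_admin_value open_basedir` inside the `<VirtualHost>` block) so that customer scripts cannot change it. open_basedir only covers PHP's own file functions, so functions that run external programs have to be restricted separately.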