
Re: [cobalt-security] php security..



It is like telnet: chmod settings that allow reading and executing. It is hard to have
everything set up the right way and to ensure that your users will know the
appropriate CHMOD; sometimes it is just not possible!

You can do the same with a CGI script!!

Best Regards..
Satan@xxxxxxxxxxxxxxx

----- Original Message -----
From: "Kai Schantz, Euroweb" <kai@xxxxxxxxxx>
To: "Cobalt-Security@List. Cobalt. Com" <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, June 29, 2001 11:56 PM
Subject: [cobalt-security] php security..


> Hi, everybody
>
> I was surfing one of the better known resource sites on php scripts when I
> came over a script that said it would make my browser window look like
> explorer (file manager) and I could download everything besides root-only
> files and see the whole server's structure and browse around like I was using
> a file manager. All this with installing it in my web dir as a normal user and
> permissions. And then open the browser and go to the URL you installed it
> as and open "page.php" AND THAT IT DID!!
> And everyone that has the URL to the php page can do the same, surf around
> on your server and download.
>
> The browser window you get when installing this php-script as a normal
> user inside your web dir is like using a very fast ftp or file manager. The user
> gets permission to browse all the server dirs/maps except the root folder.
>
> Actually I liked it because I got a very good understanding of where
> everything was placed and could download everything others had on their
> sites. But this I don't want my users to be able to do!!
> I see it as a security hole.
>
> Think of what your competitors can do.. Download all your customers' files
> with their scripts and their complete web solution.. and it's not nice for our
> customers to know that everybody can download your complete site, even files
> that are not linked to, and their scripts.
>
> I made a webpage where I have posted some screenshots taken when I use
> this php page.
> www.webdomene.com/phpsec
>
> If somebody wants the script with the purpose of finding a solution on how to
> prevent this and similar scripts from being used, I'd be happy to send it to
> them.
>
> Best regards..
>
> Kai Schantz
> Euroweb AS
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
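An added example, not from either poster, of the CHMOD check the reply refers to: it audits a shared-hosting tree for files outside each account's served directory that are readable by "other" (the bit a PHP or CGI script running as the web server user relies on), and clears that bit. The `<root>/<account>/web/` layout and the sample accounts are assumptions, constructed for the demonstration.

```shell
#!/bin/sh
# Audit a hosting tree for private files readable by "other", then lock them
# down. Assumed layout: <root>/<account>/web/ holds the served files, anything
# else under <root>/<account>/ is private to that account.

# Print every regular file under $1, skipping the per-account web/ trees,
# whose "other" read bit (octal 004) is set. Sorted, one path per line.
audit_world_readable() {
    find "$1" -type d -path '*/web' -prune -o -type f -perm -004 -print \
        | sort
}

# Clear other-read/write/execute on those same files so a script running as
# the web server user (a different account) can no longer open them.
fix_private_perms() {
    find "$1" -type d -path '*/web' -prune -o -type f -perm -004 \
        -exec chmod o-rwx {} +
}

# Constructed sample: two accounts; alice has a world-readable config file in
# a private directory, bob's private notes are already owner-only.
make_sample_tree() {
    root=$1
    mkdir -p "$root/alice/web" "$root/alice/private" \
             "$root/bob/web"   "$root/bob/private"
    printf 'db_pass=constructed\n' > "$root/alice/private/config.inc"
    printf '<html></html>\n'        > "$root/alice/web/index.html"
    printf 'notes\n'                > "$root/bob/private/notes.txt"
    chmod 644 "$root/alice/private/config.inc"   # leaks: other can read
    chmod 644 "$root/alice/web/index.html"       # served content, skipped
    chmod 600 "$root/bob/private/notes.txt"      # already locked down
}

# Stand-alone demonstration: sh audit.sh demo
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        make_sample_tree "$tmp"
        echo "world-readable private files before:"; audit_world_readable "$tmp"
        fix_private_perms "$tmp"
        echo "after:"; audit_world_readable "$tmp"
        rm -rf "$tmp"
        ;;
esac
```

This only covers files outside the served tree; the web server still needs read access to web/, so keeping one account's PHP out of another account's web/ is a separate control.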