include() - security and others

  • Benoni
    New Member
    • Oct 2002
    • 29
    • 3.0.1

    #16
    Originally posted by Benoni
    I understand you now!
    The only stupid thing about that is that the directory you would have to enter is always specific to the server

    ie. /home/sites/benoni/www/public_html/

    What is there to say I will have benoni on another server?

    Which is easier: Changing the password in all files or changing the location of the password file in all files?

    I could use _SERVER["DOCUMENT_ROOT"] though.

    Comment

    • Chen
      Senior Member
      • Jun 2001
      • 8388

      #17
      Originally posted by xiphoid
      Chen,
      if you are a part of a hosting company where other users on the same virtual server have the right to even go out of their home directory, you should not consider changing to a new hosting provider, but you should immediately cancel your account and go some place else.

      A user is a user, and not a user with rights to go snooping around the system.

      If they can, they at least shouldn't have the rights to enter other users' directories and ls their files.

      Of course they shouldn't have the rights to include the files.
      You're confusing FTP users with the user PHP runs as. I'm not going to explain the whole theory here, but if you want, contact me by email and I'll even give you an example script you could try on your server - you will be surprised.
      Chen Avinadav
      Better to remain silent and be thought a fool than to speak out and remove all doubt.

      I too am disappointed by Maariv's coverage of the NRG network's Tour Motor competition.

      Comment

      • Benoni
        New Member
        • Oct 2002
        • 29
        • 3.0.1

        #18
        Originally posted by Chen
        You're confusing FTP users with the user PHP runs as. I'm not going to explain the whole theory here, but if you want, contact me by email and I'll even give you an example script you could try on your server - you will be surprised.
        There are many cgi-scripts which mimic shells on Unix systems. This allows a process to mimic running programs on the server from a normal command line. I think there are PHP scripts to do that too.

        Comment

        • Chen
          Senior Member
          • Jun 2001
          • 8388

          #19
          It's possible to execute commands (exec(), backtick, there are more than enough ways) but I'm not sure about mimicking actual sessions... nevertheless it's dangerous.
          Chen Avinadav
          Better to remain silent and be thought a fool than to speak out and remove all doubt.

          I too am disappointed by Maariv's coverage of the NRG network's Tour Motor competition.

          Comment
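An added example, not code from anyone in this thread, showing Benoni's DOCUMENT_ROOT idea (#16) done defensively: the credentials file is located relative to DOCUMENT_ROOT so the same code works on any server, kept outside public_html, and refused if the resolved path escapes the private directory or the file is readable by other accounts. The directory layout (a "private" directory beside public_html) and the file name db.php are assumptions.

```php
<?php
// Resolve <something>/private/<name> from DOCUMENT_ROOT = <something>/public_html,
// so the code is not tied to one server's absolute path such as
// /home/sites/benoni/www/public_html/ (assumed layout for this example).
function private_config_path(string $name): string
{
    $docRoot = rtrim($_SERVER['DOCUMENT_ROOT'] ?? '', '/');
    if ($docRoot === '') {
        throw new RuntimeException('DOCUMENT_ROOT is not set');
    }

    $base = realpath(dirname($docRoot) . '/private');
    if ($base === false) {
        throw new RuntimeException('private directory does not exist');
    }

    // basename() drops any directory part; realpath() resolves ../ and symlinks,
    // and the prefix check rejects anything that ends up outside $base.
    $path = realpath($base . '/' . basename($name));
    if ($path === false || strpos($path, $base . '/') !== 0) {
        throw new RuntimeException("refusing to load $name: not inside $base");
    }

    // File modes only separate tenants when PHP runs as the account's own user
    // (CGI/suEXEC style). Where every site's PHP runs as one shared web-server
    // user, as Chen points out, no mode can keep another site's script out,
    // but a group/world-readable credentials file is wrong in either case.
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            '%s is readable by others (mode %04o); chmod 600 it', $path, $mode
        ));
    }
    return $path;
}

// db.php is assumed to contain: <?php return ['user' => '...', 'pass' => '...'];
$db = include private_config_path('db.php');
```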
