Re: allow_url_fopen ini directive not enough

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

OK, I don't think you've read my posts in much detail at all. I looks as though you have skimmed over them and got a pre-determined idea of my issue in your head.

Not once have I mentioned anything about "customers" in my posts. I'm not a web host. I'm not talking about people who have access to my web server uploading malicious scripts; I know that if I give people that I don't trust access to my server then they could f**k things up... obviously. I'm not a script kiddie who wants to stop people using the mail() function or something like that, I'm talking about a real life vunerability.

Let me try to paint another simple senario:

1. You have a shared hosting account with example.com hosted on it.
2. You want a guestbook setup on it, and you've found one that you like.
3. You install "phpMyFantasticGuestbook" onto your account.
4. It's a well used application and thus you don't go through the source to check for vunerabilities.
5. Joe Hacker has studied the script coz he's a tart that wants to piss people off and he has found a vunerability.
6. Joe Hacker uses the vunerability to change your account passwd. He then logs in as you and deletes all your files. He has access to your mysql password which was in the congif file of phpMyFantasticGuestbook and he deletes all your data, he then leaves a nice index.php in your account to say that he's been by.

This is what I'm talking about, I hope this is clear. The vunerability I described in one of my previous posts.

The "worry" that I'm expending comes from being hacked twice using this method, I think the amount of worry expended is in line with the amount of frustration that I have endured.

KJ


Richard Lynch wrote: 

Call me silly, but...

If you don't check the source code, and you think they might be using
include "http://";...

What's the difference between that and not checking all the zillion things
your customers might do that's about 100 X as stupid?

Seems to me you're expending a fair amount of 'worry' over something that,
given that you're not checking their source in the first place, is kind of
meaningless...

Not that I'm suggesting that you *SHOULD* be checking their source -- Only
that the risk you take as part and parcel of your business is untrusted
users putting code on your machine.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux