Re: allow_url_fopen ini directive not enough

KJ wrote:
> OK, I don't think you've read my posts in much detail at all. It looks as
> though you have skimmed over them and got a pre-determined idea of my
> issue in your head.
>
> Not once have I mentioned anything about "customers" in my posts. I'm
> not a web host. I'm not talking about people who have access to my web
> server uploading malicious scripts; I know that if I give people that I
> don't trust access to my server then they could f**k things up...
> obviously. I'm not a script kiddie who wants to stop people using the
> mail() function or something like that, I'm talking about a real life
> vulnerability.
>
> Let me try to paint another simple scenario:
>
> 1. You have a shared hosting account with example.com hosted on it.
> 2. You want a guestbook setup on it, and you've found one that you like.
> 3. You install "phpMyFantasticGuestbook" onto your account.
> 4. It's a well used application and thus you don't go through the source
> to check for vulnerabilities.
> 5. Joe Hacker has studied the script coz he's a tart that wants to piss
> people off and he has found a vulnerability.
> 6. Joe Hacker uses the vulnerability to change your account passwd. He
> then logs in as you and deletes all your files. He has access to your
> mysql password which was in the config file of phpMyFantasticGuestbook
> and he deletes all your data, he then leaves a nice index.php in your
> account to say that he's been by.
>
> This is what I'm talking about, I hope this is clear. The vulnerability I
> described in one of my previous posts.
>
> The "worry" that I'm expending comes from being hacked twice using this
> method, I think the amount of worry expended is in line with the amount
> of frustration that I have endured.

Yes!

I'm only telling you that you have incorrectly analyzed the source of your
problem, not the scale and scope of the problem.

This horse is probably dead, but:

As long as your include files are in the web tree, your risk, regardless
of remote include on/off, remains TOO HIGH.

After the include files aren't in the web tree, the remote include is
irrelevant in most cases of the well-used/well-tested applications.

There are still other risks to them, but they are almost
certainly smaller and less pervasive than this.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
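Added example, not from either poster: one way to apply the advice in the reply above in a PHP front controller, assuming a hypothetical layout where the DocumentRoot is /var/www/example.com/htdocs and config.php plus the page includes live in /var/www/example.com/private, with any user-selected include confined to an allow-list and to that private directory.

```php
<?php
// Added example, not part of the original thread. Assumed directory layout:
//   /var/www/example.com/htdocs   <- DocumentRoot, the only directory the web server serves
//   /var/www/example.com/private  <- config.php and page includes, not reachable by URL
//
// Keeping config.php outside the web tree means a server misconfiguration
// (PHP handler disabled, .inc files served as text) cannot leak the MySQL password.
define('PRIVATE_DIR', realpath(__DIR__ . '/../private'));

// Loaded by an absolute filesystem path; no user input involved.
require PRIVATE_DIR . '/config.php';

// The pattern the thread is about: a page selector built from user input.
// With remote includes enabled this accepts a URL; with them disabled it still
// accepts a "../" path to any local file PHP can read, which is why the ini
// switch alone is not enough.
function load_page_unsafe(string $page): void
{
    include $page . '.php';   // DO NOT USE: kept only to contrast with load_page()
}

// Hardened version: map the request onto a fixed allow-list, then confirm the
// resolved path really sits below PRIVATE_DIR before including it.
function load_page(string $page): bool
{
    static $pages = [
        'home'      => 'pages/home.php',
        'guestbook' => 'pages/guestbook.php',
        'contact'   => 'pages/contact.php',
    ];
    if (!isset($pages[$page])) {
        return false;                         // unknown page name: refuse
    }
    $path = realpath(PRIVATE_DIR . '/' . $pages[$page]);
    if ($path === false || strncmp($path, PRIVATE_DIR . '/', strlen(PRIVATE_DIR) + 1) !== 0) {
        return false;                         // missing file, or resolved outside PRIVATE_DIR
    }
    include $path;
    return true;
}

if (!load_page($_GET['page'] ?? 'home')) {
    http_response_code(404);
    echo 'No such page';
}
```

The allow-list is the real control; the realpath check is a second line of defence in case the map is later edited to contain a relative path.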

