------------ Original Message ------------
> Date: Friday, October 03, 2014 19:51:59 -0400
> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> To: php-general@xxxxxxxxxxxxx
> Subject: Re: Re: hacked!!
>
> On 10/3/2014 5:11 PM, ellis@xxxxxxxxxxx wrote:
>>> And how do I know what the web server can do?
>>
>> The web server *executes* PHP scripts. Most likely one or
>> more of those scripts has a bug that was used to write
>> files into your document tree. Your document tree should
>> not be writable but most likely is.
>>
>> --
>> http://www.spinics.net/lists/
>>
> None of my scripts do any file uploading (to the server). None.
>
> I still don't know how I can tell what permissions the web server
> has.

There is no requirement that your scripts (be programmed to) upload files. All it takes is for you to have a poorly written php script, e.g., perhaps something where you don't properly/fully sanitize values you pick up from the QUERY_STRING, for a hacker to be able to modify a file (assuming that the file permissions are set inappropriately).

What are the ownerships and permissions on the directories and files under your web root?

- Richard

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
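
One way to answer the question about ownerships and permissions under the web root, as an added example that is not part of the original thread: a shell function that lists every entry the web server account could modify. The function name `audit_webroot` and the default account `www-data` are assumptions; pass the account your server actually runs as.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: audit_webroot ROOT [WEBUSER]
# WEBUSER may be a user name or a numeric uid. The default www-data is an
# assumption; substitute the account your web server process runs as.
#
# Output, one line per finding:
#   WORLD <path>  the "other" write bit is set, so any account can write
#   OWNER <path>  owned by WEBUSER (an owner can always chmod its own files,
#                 so this is reported even if the write bit is currently off)
#   GROUP <path>  group-writable, and the group is one WEBUSER belongs to
audit_webroot() {
    root=$1
    user=${2:-www-data}

    # Symlinks are skipped throughout: their own mode bits are not what
    # access checks use, so they would only add noise.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD /'

    find "$root" ! -type l -user "$user" -print | sed 's/^/OWNER /'

    # id -G prints the numeric group ids of the account; if the account
    # cannot be looked up, the group check is skipped.
    for gid in $(id -G "$user" 2>/dev/null); do
        find "$root" ! -type l -group "$gid" -perm -0020 -print | sed 's/^/GROUP /'
    done
}

# Run directly when arguments are given, e.g.: sh audit.sh /var/www/html www-data
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

An empty result for a document tree means the web server account can read and execute the scripts but cannot change them; any line that is printed is a place a buggy script could be used to write files.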