
PHP harm on WebDAV

Hi!

I was wondering about the feasibility of having PHP safer than I can
imagine right now.

This is the situation. Apache with webdav enabled for all users in
write mode. Let's say users have /home/username/www as their web sites.
In order to make it work, every www must have write permission set to
apache. This way people can upload their personal web sites via webdav.

Since PHP scripts run with the same username as apache, something like
this is possible:

<?
system('rm -rf /home/userThatIhate/www/*');
?>
Is anyone aware of a possible solution about this problem?

Thanks!

--
Sensei <se******@mac.com>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]

Aug 2 '06 #1
"Sensei" <se******@mac.com> wrote in message
news:44***********************@reader4.news.tin.it ...
| Hi!
|
| I was wondering about the feasibility of having PHP safer than I can
| imagine right now.
|
| This is the situation. Apache with webdav enabled for all users in
| write mode. Let's say users have /home/username/www as their web sites.
| In order to make it work, every www must have write permission set to
| apache. This way people can upload their personal web sites via webdav.
|
| Since PHP scripts run with the same username as apache, something like
| this is possible:
|
| <?
| system('rm -rf /home/userThatIhate/www/*');
| ?>
|
|
| Is anyone aware of a possible solution about this problem?

Make sure safe_mode is on... ?
Aug 2 '06 #2
Sensei <se******@mac.com> wrote:
> Since PHP scripts run with the same username as apache, something like
> this is possible:
>
> <?
> system('rm -rf /home/userThatIhate/www/*');
> ?>
> Is anyone aware of a possible solution about this problem?
Disable system() and similar functions. You will not have security in a
multi-untrusted-user environment when running PHP as an Apache module
unless you do this.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 2 '06 #3
On 2006-08-02 19:28:25 +0200, "Virginner" <th*******@virginLOSEIT.net> said:

> | <?
> | system('rm -rf /home/userThatIhate/www/*');
> | ?>
> |
> |
> | Is anyone aware of a possible solution about this problem?
>
> Make sure safe_mode is on... ?
Yes, I've tried that. Seems to work but I don't know if this affects
some user script. Maybe it's unsafe since some users may have files
belonging to other UID/GID.

--
Sensei <se******@mac.com>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]

Aug 3 '06 #4
On 2006-08-02 19:58:34 +0200, Miguel Cruz <sp**@admin.u.nu> said:
>> <?
>> system('rm -rf /home/userThatIhate/www/*');
>> ?>
>> Is anyone aware of a possible solution about this problem?
>
> Disable system() and similar functions. You will not have security in a
> multi-untrusted-user environment when running PHP as an Apache module
> unless you do this.
Do you have any link that shows how to disable particular functions?
How's the granularity that I can apply --- and that you suggest?

--
Sensei <se******@mac.com>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]

Aug 3 '06 #5
Sensei <se******@mac.com> wrote:
> Miguel Cruz <sp**@admin.u.nu> said:
>> Disable system() and similar functions. You will not have security
>> in a multi-untrusted-user environment when running PHP as an Apache
>> module unless you do this.
>
> Do you have any link that shows how to disable particular functions?
> How's the granularity that I can apply --- and that you suggest?
http://my2.php.net/manual/en/feature...able-functions

You just put it in php.ini, and you can disable any functions you please.

For instance:

disable_functions = exec,passthru,proc_open,shell_exec,system

I wouldn't stake my career on it but I think that'll cover the ones that
allow PHP code to invoke arbitrary external programs.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 3 '06 #6
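As an added example that is not from this thread or its participants: a small PHP audit script an administrator can run under the same PHP configuration the web server uses, to confirm that the process-execution functions named in the disable_functions line above are really disabled. It relies on two documented PHP behaviours: ini_get() returns the raw comma-separated disable_functions string, and function_exists() returns false for a function that has been disabled that way. The script adds popen() to the list (a real PHP function the thread's list does not mention) and also reports whether open_basedir is set, since disabling shell access only covers the shell half of the problem: PHP's own file functions still run as the apache user, and open_basedir is the directive that confines them to a directory tree. The function names and the inclusion of popen and open_basedir are the editor's choices, not the thread's.

```php
<?php
// Added example (not part of the thread): audit the running PHP's
// disable_functions setting against the process-execution functions
// suggested in the thread, plus popen().
// Run with:  php audit.php   (or request it through the web server so the
// server's php.ini / per-directory settings are the ones being checked).

// Functions the thread's suggested php.ini line disables, plus popen().
$execFunctions = ['exec', 'passthru', 'proc_open', 'shell_exec', 'system', 'popen'];

/** Return the list of names configured in disable_functions. */
function disabledFunctions(): array
{
    // ini_get() returns the raw comma-separated string from php.ini.
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

/** Map each wanted function name to 'disabled' or 'ENABLED'. */
function auditExecFunctions(array $wanted): array
{
    $disabled = array_flip(disabledFunctions());
    $report = [];
    foreach ($wanted as $fn) {
        // A function listed in disable_functions makes function_exists()
        // return false, so either check alone would do; both are shown.
        $isOff = isset($disabled[$fn]) || !function_exists($fn);
        $report[$fn] = $isOff ? 'disabled' : 'ENABLED';
    }
    return $report;
}

foreach (auditExecFunctions($execFunctions) as $fn => $state) {
    printf("%-12s %s\n", $fn . '()', $state);
}

// open_basedir is what confines PHP's own file functions (unlink, fopen,
// file_put_contents, ...) to a directory tree. An empty value means no
// restriction at all.
$basedir = (string) ini_get('open_basedir');
echo "open_basedir: " . ($basedir === '' ? 'NOT SET' : $basedir) . "\n";
```

Any line reporting ENABLED means the php.ini change has not taken effect for that interpreter (a common cause is editing the CLI php.ini while the Apache module reads a different one). When PHP runs as an Apache module, both directives can also be set per virtual host or per directory with php_admin_value in the Apache configuration, which is how open_basedir would be pointed at each user's own /home/username/www.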
On 2006-08-03 19:48:45 +0200, Miguel Cruz <sp**@admin.u.nu> said:
>> Do you have any link that shows how to disable particular functions?
>> How's the granularity that I can apply --- and that you suggest?
>
> http://my2.php.net/manual/en/feature...able-functions
>
> You just put it in php.ini, and you can disable any functions you please.
>
> For instance:
>
> disable_functions = exec,passthru,proc_open,shell_exec,system
>
> I wouldn't stake my career on it but I think that'll cover the ones
> that allow PHP code to invoke arbitrary external programs.
Thank you very much, that helped a lot!

--
Sensei <se******@mac.com>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]

Aug 5 '06 #7
