
Can anybody communicate with the operating system without the phpserver?

Fro
Hi,

I have a php-script which writes uploaded files into a directory. My
php-script gives specific names to the saved files. I found in the
directory a file which has a name which could not have been given by the
php-script. Could it be that somebody (who is not a user of the
operating system) communicates with the operating system (creates
files) without using my php-script? Or is it impossible, and I
have to search for a mistake in my script?

Thank you!
Feb 28 '08 #1
15 Replies



"Fro" <sh************@gmail.com> wrote in message
news:c0**********************************@u69g2000hse.googlegroups.com...
> Hi,
>
> I have a php-script which writes uploaded files into a directory. My
> php-script gives specific names to the saved files. I found in the
> directory a file which has a name which could not have been given by the
> php-script. Could it be that somebody (who is not a user of the
> operating system) communicates with the operating system (creates
> files) without using my php-script? Or is it impossible, and I
> have to search for a mistake in my script?
>
> Thank you!
Sure, they could hack your server, either just your personal account data or
else the entire server. But it's 100 or 1000 times more likely that they
breached security through a file upload, if you use a reputable third-party
host.

Feb 28 '08 #2

Fro
> Sure, they could hack your server, either just your personal account data or
> else the entire server.
You say that they can hack:
1. My server.
2. My personal account data.
3. The entire server.
What do you understand by "personal account data"? The operating
system?

To remove "ambiguity" I should say that I do not have "my personal
server". I use a hosting service which provides a php-server which has many
users.
> But it's 100 or 1000 times more likely that they
> breached security through a file upload, if you use a reputable third-party
> host.
It is 100 or 1000 times more likely than what?
Feb 28 '08 #3

Fro wrote:
> > Sure, they could hack your server, either just your personal account data or
> > else the entire server.
> You say that they can hack:
> 1. My server.
> 2. My personal account data.
> 3. The entire server.
> What do you understand by "personal account data"? The operating
> system?
>
> To remove "ambiguity" I should say that I do not have "my personal
> server". I use a hosting service which provides a php-server which has many
> users.
> > But it's 100 or 1000 times more likely that they
> > breached security through a file upload, if you use a reputable third-party
> > host.
> It is 100 or 1000 times more likely than what?
I agree with Mason - it's much more likely your upload script has holes
in it than someone hacked your server.

Since you're using a shared host, it's remotely possible that they came
in through another site on the same host. But that's unlikely, unless
your hosting company has no idea what they're doing and other sites on
the host are either hacker sites or don't know what they're doing. But
any reputable host will prevent that from happening.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Feb 29 '08 #4

Fro
> > Why do you continue to believe that "there is a 99% chance the problem
> > is in my code"? I put some argumentation against this belief. Why do
> > you just ignore it? Is there a mistake in my reasoning? If yes, just
> > show me it.
>
> Because that's a fact.
:) I can prove my fact and you cannot prove your fact (which seems to
be a matter of belief). My proof is that the php-script writes to the
directory as "nobody" (no matter whose script it is, mine or not).
Since I made the directory writable for "nobody", any script can write
to my directory (even if it is not mine). So, what is your
argumentation?
Mar 4 '08 #5

Fro
> I guess so.
>
> I think he needs to find a new line of work. Web development certainly
> is not for him!
I have proved that you are wrong! Could you find a mistake in my
proof? Could you give me at least ONE counterargument (I have asked for that
already for the third time!!!). Or is the only thing you can do to offend
an opponent and refer to your irrational belief?
Mar 4 '08 #6

Fro
So, Jerry, do you have something to answer to that?

I have already said that "on my site" (on our server) there
are many scripts which do not belong to me (because we have many
users). I do not say that the script is executed on the client machine.
They are executed on the server (where my scripts are also executed),
but the script is not written by me and it does not belong to me.
Mar 4 '08 #7

Fro
> If your host has any security at all, other websites will not be able to
> write into your directory. Only the files YOU upload will be able to
> write there.
Did you read my previous post carefully before you started to offend
me??? In my previous post I gave you an answer from the host support
in which they prove that they have this problem!!! Why did you ignore
this post? Or do you think I misinterpreted the answer from the host
support??? If that is the case, can you show me where I misunderstood the
answer?
Mar 4 '08 #8

Fro wrote:
> > If your host has any security at all, other websites will not be able to
> > write into your directory. Only the files YOU upload will be able to
> > write there.
> Did you read my previous post carefully before you started to offend
> me??? In my previous post I gave you an answer from the host support
> in which they prove that they have this problem!!! Why did you ignore
> this post? Or do you think I misinterpreted the answer from the host
> support??? If that is the case, can you show me where I misunderstood the
> answer?
No, your host's answer does not say that at all.

Do everyone a favor. Find another line of work.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Mar 4 '08 #9

Fro
> No, your host's answer does not say that at all.
>
> Do everyone a favor. Find another line of work.
You continue to discuss in your stupid way: no arguments, no logical
reasoning, just postulates and attempts to offend your opponents. What
is your IQ?
Mar 4 '08 #10

Fro wrote:
> > No, your host's answer does not say that at all.
> >
> > Do everyone a favor. Find another line of work.
> You continue to discuss in your stupid way: no arguments, no logical
> reasoning, just postulates and attempts to offend your opponents. What
> is your IQ?
A hell of a lot higher than yours. I also have a hell of a lot more
programming experience than you do - and a hell of a lot more experience
with security issues than you do.

You asked your question. You got your answer. I can't help it if you're
too stupid to understand you are the most probably culprit here!

I'm through with you.

<plonk>

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Mar 4 '08 #11

Fro
I just put "Jerry Stuckle php" into Google and clicked on the first
link :)
http://www.thescripts.com/forum/thread757088.html

Mar 4 '08 #12

Fro
> > You continue to discuss in your stupid way: no arguments, no logical
> > reasoning, just postulates and attempts to offend your opponents. What
> > is your IQ?
>
> A hell of a lot higher than yours. I also have a hell of a lot more
> programming experience than you do - and a hell of a lot more experience
> with security issues than you do.
It is even worse for you. In spite of the fact that you have tens of
years of programming experience you cannot understand simple
things. But you are making progress. You finally understood that not
only my scripts can write to my directory! :)
Mar 4 '08 #13

I can't believe this discussion is still going on, even though the right
answers have been given right from the start.

Check out what Fro wrote:

<ae**********************************@u72g2000hsf.googlegroups.com>
> I made a directory to be writable for "nobody" (i.e.
> for those who communicate with the operating system via the php-server
> that I use).
<2c**********************************@u69g2000hse.googlegroups.com>
> The answer I got:
> ----------------------------------------------------
> Yes, on servers where PHP runs as an Apache module
> and .php scripts run under the Apache user nobody
> this is possible. This is why setting 777 permissions
> is always a concern from a security standpoint.
And the right answer was given by Tim:

<pm********************************@4ax.com>
> It's certainly possible, but how would they have found your directory?

@Fro:

Setting 777 permissions is the same as leaving your door unlocked and
putting up a sign saying: "Invitation to everyone: Make yourself at
home! The door is unlocked and the alarm code is 12345." And when you
return home and find that someone has taken up your offer you go: "Who
ate from my plate? Who sat in my chair? Who slept in my bed?" and
complain to the person who built your house.

The real answer is: Don't set 777 permissions. Never ever. Because if
you do you allow your directory to be writable for everyone.

Bye!
Mar 5 '08 #14
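What the advice in this thread amounts to in code: an upload handler that never needs a 777 directory, chooses the stored file names itself, and can list the entries it did not create (the symptom the original question started from). This is an added example written for this page, not code from the thread or from any of the posters; `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED`, the `upload` form field name and the naming scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Paths, limits and allowed types
// below are assumptions chosen for illustration.
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed; ideally outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;        // assumed 2 MiB cap
const ALLOWED    = [                       // sniffed MIME type => extension the script assigns
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Create the directory writable only by the user PHP runs as (0750), and refuse
// to operate if it has been opened to everyone (the 777 case from the thread).
function ensureUploadDir(string $dir): void
{
    if (!is_dir($dir)) {
        if (!mkdir($dir, 0750, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        chmod($dir, 0750);                 // mkdir's mode is filtered by umask
    }
    clearstatcache(true, $dir);
    if ((fileperms($dir) & 0002) !== 0) {  // world-writable bit set
        throw new RuntimeException("$dir is world-writable; refusing to store uploads");
    }
}

// Store one entry of $_FILES and return the name the script chose for it.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'n/a'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept files PHP itself received through this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes, not from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type ' . var_export($mime, true) . ' not allowed');
    }
    ensureUploadDir(UPLOAD_DIR);
    // The script, not the client, picks the name: 32 hex chars plus a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0640);                    // never executable, not world-readable
    return $name;
}

// Audit check matching the thread's symptom: any entry whose name does not fit
// the script's own scheme was not written by this script.
function findForeignFiles(string $dir): array
{
    $pattern = '/^[0-9a-f]{32}\.(' . implode('|', ALLOWED) . ')$/';
    $foreign = [];
    foreach (scandir($dir) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (!preg_match($pattern, $entry)) {
            $foreign[] = $entry;
        }
    }
    return $foreign;
}

if (PHP_SAPI === 'cli') {
    // Run from the shell: list entries the script could not have created.
    ensureUploadDir(UPLOAD_DIR);
    foreach (findForeignFiles(UPLOAD_DIR) as $entry) {
        echo "not created by this script: $entry\n";
    }
} elseif (isset($_FILES['upload'])) {
    try {
        echo 'stored as ' . storeUpload($_FILES['upload']) . "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

One caveat the permission bits cannot fix on their own: on a host where PHP runs as the shared Apache user (the `nobody` case in the host's reply), a directory writable by that user is writable by every site's scripts on the machine, so the 0750 above only helps once the directory is owned by the user PHP runs as and nobody else's scripts run as that user. Hosts that run PHP under each account's own user (suEXEC or per-user FastCGI pools) give that separation; asking the host which model they use is the first check to make.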

Fro
> The real answer is: Don't set 777 permissions. Never ever. Because if
> you do you allow your directory to be writable for everyone.
What then should I do? It is the only way I know to allow visitors of
my site to upload files. Do you know another way to reach the goal?
Mar 5 '08 #15

Fro
> And the right answer was given by Tim:
> It's certainly possible, but how would they have found your directory?
This cannot be the right answer because it is not an answer (it is a
question). And the answer to that question is:
There are at least two ways to find my directory.
1. They could use the "ls" command.
2. They see the directory names in the address line of the browser (if
they are watching my page).
Mar 5 '08 #16
