From: § o m e 1 (some1runbox.com)
Date: Fri Jun 21 2002 - 21:35:05 CDT
Thanks for your reply, William.
That's correct.. the problem is not how to protect my own script from being
The problem is:
how to protect my hosting server..
I have a small web hosting company, and I have my own server.. I don't give
any client SSH or Telnet access. Sometimes my customers upload a PHP or
Perl script or SSI files that allow them to hack "another user" on the
1- A hacker wants to hack this site (www.shop.com).
First he finds out what hosting company shop.com uses
(from the DNS, for example: ns1.myHostingSite.com).
2- The hacker signs up for a $12 hosting account on my site.
After that, the hacker uploads a Perl or PHP script to his website, "hack.pl
or hack.php",
or a hack.php containing:
$output = `$cmd`;
After that he updates his phpMyAdmin config.php file with shop.com's SQL
password and gets everything!
That is the problem.
Anyway: for PHP I can do some control. I edited the php.ini and added:
disable_functions = system, exec, passthru, popen, shell_exec
I want to add the function fopen, but I can't; many scripts require that
function... guestbooks, BBs, chat scripts..
But for SSI and Perl I don't know how I can control these things..
I thought that there were some good solutions (from Apache, I think) for this
kind of common security trouble for web hosting companies.
----- Original Message -----
From: William Underwood
Cc: moksha faced
Sent: Friday, June 21, 2002 7:06 PM
Subject: RE: WebHost Security
Replying to the list, as that is where the thread is...
moksha faced <adminmokshafaced.com> wrote:
>If it's a 'server-wide' setting, you could set the web
>server to disallow exec statements, like the Apache
>"IncludesNOEXEC" which permits server-side includes
>but won't allow "#exec" and "#exec CGI" type
>It's still always a good idea to run "perl -T" (taint
>mode) when it's a script and if you can.
>Does this help?
I'm sorry, but it doesn't help me at all, as I'm not the person with
the issue. Actually, I don't think it will help the OP either, as it sounds
like he's looking not for a way to prevent his own scripts from
being subverted, but rather a way to keep customers' scripts from
compromising his server.
-- William Underwood wllmundrwdnetscape.net
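An added example, not code from the thread or from any of its participants: a POSIX shell script that audits the two controls discussed above on a shared host. The first function reads a php.ini the way PHP's ini parser does; php.ini uses ';' to start a comment, so a disable_functions value separated by semicolons instead of commas silently disables only the first name. The second function reports Apache Options lines that grant SSI "#exec" (Includes rather than IncludesNOEXEC) or CGI execution (ExecCGI, or Options All) in customer trees, and AllowOverride lines that would let a customer's .htaccess grant them back. The php.ini lines and the httpd.conf fragment in the demo are constructed for the example, and the paths are invented.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the two settings the thread
# discusses on a shared web host, the php.ini disable_functions list and the
# Apache Options/AllowOverride directives that govern SSI "#exec" and CGI.
# The sample configs and paths below are constructed for this example.

# Print the functions a php.ini file really disables, one per line, reading
# the line the way PHP's ini parser does: everything after ';' is a comment,
# the value may be double-quoted, and names are separated by commas.
# A semicolon-separated list therefore disables only the first name.
php_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" \
      | sed 's/;.*$//; s/"//g' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$'
}

# Report Options lines that grant SSI exec or CGI, and AllowOverride lines
# that let a customer's .htaccess grant them back.  Output: file:line: reason.
audit_apache_exec() {
    awk '
    /^[ \t]*Options[ \t]/ {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) continue          # "-ExecCGI" removes, it does not grant
            tok = $i; sub(/^\+/, "", tok)    # "+Includes" grants like "Includes"
            if (tok == "Includes") print FILENAME ":" FNR ": SSI #exec allowed, use IncludesNOEXEC: " $0
            if (tok == "ExecCGI")  print FILENAME ":" FNR ": CGI execution allowed: " $0
            if (tok == "All")      print FILENAME ":" FNR ": Options All grants Includes and ExecCGI: " $0
        }
    }
    /^[ \t]*AllowOverride[ \t]/ {
        for (i = 2; i <= NF; i++)
            if ($i == "All" || $i == "Options")
                print FILENAME ":" FNR ": .htaccess may re-enable Options: " $0
    }' "$1"
}

# Demo on constructed files: a semicolon-separated list next to the intended
# comma-separated one, and a permissive customer tree next to a restricted one.
demo() {
    tmp=$(mktemp -d)
    printf 'disable_functions = system; exec; passthru; popen; shell_exec\n' > "$tmp/posted.ini"
    printf 'disable_functions = "system, exec, passthru, popen, shell_exec"\n' > "$tmp/fixed.ini"
    cat > "$tmp/httpd.conf" <<'EOF'
<Directory /home/shop/public_html>
    Options Indexes Includes ExecCGI
    AllowOverride All
</Directory>
<Directory /home/hack/public_html>
    Options IncludesNOEXEC -ExecCGI
    AllowOverride AuthConfig Limit
</Directory>
EOF
    echo "posted.ini really disables:"; php_disabled_functions "$tmp/posted.ini"
    echo "fixed.ini disables:";         php_disabled_functions "$tmp/fixed.ini"
    echo "httpd.conf findings:";        audit_apache_exec "$tmp/httpd.conf"
    rm -rf "$tmp"
}

demo
```

Run the two functions against the real php.ini and httpd.conf rather than the demo files. Disabling shell_exec also disables PHP's backtick operator used in the hack.php fragment above, but disable_functions covers only PHP: SSI "#exec" and Perl CGI run as the web server user, so on a shared host they need the Options restriction this script checks for and, for CGI, something like Apache's suEXEC so each customer's scripts run under their own account, with perl -T as the reply suggests.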