Hi

This is not really a problem for me now, because I have my own server, and
control who has access. This is a problem on virtual hosting, because
anybody could be on there.

It seems to be standard practice for ISPs to set up php as an Apache module
and leave it to run.  I played around and could do directory listings and
all sorts. (I did it to see how secure my files were and wouldn't touch
anybody else's stuff).

I did put it to the ISP (unnamed!) who said they had never heard of it and
didn't believe it had ever been a problem.

In practice few people know about it, and you have to have an account on the
server and the time and inclination to explore somebody else's (boring)
files. Beyond that it is a serious vulnerability.

I am working on some software that may be run on shared servers, so I will
look into suexec (I am only an amateur Apache bod, so thanks for that).

Peter


> -----Original Message-----
> From: Carl Troein [mailto:[EMAIL PROTECTED]]
> Sent: 11 November 2001 14:25
> To: [EMAIL PROTECTED]
> Subject: Re: OT: Securing username and password in script file
>
>
>
> Peter Lovatt writes:
>
> > I don't think there is a secure way of running php on a shared server.
>
> If by 'shared' you mean that you have users, then there is a very
> good way of doing it. Assuming that you use apache, have a look
> at the suexec wrapper.
>
> > I looked at ways of securing it but, fundamentally, php under apache runs
> > the same user for everyone, so if anyone can read the config file, everyone
> > can, if they know where it is.
>
> Ouch. Are your users aware of this? If you use suexec you could tell
> them to make sure that they chmod config files to 600. The only
> disadvantage of using suexec with php, is that you'll have to run
> php as cgi, which means that you'll need shebangs ('#!') in your
> files and make them executable and stuff, but it's not that big a
> deal usually. There are cases where you're better off with the
> module, but security-wise suexec can be better.
>
> //C
>
> --
>  Carl Troein - Círdan / Istari-PixelMagic - UIN 16353280
>  [EMAIL PROTECTED] | http://pixelmagic.dyndns.org/~cirdan/
>  Amiga user since '89, and damned proud of it too.
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail
> <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

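The check behind both messages above, as an added example that is not code from either poster: on a shared host where PHP runs as the single Apache user, any file that grants read to group or other can be opened by every other customer's script, so the audit below lists such files under a web root, and the lock-down step applies the chmod 600 that Carl recommends (which only keeps working once the script runs as the file's owner, i.e. under suexec with PHP as CGI). It assumes only POSIX sh, find, chmod and mktemp; the web root, file names and the credential string in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# Assumes POSIX sh, find, chmod, grep and mktemp only.

# List regular files under directory $1 whose mode grants read to group or
# other. Under mod_php every such file is readable by the shared Apache user
# and therefore by any other account's PHP script. Prints nothing when every
# file is owner-only (600/700).
audit_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) | sort
}

# Restrict file $1 to its owner. Under suexec the PHP CGI runs as that owner,
# so the script can still open it; under mod_php the same chmod would make the
# file unreadable to the web server, which is why the module setup cannot be
# locked down this way. Returns 0 when the file no longer shows in the audit.
lock_down() {
    chmod 600 "$1" || return 1
    if audit_readable "$(dirname "$1")" | grep -qxF -- "$1"; then
        return 1
    fi
    return 0
}

# Build a throwaway web root with a constructed world-readable config file,
# audit it, lock it down and audit again.  Run as: sh this_script.sh demo
demo() {
    root=$(mktemp -d) || return 1
    # constructed sample: the kind of file this thread is about
    printf '<?php $db_pass = "constructed-example";\n' > "$root/config.php"
    chmod 644 "$root/config.php"        # typical default on a mod_php host
    printf '<?php echo "hello";\n' > "$root/index.php"
    chmod 644 "$root/index.php"
    echo "before:"; audit_readable "$root"
    lock_down "$root/config.php" && echo "locked: $root/config.php"
    echo "after:";  audit_readable "$root"
    rm -rf "$root"
}

case "${1-}" in demo) demo ;; esac
```

Two caveats when moving to suexec: the wrapper refuses to run a script unless the script and its directory are owned by the target user and neither is writable by group or other, and, as Carl notes, the PHP files then need a `#!` line pointing at the php CGI binary and the execute bit set. So after locking the config file to 600, check the script files themselves (700 is the usual choice) or suexec will log an error and return nothing.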
