Peter Lovatt [mailto:[EMAIL PROTECTED]] wrote:

> This is not really a problem for me now, because I have my own server,
> and control who has access. This is a problem on virtual hosting,
> because anybody could be on there.

You are exactly correct. This problem is huge on virtual hosting accounts; however, it's virtually non-existent on a dedicated one. The only answer I consistently get is "if you have to be secure, you can't use a virtual hosting account."

> It seems to be standard practice for ISPs to set up PHP as an Apache
> module and leave it to run. I played around and could do directory
> listings and all sorts. (I did it to see how secure my files were and
> wouldn't touch anybody else's stuff.)

Most don't even bother to configure PHP so that it will stay inside the root directory of the webserver. PHP will do this if you tell it, but it's not on by default; therefore you can roam the server's filesystem at will on most virtual servers.

> I did put it to the ISP (unnamed!) who said they had never heard of
> it and didn't believe it had ever been a problem.

Ignorance is bliss.

> In practice few people know about it, and you have to have an account on
> the server and the time and inclination to explore somebody else's
> (boring) files. Beyond that it is a serious vulnerability.

It actually doesn't take much to run a script that searches all the .php, .pl and .ini files on the server for the words "username" and "password" (and their derivatives) and requires very little manual

> I am working on some software that may be run on shared servers, so
> I will look into the suexec (I am only an amateur Apache bod so thanks
> for that)

I think you have to have PHP installed as a stand-alone CGI application to use suexec, but I'm not positive. I'll test it.

It would be nice if MySQL supported some form of encrypted login where the username and password could be decrypted internally somehow. Perhaps a test on what directory the script is running from... I don't know, I'm reaching here.

It just seems that between the lack of a unique username running Apache in a directory on a virtual server, and the common practice for usernames and passwords to be stored in plain text for use by scripting languages, a more systematic approach to securing access would be useful. Maybe I'm missing something else I could be doing here. Any ideas?

-t
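Added example, not from this thread: a per-virtual-host Apache configuration that closes the two gaps discussed above (mod_php able to read any customer's files because everything runs as the one Apache user, and no per-customer identity for scripts). The hostname, account name and paths are assumed placeholders, and mod_php and mod_suexec are assumed to be loaded.

```apache
# Typical ISP setup: mod_php with no open_basedir at all, so a script in one
# customer's account can open any file the Apache user can read, including
# other customers' .php/.ini files holding database credentials.
#
# Hardened per-customer vhost (placeholders: customer1, example-customer.test,
# /home/customer1 layout):

<VirtualHost *:80>
    ServerName example-customer.test
    DocumentRoot /home/customer1/public_html

    # suexec only applies to scripts Apache runs as CGI/SSI, not to mod_php.
    # With mod_suexec loaded, CGI in this vhost executes as customer1 rather
    # than the shared Apache user, so ordinary file permissions can keep
    # customers' files apart.
    SuexecUserGroup customer1 customer1

    <Directory /home/customer1/public_html>
        # mod_php: confine PHP's file functions to this customer's own tree
        # plus a private temp/session directory. php_admin_value cannot be
        # overridden from .htaccess or ini_set(), unlike php_value.
        php_admin_value open_basedir "/home/customer1/public_html:/home/customer1/tmp"
        # Keep session files inside the allowed tree (the default /tmp is
        # outside open_basedir and is shared with every other account).
        php_admin_value session.save_path "/home/customer1/tmp"
    </Directory>
</VirtualHost>
```

open_basedir restricts only PHP's own file access, not programs PHP starts through exec() or system(), so those still need separate handling; and, as doubted in the thread, SuexecUserGroup has no effect on PHP running as an Apache module.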