On Wednesday 12 February 2003 07:46, Chris Wesley wrote:
> On Tue, 11 Feb 2003, Christopher Ditty wrote:
> > Chris, Did you read the rest of the message?  It sounds like the web
>
> Yes, I read your entire message.
>
> > host is saying that
> > someone can access PHP FTP from an outside server and hack into the
> > server.
>
> That's precisely NOT what the hosting provider said (at least it's not
> what my appreciation for running a secured web host led me to believe they
> said).  I don't expect you to be a security expert, but think with me
> through a very common scenario sysadmins must account for.  I'll use the
> word "you" in a general sense:

I think you're giving that hosting provider more credit than they deserve. 
Their reply really puts across the impression (fact?) that they are clueless.

>   You access an FTP server with a user name and a password to retrieve a
>   file via PHP FTP.  The user name and password is the same that grants
>   you access to your hosting provider's server.  (People do this
>   v.frequently.  Most people have trouble remembering one
>   username/password, so they make the dangerous choice to use one
>   username/password over and over again.)  A malicious individual sniffs
>   your username and password while you transfer a file via FTP to your
>   hosting provider.  Once the individual has his way with your FTP site
>   using your credentials, (s)he does the obvious next step ... attempts to
>   use the same credentials to gain access to your hosting provider's
>   server.

Even if they are not clueless and they were trying to say what you're
saying, it is still a very poor argument.

So they allow incoming FTP (presumably that's what people use to upload their 
site) but disallow outgoing FTP because someone might sniff the 
username/password? Does it make sense?

[snip]

> Ws-ftp uses plain-text authentication.  The FTP extension to PHP uses
> plain-text authentication.  (Neither has a choice, since FTP is a
> plain-text protocol.)  They both present security risks for the same
> reason.

A security risk in that someone might be able to get your login credentials 
and upload stuff to your FTP space, BUT not necessarily a security risk to 
the server itself. Modern FTP servers support virtual users and chroot so the 
risk of server compromise is minimised.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
Think sideways!
                -- Ed De Bono
*/
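The two situations argued over above, a script reusing the hosting login over clear-text FTP and a script using a separate, FTP-only credential, as an added example in PHP (not code from the thread or from either poster). It assumes the remote server offers FTP over TLS (ftp_ssl_connect() requires PHP built with OpenSSL) and that the FTP-only account is a chrooted virtual user on that server; host names and file paths are placeholders.

```php
<?php
// Added example, not from the mailing-list thread. Two ways a PHP script can
// pull a file from a remote FTP server: the first mirrors the risk described
// in the thread, the second limits what a sniffed credential is worth.

// BEFORE: ftp_connect() sends USER/PASS in clear text, and the script reuses
// the hosting-account login, so a sniffed password is also the password to
// the hosting server itself.
function fetch_plaintext_reused(string $host, string $remote, string $local): bool
{
    $ftp = ftp_connect($host);            // control channel is clear text
    if ($ftp === false) {
        return false;
    }
    // Same username/password as the hosting account: the dangerous choice.
    $ok = ftp_login($ftp, 'hosting_user', 'hosting_password')
        && ftp_pasv($ftp, true)
        && ftp_get($ftp, $local, $remote, FTP_BINARY);
    ftp_close($ftp);
    return $ok;
}

// AFTER: the credential belongs to a dedicated FTP-only (virtual, chrooted)
// account, is read from a file outside the web root, and the control channel
// is wrapped in TLS. Assumption: the remote server accepts AUTH TLS.
function fetch_hardened(string $host, string $remote, string $local, string $credFile): bool
{
    // $credFile holds "user:password" for the FTP-only account (placeholder
    // path chosen by the caller). It is not the hosting login, so a leak does
    // not open the server, only the chrooted FTP area.
    $cred = trim((string) file_get_contents($credFile));
    if ($cred === '' || strpos($cred, ':') === false) {
        return false;
    }
    [$user, $pass] = explode(':', $cred, 2);

    $ftp = ftp_ssl_connect($host);        // USER/PASS travel encrypted
    if ($ftp === false) {
        return false;                     // never fall back to clear text
    }
    $ok = ftp_login($ftp, $user, $pass)
        && ftp_pasv($ftp, true)
        && ftp_get($ftp, $local, $remote, FTP_BINARY);
    ftp_close($ftp);
    return $ok;
}
```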


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
