At 18:08 15/06/02 +0200, Melvyn Sopacua wrote :-
>lweb said at 11:35 15-6-2002:
>
>>thanks for the answer! I'm too happy with sambar, and this mailing list, I
>>found in the document resource that I can execute a Script.
>> I want to OPEN all php, php3, inc, jsp, js,........ in text format and
>> check for dangerous functions like "system(), phpinfo(), .........."
>
>If you are that worried about your users, you shouldn't give them FTP
>access. FTP has no capabilities of verifying what has been uploaded to
>that extent. FTP access already implies a certain amount of trust.
>
>What you could do, is have them upload everything into a spool folder,
>which is checked and put into the real webspace, using a cron entry.
>
>That would however cause some delay.

Or you could do a simple CGI (or other) script that you can set up :-

EG www.webserver/cgi-bin/check.cgi?query=(username)...

When they upload scripts to the FTP, it uploads to a test folder called
/docs/test63268/(username)
(the test(number) is used so only you know the actual directory it's
uploaded to, & no user can possibly guess...)

When the user activates the CGI script, it scans the folder for any
SYSTEM / PHPINFO commands etc... (whatever you want) & if it doesn't
contain any key-phrases, it will move the files into the real site...

If it does contain the certain words/phrases, it can send an email to
(you) the site administrator etc.. & a warning to the user..
(or whatever you want it to do..)

It only needs 1 extra directory set up - per user, & about 1-2 days to
programme... & test..

(it's almost 2 a.m. here - time for bed...)

If anyone wants that kind of system, email me & I'll do one in a day or so...

G.

-------------------------------------------------------
To unsubscribe please go to http://www.sambar.ch/list/
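
The spool-and-check flow described in this thread, sketched as an added example that is not code from either poster. The function names, the keyword list beyond system() and phpinfo(), and the directory layout are assumptions, and the sample uploads are constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed policy: the thread names system() and phpinfo(); the rest are illustrative.
DANGEROUS = ("system", "phpinfo", "exec", "shell_exec", "passthru", "popen", "eval")
SCRIPT_EXTS = {".php", ".php3", ".inc", ".jsp", ".js"}
# Function name followed by "(", any case, whitespace or newline allowed before it.
CALL_RE = re.compile(r"(?<!\w)(" + "|".join(DANGEROUS) + r")\s*\(", re.IGNORECASE)

def scan_file(path):
    """Return [(line_number, function_name), ...] for each flagged call in path."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [(text.count("\n", 0, m.start()) + 1, m.group(1).lower())
            for m in CALL_RE.finditer(text)]

def process_spool(spool, webroot):
    """Promote the upload if clean; return {relative_path: hits} (empty = promoted)."""
    spool, webroot = Path(spool), Path(webroot)
    files = [p for p in sorted(spool.rglob("*")) if p.is_file()]
    findings = {}
    for path in files:
        if path.suffix.lower() in SCRIPT_EXTS:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(spool).as_posix()] = hits
    # On any hit nothing is moved, so the administrator can review the spool.
    if not findings:
        for path in files:
            dest = webroot / path.relative_to(spool)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
    return findings

def demo():
    """Run the check on two constructed uploads: (clean, flagged, promoted?)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for user, body in (("alice", "<?php echo 'hi'; ?>\n"),
                           ("bob", "<?php\n$filesystem = 1;\nSystem ('uptime');\n?>\n")):
            (root / "spool" / user).mkdir(parents=True)
            (root / "spool" / user / "index.php").write_text(body)
        clean = process_spool(root / "spool" / "alice", root / "web" / "alice")
        flagged = process_spool(root / "spool" / "bob", root / "web" / "bob")
        return clean, flagged, (root / "web" / "alice" / "index.php").exists()

if __name__ == "__main__":
    print(demo())
```

A keyword match is only a coarse filter, so an empty result means nothing obvious was found, not that the upload is safe. The returned findings are what the cron job or CGI wrapper would mail to the administrator.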
