You are right, Anil,

I think we should collectively discourage people from attempting this sort of thing. I am no fan of webmin, cpanel or any of the other vhost/admin stuff but at least they are likely to be more secure than what can be scratched together in a hurry.


Anil Kumar K. wrote:


Writing something like this as part of a Web application is definitely a bad idea.

The requirement is more like that of a remote administration system and Webmin (http://www.webmin.com/) cleanly and safely fits the bill. Webmin can actually do more than just restarting Apache. But it can be configured to do only that.


best regards.
  Anil

On Wed, 3 Sep 2003, Jason Sheets wrote:



More safely maybe, but even that solution could be exploited somewhat easily. The script that writes the file would be better off as a CGI than executed through the Apache module; this would allow you to restrict write access to the directory where the file that triggers the restart is stored to the owner of the script. You could then further restrict access to this script through .htaccess or other means. If you make a file trigger a cronned job to restart the server, if you are using mod_php the directory must be writable to the user the web server runs as, which means that anyone who can execute PHP code through the webserver can trigger a server restart by writing the file. You could even cron it to write the file every minute, effectively shutting the server down (whether it be web or the actual system itself).

Doing something like this takes a lot of thought; it can be made difficult to exploit, but you need to do more than just make a cron pick up a file. Excellent starting place though.

Jason



--
http://www.raditha.com/php/progress.php
A progress bar for PHP file uploads.
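
Added example, not part of the original messages: a sketch of the checks a cron-side job could make before acting on the restart trigger file discussed in the thread, so that a file written by the web server user is refused. The trigger path, the dedicated owner account and the `RESTART_CMD` variable (defaulting to `apachectl graceful`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron-side checks before honouring a restart trigger file.
# Assumed names: trigger path, owner account, RESTART_CMD (all hypothetical).

# Succeed only if the trigger and its directory are writable by $2 alone.
trigger_is_trusted() {
    trigger=$1
    owner=$2
    dir=$(dirname -- "$trigger")

    # A symlink could point the job at a file someone else controls.
    [ -f "$trigger" ] && [ ! -L "$trigger" ] || return 1

    # Directory: owned by $owner, no group or world write bit. A directory the
    # web server user can write to (the mod_php case) fails this check,
    # provided $owner is a separate account.
    [ -n "$(find "$dir" -prune -type d -user "$owner" \
            ! -perm -0020 ! -perm -0002)" ] || return 1

    # Trigger file: same ownership and write-bit requirements.
    [ -n "$(find "$trigger" -prune -type f -user "$owner" \
            ! -perm -0020 ! -perm -0002)" ] || return 1
}

# Consume a trusted trigger and restart; refuse and report anything else.
process_trigger() {
    [ -e "$1" ] || [ -L "$1" ] || return 0   # no restart requested
    if trigger_is_trusted "$1" "$2"; then
        # Remove the trigger first so one request causes one restart.
        rm -f -- "$1" && ${RESTART_CMD:-apachectl graceful}
    else
        echo "refusing untrusted restart trigger: $1" >&2
        return 1
    fi
}

# Run from cron as: script /path/to/trigger owner-account
if [ "$#" -eq 2 ]; then
    process_trigger "$1" "$2"
fi
```

A refused trigger is left in place and the job exits non-zero, so cron's mail output records the attempt.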
