Web Hosting Talk







Big security problem on a raq !!!!!!!!


hoot
11-16-2001, 04:21 PM
I was just playing around with the new fileman.cgi script when I discovered that just by changing the main root location from "/home/sites/siteXX" to just "/", I gained read access to the whole server, even to the password protected directories!
So no matter what user you use you can read everything that is on the server. Now what is really serious is that scripts such as autosetup keep the mysql root password in plain text, which means that you can then enter, view, add and change all the databases on the server. And as autosetup keeps all its information (passwords and usernames ....) in a mysql database, you gain access to all the server in write mode ...
And even if you don't have autosetup you can still download all the files on the server, and I'm sure that if you know a bit about programming you can find the program that encrypts all the passwords and modify it to decrypt them !!!!!

What can you do against this !!?????!!
I didn't realise how easy it was to hack a server if you have got an account on it !!!!!


Hoot
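
An added example, not part of the original thread and not fileman.cgi's own code: a server-side confinement check of the kind a file-manager script needs, so that a client-edited root of "/" or a planted symlink cannot leave the account's site directory. It is written in Python for illustration; the function names and the directory tree are constructed for the demo.

```python
import os
import tempfile

class PathEscape(Exception):
    """Requested path resolves outside the caller's site directory."""

def confine(site_root, requested):
    """site_root comes from the server's own account mapping, never the request."""
    root = os.path.realpath(site_root)
    # An absolute request such as "/" is re-rooted under the site directory.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # realpath has collapsed ".." and followed symlinks, so comparing whole
    # path components is meaningful (site1 does not match site10).
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscape(requested)
    return candidate

def is_allowed(site_root, requested):
    try:
        confine(site_root, requested)
        return True
    except PathEscape:
        return False

def build_demo_tree():
    """Constructed layout: one site directory plus a file outside it."""
    base = os.path.realpath(tempfile.mkdtemp())
    site = os.path.join(base, "home", "sites", "site1")
    os.makedirs(os.path.join(site, "web"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(site, "web", "index.html"), "w") as f:
        f.write("hello")
    with open(os.path.join(base, "etc", "secret.conf"), "w") as f:
        f.write("constructed secret")
    # A symlink inside the site that points outside it.
    os.symlink(os.path.join(base, "etc"), os.path.join(site, "link"))
    return base, site

if __name__ == "__main__":
    base, site = build_demo_tree()
    for req in ["web/index.html", "/", "../../../etc/secret.conf",
                "link/secret.conf", "../site10/x"]:
        print(req, "->", "ok" if is_allowed(site, req) else "denied")
```

A check like this only limits what the script will serve; the files themselves still need ownership and permissions that stop the CGI's user from reading other accounts' data.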

CmptrWz
11-16-2001, 10:17 PM
The pass encryption program is well known and one-way. It throws out information needed to de-crypt. Good luck decrypting a pass with a modified version of it!

hoot
11-17-2001, 05:09 AM
Good, then my only worry is the autosetup that keeps the mysql root password in plain text. I have asked northwest to try and do something to encrypt it!

hoot