Web Hosting Talk







View Full Version : IMPORTANT For SERVER OWNERS.


host911
09-07-2002, 12:58 AM
Hello,

I don't know if any of you saw this script before; it's called PHPShell. Even if you don't allow telnet or SSH on your server, they can view your root directories. :mad: I think all server owners should block or delete this script from their servers.

the URL is: http://www.gimpster.com/php/phpshell/index.php

Take care,

Nadav
09-07-2002, 01:14 AM
Eeek. Scary.

MultiVol
09-07-2002, 02:08 AM
:eek: :eek: Scary

Rich2k
09-07-2002, 05:43 AM
Surely the functions required to run such a script are blocked by safe_mode?

MultiVol
09-07-2002, 05:44 AM
Ahh the safe mode, hmm...

DavidU
09-07-2002, 12:57 PM
What a stupid program...

heh.

It runs as the web user, so I think the potential damage is pretty low, but you never know... it could hit up other web users' files and molest them.

-davidu

dreamrae.com
09-08-2002, 02:30 AM
ahhh!!!

DD-SNC
09-08-2002, 04:04 AM
This script is very very gay.

microsol
09-08-2002, 06:31 AM
This script is very old. You should be safe if you run PHP in safe mode.

roby2k
09-08-2002, 07:17 AM
Just to let you know, users are very limited in what they can see and use. They have no way of altering things; they may be able to view some things, but not all. If I remember right, they can't see most things; it will just redirect to the folder the file is in every time they try to do something.

DavidU
09-08-2002, 12:51 PM
Originally posted by DD-SNC
This script is very very gay.

How can a php script be gay?

Has AI technology progressed that much?

-davidu

LinuXpert
09-08-2002, 12:58 PM
Originally posted by roby2k
Just to let you know, users are very limited in what they can see and use. They have no way of altering things; they may be able to view some things, but not all. If I remember right, they can't see most things; it will just redirect to the folder the file is in every time they try to do something.
yes, that's right. They can't even delete their own files. This script is not new, actually there are many scripts like this written in Perl.

apokalyptik
09-08-2002, 03:03 PM
Truth: I didn't even bother looking at the script

Truth: I probably know what it does

Description: runs commands typed into a web browser

Truth: these commands are then run as the httpd daemon username; on Unix this is probably 'nobody'. In this case you can _ONLY_ execute commands with o+x, _ONLY_ read files with o+r, and _ONLY_ modify files with o+w (duh?)

Truth: this script idea is about 10 years old

Truth: if you're really paranoid about this script then do one of a couple of things: 1) look into User Mode Linux 2) chroot 3) stop web hosting, because worrying about this is like worrying about whether or not your Win2k box is secure - it's just dumb.

Sorry, that's my opinion :) :D ;) :stickout :cool: :rolleyes:
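The post above states the rule that decides what a web shell can actually do on a shared box: the command runs as the httpd user, so for files owned by anyone else only the 'other' bits count, and a file is only reachable if every directory above it is searchable for that user. The script below is an added example for this thread (not PHPShell's code and not anything the posters wrote) that audits a hosting tree from that perspective and lists other customers' files the web user could read or write, which is the cross-customer exposure DavidU mentioned earlier. The sample tree is constructed in a temporary directory and the httpd uid/gid are faked (chown needs root), so it runs offline; on a real server you would point it at /home with the real ids. ACLs, chroot, User Mode Linux and open_basedir are assumptions it does not model.

```python
"""Audit which files a web shell running as the httpd user could reach.

Added example for this thread, not code from PHPShell or the forum. It
applies the rule from the post above: a process that is neither the file
owner nor in its group gets only the 'other' bits, and it can reach a
file only if every directory on the way is searchable (x) for it.
Limits: ACLs, capabilities, chroot/UML and PHP's open_basedir are not
modelled, and a uid of 0 bypasses these bits entirely.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def exposure(path: str, uid: int, gid: int) -> Dict[str, bool]:
    """What a process running as uid/gid may do to path, from mode bits alone."""
    st = os.lstat(path)
    if uid == 0:                       # root ignores discretionary permission bits
        return {"read": True, "write": True, "exec": True}
    if st.st_uid == uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif st.st_gid == gid:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:                              # the 'nobody' case: o+r / o+w / o+x
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return {k: bool(st.st_mode & b) for k, b in zip(("read", "write", "exec"), bits)}


def audit(root: str, uid: int, gid: int) -> List[Tuple[str, bool, bool]]:
    """List files not owned by uid that uid could still read or write.

    Directories the web user cannot search are pruned, so a customer home
    set to 0700 hides everything beneath it whatever the file modes are.
    Returns (path relative to root, readable, writable), sorted by path.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if exposure(os.path.join(dirpath, d), uid, gid)["exec"]]
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue               # symlinks deserve their own audit
            if os.lstat(p).st_uid == uid:
                continue               # the web user's own files are expected to be reachable
            ex = exposure(p, uid, gid)
            if ex["read"] or ex["write"]:
                findings.append((os.path.relpath(p, root), ex["read"], ex["write"]))
    return sorted(findings)


def fake_web_ids() -> Tuple[int, int]:
    """Simulated httpd uid/gid (assumption: 65534 is 'nobody' on many Linux
    systems). Chosen to differ from the user running this script so every
    file in the sample tree counts as someone else's; chown needs root."""
    uid = 65534 if os.getuid() != 65534 else 65533
    gid = 65534 if os.getgid() != 65534 else 65533
    return uid, gid


def build_sample_tree() -> str:
    """Constructed hosting layout: three customers, typical mistakes included."""
    root = tempfile.mkdtemp(prefix="webshell-audit-")
    layout = {
        "customer_a/public_html/config.php": 0o644,   # DB credentials, world-readable
        "customer_b/public_html/index.php": 0o666,    # world-writable: defacement
        "customer_b/public_html/.htpasswd": 0o600,    # correctly locked down
        "customer_c/public_html/config.php": 0o644,   # hidden by the 0700 home below
    }
    for rel, mode in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("<?php // sample file for %s\n" % rel)
        os.chmod(p, mode)
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)   # normal: traversable by the web user
    os.chmod(os.path.join(root, "customer_c"), 0o700)    # YUPAPA's fix: lock the top directory
    return root


if __name__ == "__main__":
    web_uid, web_gid = fake_web_ids()
    for rel, readable, writable in audit(build_sample_tree(), web_uid, web_gid):
        print("%-40s read=%s write=%s" % (rel, readable, writable))
```

Run as-is it reports customer_a's config.php (readable) and customer_b's index.php (readable and writable) and nothing from customer_c, because the 0700 home directory stops traversal before the world-readable file beneath it is ever considered.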

bonahost
09-08-2002, 03:57 PM
Originally posted by NetworksData

yes, that's right. They can't even delete their own files. This script is not new, actually there are many scripts like this written in Perl.

As long as PHP runs as nobody on your server, I can make your server go down using this script.

DavidU
09-08-2002, 04:02 PM
Originally posted by bonahost


As long as PHP runs as nobody on your server, I can make your server go down using this script.

But the real question is: "Can you write a complete sentence?"

And by "down" do you mean cracked, DoS'd, or what?

A DoS does not show any sort of skill whatsoever and is pretty much reserved for fools and morons.

-davidu

iamdave
09-08-2002, 07:10 PM
Originally posted by roby2k
Just to let you know, users are very limited in what they can see and use. They have no way of altering things; they may be able to view some things, but not all. If I remember right, they can't see most things; it will just redirect to the folder the file is in every time they try to do something.

Pretty much what the case was with Plesk; I installed it, and I was only able to navigate within the current directory.

ntwaddel
09-08-2002, 09:53 PM
That script shouldn't be able to do much if you have open_basedir on and safe mode on.

iamdave
09-08-2002, 09:56 PM
Originally posted by ntwaddel
That script shouldn't be able to do much if you have open_basedir on and safe mode on.

Yep!

LinuXpert
09-08-2002, 09:59 PM
Originally posted by ntwaddel
That script shouldn't be able to do much if you have open_basedir on and safe mode on.
How about Perl scripts?

mind21_98
09-08-2002, 11:41 PM
Originally posted by DavidU
What a stupid program...

heh.

It runs as the webuser so I think the potential damage is pretty low but you never know...could hit up other webusers's files and molest them.

-davidu

Some people might not agree, but those kinds of programs have their uses. When I was at Hypermart (the free business hosting site), I used a CGI program I wrote to compile some stuff that I needed. This doesn't mean you shouldn't monitor for this, though; it just means you should pay attention to what exactly people are doing with their scripts.
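Two posts in this thread come down to the same operational task: host911 wants PHPShell blocked or deleted from servers, and mind21_98 says to watch what customers' scripts actually do. The scanner below is an added example (not PHPShell's code and not from any poster) that flags PHP files showing the indicators such a shell leaves in source: a command-execution function fed directly from a request superglobal, eval() over a decoded payload, and the weaker signal of command execution and request input appearing in the same file. The sample files are constructed inline. One caveat on the thread's other suggestion: safe_mode was removed in PHP 5.4, and open_basedir only restricts PHP's own file functions, not what a command spawned through system() or exec() can touch, so on current versions this kind of monitoring plus disable_functions does the work safe_mode used to.

```python
"""Flag PHP files that look like PHPShell-style web shells.

Added example for this thread, not PHPShell's code or anything from the
forum posters. Static indicators only: a command-execution function fed
straight from a request superglobal, eval() over decoded payloads, and
the weaker signal of command execution and request input in one file.
Regexes cannot follow data flow through variables or includes, so treat
'suspicious' as a queue for manual review, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

EXEC_CALL = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\("
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b|\$GLOBALS\["

PATTERNS = [
    # exec function whose argument list (up to the next ';') contains request input
    ("exec_from_request", re.compile(EXEC_CALL + r"[^;]*?(?:" + REQUEST_INPUT + r")", re.I | re.S)),
    ("exec_call", re.compile(EXEC_CALL, re.I)),
    ("eval_decoded", re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
]
REQUEST_RE = re.compile(REQUEST_INPUT, re.I)


@dataclass
class Finding:
    line: int
    indicator: str
    snippet: str


def scan_source(source: str) -> List[Finding]:
    """Return every indicator hit with its 1-based line number."""
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            hits.append(Finding(line, name, m.group(0).strip()[:60]))
    return hits


def verdict(source: str) -> str:
    """Collapse the hits into one of four buckets for triage."""
    names = {f.indicator for f in scan_source(source)}
    if "exec_from_request" in names or "eval_decoded" in names:
        return "likely web shell"
    if "exec_call" in names and REQUEST_RE.search(source):
        return "suspicious"          # exec and request input in one file, flow unknown
    if "exec_call" in names:
        return "review"
    return "clean"


def scan_tree(files: Dict[str, str]) -> Dict[str, str]:
    """Map each path to its verdict; on a real box read the files from disk."""
    return {path: verdict(src) for path, src in files.items()}


# Constructed samples, not real customer files.
SAMPLES = {
    "public_html/shell.php": (
        "<?php\n"
        "if (isset($_GET['cmd'])) {\n"
        "    passthru($_GET['cmd'] . ' 2>&1');\n"
        "}\n"
    ),
    "public_html/obfuscated.php": "<?php\neval(base64_decode('cGhwaW5mbygpOw=='));\n",
    "public_html/thumbs.php": (
        "<?php\n"
        "$file = basename($_GET['f']);\n"
        "exec('/usr/bin/convert ' . escapeshellarg($file) . ' thumb.png', $out);\n"
    ),
    "public_html/index.php": "<?php\necho 'Hello, ' . htmlspecialchars($_GET['name']);\n",
}

if __name__ == "__main__":
    for path, result in scan_tree(SAMPLES).items():
        print("%-28s %s" % (path, result))
        for f in scan_source(SAMPLES[path]):
            print("    line %d  %-18s %s" % (f.line, f.indicator, f.snippet))
```

The thumbnail script lands in "suspicious" rather than "likely web shell" on purpose: the request value passes through a variable and escapeshellarg(), which a regex cannot evaluate, so it goes to a human instead of being deleted on sight. A file-level verdict like this is what you would wire into a nightly run over /home, with "likely web shell" hits quarantined and the rest reviewed.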

benoire
09-09-2002, 09:54 AM
Why isn't there a demo of the script on their site? :D

Heh, nowt to worry about, though; you can't do anything you couldn't do another way.

YUPAPA
09-19-2002, 01:27 AM
Yep, Perl can do that... but if you change the permissions on the root directory to proper permissions, they can't view it.

Alan - Vox
09-19-2002, 05:54 PM
But the real question is: "Can you write a complete sentence?"

Perhaps you should have stopped and thought for a second before posting that. Perhaps English is his second language.

dreamrae.com
09-20-2002, 09:02 PM
once again ahh!!!

YUPAPA
09-20-2002, 11:16 PM
Originally posted by SplashHost.com

Perhaps you should have stopped and thought for a second before posting that. Perhaps English is his second language.

who are you talking to?

JustinH
09-21-2002, 01:46 AM
Probably the person he quoted... But it could be that Alan is just mumbling :).