  1. #1

    php shell system()...

    Hello everyone,

    2 days ago I discovered that one of the clients using PHP has read config.php from another client (these 2 clients are on the same server), and then he downloaded his database from MySQL.

    He was using a simple PHP script for executing shell commands like: ls, ps, cat, cd...
    I looked at this script and I found out that it uses PHP system().
    I simply disabled this function system(), but this caused some other problems: one site on this server was down because of this; that site is using ionCube....

    So, can anyone tell me how I can disable my clients from using shell via PHP?
    I would appreciate any comments...
    Thanks

  2. #2
    Put php safe mode on.

  3. #3
    I'm not a Linux/Apache pro, so I never managed to work out if it is possible, but would it be possible to make each virtual host use a separate Linux user account for accessing files etc., like you do with IIS?

    Otherwise anyone can access anyone else's files on the server regardless of whether they have access to system commands or not! It's easy to get directory listings within PHP itself. I'm sure this must be possible?

  4. #4
    Put php safe mode on.

  5. #5
    Does PHP safe mode stop people accessing other people's files? I.e., does it stop all file access?

  6. #6
    I wouldn't let him stay on the server. If I were you, terminate him now.
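
Added example, not written by any poster in this thread: a check an administrator could run over a php.ini to list the process-execution functions that remain callable when only `system()` is disabled, as the first post describes. The sample php.ini text is constructed, and the names `parse_disable_functions` and `still_callable` are hypothetical; the list of functions goes beyond the single one the thread mentions.

```python
import re

# PHP built-ins that start an external process; the backtick operator
# is shell_exec under another syntax.
EXEC_FUNCTIONS = ("system", "exec", "passthru", "shell_exec",
                  "popen", "proc_open", "pcntl_exec")

# Constructed sample php.ini: only system() is disabled, as in the first post.
SAMPLE_INI = """\
; constructed sample, not taken from the thread
;disable_functions = exec,passthru
disable_functions = system
"""


def parse_disable_functions(ini_text):
    """Return the set of names in the last active disable_functions line."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            # A later directive replaces an earlier one.
            value = m.group(1).strip().strip("\"'")
    # Names are compared exactly as written, which errs on the side of
    # reporting a function as still callable.
    return {name.strip() for name in value.split(",") if name.strip()}


def still_callable(ini_text):
    """List the process-execution functions the ini text does not disable."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    for name in still_callable(SAMPLE_INI):
        print("still callable:", name)
```

The check reads one php.ini text only, so settings applied anywhere else are not seen. As post #3 points out, reading another client's files through PHP itself does not need these functions, so this check does not cover that.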
