  1. #1
    Joined Nov 2001, Toronto, Canada, 111 posts

    IMPORTANT For SERVER OWNERS.

    Hello,

    I don't know if any of you have seen this script before. It's called PHPSHELL; even if you don't allow telnet or SSH on your server, they can view your root directories. I think all server owners should block or delete this script from their servers.

    the URL is: http://www.gimpster.com/php/phpshell/index.php

    Take care,

  2. #2
    Joined May 2002, 219 posts
    Eeek. Scary.

  3. #3
    Scary
    Western Man

  4. #4
    Joined May 2002, UK, 2,994 posts
    Surely the functions required to run such a script are blocked by safe_mode ?

  5. #5
    Ahh the safe mode, hmm...
    Western Man

  6. #6
    Joined Jun 2001, San Diego, CA, 283 posts

    what a dumb program

    What a stupid program...

    heh.

    It runs as the web user so I think the potential damage is pretty low, but you never know... it could hit up other web users' files and molest them.

    -davidu
    EveryDNS.NET :: FreeDNS and more.

  7. #7
    Joined Aug 2002, Baltimore, Maryland, 580 posts
    ahhh!!!

  8. #8
    Joined Sep 2002, Oklahoma, 825 posts

    PHPSHELL BLOWS GOATS!

    This script is very very gay.
    Devon Dunham (Owner, Sharpnet/DDoS Host)
    Advanced DDoS Mitigation and Server Management Solutions

    Protecting your online infrastructure.

    Est. 1998.

  9. #9
    Joined Jul 2001, /dev/null, 1,219 posts
    This script is very old. You should be safe if you run PHP in safe mode.

  10. #10
    Joined Apr 2002, Wirral/Cheshire/Merseyside, 203 posts
    Just to let you know, users are very limited in what they can see and use. They have no way of altering things; they may be able to view some things but not all. If I remember right, they cannot see most things; it will just redirect to the folder the file is in every time they try to do something.
    http://www.gocre8.co.uk - Liverpool Web Design
    http://www.outallnite.co.uk - Liverpool Clubbing

  11. #11
    Joined Jun 2001, San Diego, CA, 283 posts

    Re: PHPSHELL BLOWS GOATS!

    Originally posted by DD-SNC
    This script is very very gay.
    How can a php script be gay?

    Has AI technology progressed that much?

    -davidu
    EveryDNS.NET :: FreeDNS and more.

  12. #12
    Originally posted by roby2k
    Just to let you know, users are very limited in what they can see and use. They have no way of altering things; they may be able to view some things but not all. If I remember right, they cannot see most things; it will just redirect to the folder the file is in every time they try to do something.
    yes, that's right. They can't even delete their own files. This script is not new, actually there are many scripts like this written in Perl.
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  13. #13

    OI!

    Truth: I didn't even bother looking at the script

    Truth: I probably know what it does

    Description: runs commands typed into a web browser

    Truth: these commands are then run as the httpd daemon username; on Unix this is probably 'nobody'. In this case you can _ONLY_ execute commands with o+x, _ONLY_ read files with o+r, and _ONLY_ modify files with o+w (duh?)

    Truth: this script idea is about 10 years old

    Truth: if you're really paranoid about this script then do one of a couple of things: 1) look into User Mode Linux 2) chroot 3) stop web hosting, because worrying about this is like worrying about whether or not your win2k box is secure - it's just dumb.

    Sorry, that's my opinion.
    irc.apokalyptik.com http://www.apokalyptik.com http://www.apokalyptik.com/forum/

  14. #14
    Originally posted by NetworksData

    yes, that's right. They can't even delete their own files. This script is not new, actually there are many scripts like this written in Perl.
    As far php run as nobody in your server, I can make your server down using this script.

  15. #15
    Joined Jun 2001, San Diego, CA, 283 posts
    Originally posted by bonahost


    As far php run as nobody in your server, I can make your server down using this script.
    But the real question is: "Can you write a complete sentence?"

    And by "down" do you mean cracked, DoS'd, or what?

    A DoS does not show any sort of skill whatsoever and is pretty much reserved for fools and morons.

    -davidu
    EveryDNS.NET :: FreeDNS and more.

  16. #16
    Joined Nov 2001, California, 1,991 posts
    Originally posted by roby2k
    Just to let you know, users are very limited in what they can see and use. They have no way of altering things; they may be able to view some things but not all. If I remember right, they cannot see most things; it will just redirect to the folder the file is in every time they try to do something.
    Pretty much what the case was with Plesk; I installed it, and I was only able to navigate within the current directory.

  17. #17
    Joined Jul 2002, San Luis Obispo, CA, 818 posts
    That script shouldn't be able to do much if you have open_basedir on and safe mode on.
    Nick Twaddell
    WebSpace Solutions - Custom E-Solutions
    Fast, Reliable, Affordable Web Hosting

  18. #18
    Joined Nov 2001, California, 1,991 posts
    Originally posted by ntwaddel
    That script shouldn't be able to do much if you have open_basedir on and safe mode on.
    Yep!

  19. #19
    Originally posted by ntwaddel
    That script shouldn't be able to do much if you have open_basedir on and safe mode on.
    How about Perl scripts?
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  20. #20
    Joined Dec 2000, San Diego, CA, 1,571 posts

    Re: what a dumb program

    Originally posted by DavidU
    What a stupid program...

    heh.

    It runs as the web user so I think the potential damage is pretty low, but you never know... it could hit up other web users' files and molest them.

    -davidu
    Some people might not agree, but those kinds of programs have their uses. When I was at Hypermart (the free business hosting site), I used a CGI program I wrote to compile some stuff that I needed. This doesn't mean you shouldn't monitor for this though; it just means you should pay attention to what people are doing exactly with their scripts.
    -Mooneer
    Thoughtbug Software: Hosting shouldn't require any thought.
    Legitimate host? Support the Code of Ethical Conduct

  21. #21
    Joined Jul 2001, Coventry, England, 130 posts
    Why isn't there a demo of the script on their site?

    Heh, nowt to worry about though, you can't do anything you couldn't do another way.

  22. #22
    Joined May 2001, HK, 3,076 posts


    Yep, Perl can do that... but if you set proper permissions on the root directory, they can't view it.
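
Post #13's point (the script's commands run as the httpd user, so only files with o+x, o+r or o+w are reachable) and the directory-permission fix in this post are both about the "other" permission bits. As an added example, not code from the thread, from PHPShell or from any of the posters, this POSIX shell audit lists what such an unprivileged process could read, modify or traverse under a web root. The function names are my own and the sample tree built by demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from PHPShell): report what a process
# running as an unrelated account such as the httpd user "nobody" could reach
# in a directory tree, judged purely by the "other" permission bits:
# o+r to read, o+w to modify, o+x to execute a file or traverse a directory.

# audit_other_perms DIR MODE
#   MODE is r, w or x. Prints matching files and directories below DIR,
#   sorted, one per line. Exit status 2 on a bad MODE.
audit_other_perms() {
    dir=$1
    mode=$2
    case $mode in
        r) bit=4 ;;   # ----r-- : world-readable
        w) bit=2 ;;   # -----w- : world-writable
        x) bit=1 ;;   # ------x : world-executable / traversable
        *) echo "usage: audit_other_perms DIR r|w|x" >&2; return 2 ;;
    esac
    # "-perm -00N" matches when that "other" bit is set, whatever the owner
    # and group bits are. Octal is used so the check works on any find(1).
    find "$dir" -mindepth 1 \( -type f -o -type d \) -perm "-00$bit" | LC_ALL=C sort
}

# count_other_perms DIR MODE: number of matches, for a quick pass/fail check.
count_other_perms() {
    echo "$(audit_other_perms "$1" "$2" | grep -c .)"
}

# demo: build a constructed sample web root with mixed permissions and audit it.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pub" "$tmp/priv"
    : > "$tmp/pub/index.html";  chmod 644 "$tmp/pub/index.html"   # world-readable
    : > "$tmp/pub/upload.tmp";  chmod 666 "$tmp/pub/upload.tmp"   # world-writable
    : > "$tmp/priv/config.php"; chmod 600 "$tmp/priv/config.php"  # owner only
    chmod 755 "$tmp/pub"    # anyone may traverse
    chmod 700 "$tmp/priv"   # only the owner may enter, so config.php is hidden
    echo "world-readable:"; audit_other_perms "$tmp" r
    echo "world-writable:"; audit_other_perms "$tmp" w
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh audit.sh --demo` to see the constructed tree audited; point audit_other_perms at a real document root to list what a script executing as the web server's account could read or alter there. A directory without o+x hides everything beneath it from other accounts even when the files inside are world-readable, which is the effect the post above relies on.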

  23. #23
    Joined Nov 2000, Dundee, UK, 1,366 posts
    But the real question is: "Can you write a complete sentence?"
    Perhaps you should have stopped and thought for a second before posting that. Perhaps English is his second language.

  24. #24
    Joined Aug 2002, Baltimore, Maryland, 580 posts
    once again ahh!!!

  25. #25
    Joined May 2001, HK, 3,076 posts


    Originally posted by SplashHost.com

    Perhaps you should have stopped and thought for a second before posting that. Perhaps English is his second language.
    who are you talking to?

  26. #26
    Joined Nov 2000, 3,042 posts
    Probably the person he quoted... But it could be that Alan is just mumbling.
    A well-reasoned assumption is very close to fact.
    - Adorno
