From: James E. F. <jf...@ac...> - 2003-01-18 18:39:08
Consider a user who is using MajorHostingProvider, who
gives them space like:
/home/httpd/vhosts/example.com
Which has directories:
/home/httpd/vhosts/example.com/httpdocs
/home/httpd/vhosts/example.com/httpsdocs
Which are the doc-roots for the example.com virtual host.
Now you stick a phpinfo() script in there and it reports
open_basedir as:
open_basedir = '/home/httpd/vhosts/example.com/httpdocs'
Thus all support files for any PHP script must be within
a web accessible directory. The only option here is to
either use '.htaccess' files or an extension such that the
file is parsed by PHP. I dislike the .htaccess method,
because it is possible that a (pedantic) httpd.conf will
disallow changing options w/ .htaccess, and so a mysterious
HTTP/500 error will show up. Many people have no idea
where to look to find apache logs, so tracking down a 500
is difficult.
-James
s/MajorHostingProvider/rackspace.com/
On Sat, 18 Jan 2003, Christopher Zorn wrote:
> -1 for me. I think it should stay in a non-web-accessible directory.
>
>
> On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
> > Initially my feeling was that phpESP should be installed
> > somewhere outside of the web accessible part of your
> > filesystem. This would ensure that phpESP.ini would not be
> > compromised. However it seems many people can not
> > understand how to do this, and many can not do so because
> > they have to deal with open_basedir restrictions from their
> > hosting service. In light of this, I am willing to change
> > the extension. The change would be to rename phpESP.ini to
> > phpESP.ini.php. I would like the developers to vote on
> > this (-1/0/+1).
> >
> > This also brings up an important point about mysql
> > security. If you are concerned about your database
> > passwords, then I suggest you read the mysql manual on
> > permissions. The mysql security model allows restricting
> > access based on IP addresses, username/password, database,
> > and actions. My mysql server uses phpesp with the default
> > password (phpesp), and it doesn't matter that I tell you
> > that because the restrictions on hostnames, databases, and
> > permissions on that account prevent anyone from doing
> > damage. Anyone administering a mysql server should RTFM.
> >
> > -James
> >
> > ---------- Forwarded message ----------
> > Date: Fri, 17 Jan 2003 16:45:39 +0100
> > From: fl...@gm...
> > Subject: Re: [phpesp-dev] themes when embedding
> >
> > hi and happy new year!
> >
> > i have a really unnice message: my server let open port 8080 and with that
> > and misconfiguration all websurfers can look in my phpesp ini which is bloody
> > uncool!
> > so there is the need to change it to ext.php! i think... when php crashes
> > then it's the only point to have a chance to look in a php file otherwise
> > no!
> > is there any chance to do this or do i have to change it by myself?.......
> > (bad on upgrades)
> >
> > kind regards flobee
> >
> >
> >
> > -------------------------------------------------------
> > This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will
> > allow you to extend the highest allowed 128 bit encryption to all your
> > clients even if they use browsers that are limited to 40 bit encryption.
> > Get a guide here:http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en
> > _______________________________________________
> > phpESP-devel mailing list
> > php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
> >
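An added example, not part of the original thread and not phpESP code: a Python audit of a doc-root for the two exposures discussed above, a config file the server returns as plain text and a config file renamed to `.php` that still contains no PHP tags. The extension sets, function names and sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumptions: only .php is handed to PHP, and these extensions hold settings.
PHP_EXTS = {".php"}
CONFIG_EXTS = {".ini", ".inc", ".conf", ".cfg"}
# Approximation of PHP mode: an opening tag up to the closing tag or end of file.
PHP_BLOCK = re.compile(r"<\?(?:php\b|=).*?(?:\?>|\Z)", re.S)

def exposure(path):
    """Return why this file would leak when requested over HTTP, or None."""
    stem, ext = os.path.splitext(path.lower())
    if ext in CONFIG_EXTS:
        return "served as plain text: extension is not handled by PHP"
    if ext in PHP_EXTS and os.path.splitext(stem)[1] in CONFIG_EXTS:
        with open(path, encoding="utf-8", errors="replace") as fh:
            leftover = PHP_BLOCK.sub("", fh.read()).strip()
        if leftover:  # PHP echoes anything outside its tags verbatim
            return "renamed only: text outside PHP tags is sent to the client"
    return None

def audit_docroot(docroot):
    """Map each exposed file (path relative to docroot) to the reason."""
    findings = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(base, name)
            reason = exposure(full)
            if reason:
                findings[os.path.relpath(full, docroot)] = reason
    return findings

def demo():
    """Audit a constructed doc-root holding three variants of the config."""
    samples = {
        "a/phpESP.ini": "db_pass = constructed\n",
        "b/phpESP.ini.php": "db_pass = constructed\n",
        "c/phpESP.ini.php": "<?php\n$ESP['db_pass'] = 'constructed';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full))
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {why}")
```

The audit does not model `.htaccess` rules or a disabled PHP handler, so a clean result only covers the file-extension and file-content cases.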