From: James E. F. <jf...@ac...> - 2003-01-17 21:31:56
Initially my feeling was that phpESP should be installed somewhere outside of the web-accessible part of your filesystem. This would ensure that phpESP.ini would not be compromised. However, it seems many people cannot understand how to do this, and many cannot do so because they have to deal with open_basedir restrictions from their hosting service. In light of this, I am willing to change the extension. The change would be to rename phpESP.ini to phpESP.ini.php. I would like the developers to vote on this (-1/0/+1).

This also brings up an important point about MySQL security. If you are concerned about your database passwords, then I suggest you read the MySQL manual on permissions. The MySQL security model allows restricting access based on IP addresses, username/password, database, and actions. My MySQL server uses phpesp with the default password (phpesp), and it doesn't matter that I tell you that, because the restrictions on hostnames, databases, and permissions on that account prevent anyone from doing damage. Anyone administering a MySQL server should RTFM.

-James

---------- Forwarded message ----------
Date: Fri, 17 Jan 2003 16:45:39 +0100
From: fl...@gm...
Subject: Re: [phpesp-dev] themes when embedding

Hi, and happy new year!

I have a really not-so-nice message: my server left port 8080 open, and with that and a misconfiguration every web surfer can look into my phpESP ini, which is bloody uncool! So there is a need to change it to ext.php, I think... When PHP crashes, that is the only point where there is a chance to look into a PHP file; otherwise no! Is there any chance to do this, or do I have to change it myself? ....... (bad on upgrades)

Kind regards, flobee
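An added example (not phpESP's own code) of why the rename works: the first line of phpESP.ini.php is a comment to parse_ini_file() but PHP code to the web server, so the application can still read the credentials while a direct request for the file runs it as a script and stops before any credential is output. The file names, the [database] keys and the exact guard wording are assumptions; the script writes a constructed sample config to the temp directory and feeds the same file to the PHP engine to show what a browser would receive.

```php
<?php
// Added example (not phpESP code): why renaming phpESP.ini to phpESP.ini.php
// protects the credentials. The first line of the file is a comment to
// parse_ini_file() but PHP code to the web server, so a direct request runs
// the file and exits before any credential is sent. The file names, the
// [database] keys and the exact guard wording are assumptions.

declare(strict_types=1);

// Guard line: ';' makes it an INI comment; '<?php exit; ?>' stops PHP when
// the file is served as a script. Everything before the open tag ("; ") is
// the only output a browser ever gets.
const GUARD_LINE = '; <?php exit; ?> DO NOT REMOVE THIS LINE';

// Constructed sample config (same default credentials the message mentions).
const SAMPLE_CONFIG = GUARD_LINE . "\n"
    . "[database]\n"
    . "host = localhost\n"
    . "user = phpesp\n"
    . "pass = phpesp\n";

/** True when the file's first line is exactly the guard (no BOM, no leading blank line). */
function hasGuardLine(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $first = rtrim((string) fgets($fh), "\r\n");
    fclose($fh);
    return $first === GUARD_LINE;
}

/** Load the config as the application would, refusing a file that lost its guard. */
function loadConfig(string $path): array
{
    if (!hasGuardLine($path)) {
        throw new RuntimeException("$path lacks the PHP guard line; refusing to use it");
    }
    $cfg = parse_ini_file($path, true, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $path");
    }
    return $cfg;
}

/** Emulate a direct request for a *.php file: hand it to the PHP engine and capture the output. */
function simulateDirectRequest(string $path): string
{
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' -f ' . escapeshellarg($path));
}

$guarded = sys_get_temp_dir() . '/phpESP.ini.php';
file_put_contents($guarded, SAMPLE_CONFIG);

// The application side: the guard line is skipped as a comment.
$cfg = loadConfig($guarded);
echo "application reads user=", $cfg['database']['user'], "\n";

// The browser side: the engine prints "; " and exits at the guard.
$served = simulateDirectRequest($guarded);
echo "browser would receive: ", var_export($served, true), "\n";
echo strpos($served, 'phpesp') === false ? "no credentials leaked\n" : "LEAK\n";

unlink($guarded);
```

Run it with `php example.php` (it needs shell_exec enabled). The guard only helps where the server actually hands `.php` files to the PHP engine: a second listener without PHP (the port 8080 in flobee's report), a broken PHP module, or an editor backup such as phpESP.ini.php~ all serve the bytes raw again, so a web-server deny rule remains a worthwhile second layer.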
From: Matthew G. <gr...@mu...> - 2003-01-18 01:04:20
On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:

+1 in favor of the rename

...snip
> hosting service. In light of this, I am willing to change
> the extension. The change would be to rename phpESP.ini to
> phpESP.ini.php. I would like the developers to vote on
> this (-1/0/+1).
From: angek <ang...@ip...> - 2003-01-18 11:12:51
and a +1 from me

Kon

On Sat, 2003-01-18 at 12:04, Matthew Gregg wrote:
> +1ain favor of the rename
...snip
> -------------------------------------------------------
> This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will
> allow you to extend the highest allowed 128 bit encryption to all your
> clients even if they use browsers that are limited to 40 bit encryption.
> Get a guide here:http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel
From: Christopher Z. <zo...@mu...> - 2003-01-18 16:10:38
-1 for me. I think it should stay in a non-web-accessible directory.

On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
> Initially my feeling was that phpESP should be installed
> somewhere outside of the web accessible part of your
> filesystem. This would ensure that phpESP.ini would not be
> compromised. However it seems many people can not
> understand how to do this, and many can not do so because
> they have to deal with open_basedir restrictions from their
> hosting service. In light of this, I am willing to change
> the extension. The change would be to rename phpESP.ini to
> phpESP.ini.php. I would like the developers to vote on
> this (-1/0/+1).
...snip
From: Moshe W. <wei...@te...> - 2003-01-18 16:20:40
Another open source project I know (Drupal) keeps its ini file in the web-accessible directory but blocks it via an .htaccess rule. Here is the rule:

# Protect files and directories from prying eyes:
<Files ~ "(\.(conf|inc|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$">
  order deny,allow
  deny from all
</Files>

Users of non-Apache web servers are warned of the risks.

Christopher Zorn wrote:
> -1 for me. I think it should stay in a none web accessible directory.
...snip
From: <fl...@gm...> - 2003-01-18 19:36:59
That access was allowed; that was my problem with my ISP! That's why I reported it, to get it changed.

----- Original Message -----
From: "Moshe Weitzman" <wei...@te...>
To: <php...@li...>
Sent: Saturday, January 18, 2003 5:20 PM
Subject: Re: [phpesp-dev] insecure phpesp.ini

> Another open source project I know (Drupal) keeps their ini file in the
> web accessible directory but blocks it via .htaccess rule.
...snip
From: James E. F. <jf...@ac...> - 2003-01-18 18:39:08
Consider a user who is using MajorHostingProvider, who gives them space like:

/home/httpd/vhosts/example.com

which has directories:

/home/httpd/vhosts/example.com/httpdocs
/home/httpd/vhosts/example.com/httpsdocs

which are the doc-roots for the example.com virtual host. Now you stick a phpinfo() script in there and it reports open_basedir as:

open_basedir = '/home/httpd/vhosts/example.com/httpdocs'

Thus all support files for any PHP script must be within a web-accessible directory. The only option here is to either use '.htaccess' files or an extension such that the file is parsed by PHP. I dislike the .htaccess method, because it is possible that a (pedantic) httpd.conf will disallow changing options with .htaccess, and so a mysterious HTTP/500 error will show up. Many people have no idea where to look to find Apache logs, so tracking down a 500 is difficult.

-James

s/MajorHostingProvider/rackspace.com/

On Sat, 18 Jan 2003, Christopher Zorn wrote:
> -1 for me. I think it should stay in a none web accessible directory.
...snip
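An added example (not phpESP's own code) that turns the reasoning in James's message into a check an installer can run: for each candidate location it decides whether PHP can open the file at all under open_basedir, whether a browser could reach it through a document root, and if so whether the name sends it through the PHP engine or leaves it as static text. The two doc-roots and the open_basedir value are constructed to mirror the hosting layout described above; paths are compared as absolute strings and nothing touches the real filesystem.

```php
<?php
// Added example (not phpESP code): classify where phpESP.ini can live on a
// host like the one described in the message above. The document roots and
// the open_basedir value are constructed from that message; nothing here
// touches the real filesystem, paths are compared as absolute strings.

declare(strict_types=1);

/** Split an open_basedir value into directory prefixes; [] means unrestricted. */
function openBasedirPrefixes(string $openBasedir): array
{
    $prefixes = [];
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $entry = trim($entry);
        if ($entry !== '') {
            $prefixes[] = $entry;
        }
    }
    return $prefixes;
}

/** True when $path is $dir itself or lies below it (no symlink resolution: pass realpath() output in live use). */
function isUnder(string $path, string $dir): bool
{
    $dir = rtrim($dir, '/') . '/';
    return strncmp($path . '/', $dir, strlen($dir)) === 0;
}

/** PHP may open $path only if open_basedir is unset or one of its prefixes contains it. */
function phpCanOpen(string $path, string $openBasedir): bool
{
    $prefixes = openBasedirPrefixes($openBasedir);
    if ($prefixes === []) {
        return true;
    }
    foreach ($prefixes as $prefix) {
        if (isUnder($path, $prefix)) {
            return true;
        }
    }
    return false;
}

/** True when a browser could request $path through any of the known document roots. */
function webReachable(string $path, array $docRoots): bool
{
    foreach ($docRoots as $root) {
        if (isUnder($path, $root)) {
            return true;
        }
    }
    return false;
}

/**
 * One of:
 *   unreadable  open_basedir stops PHP itself from opening the file
 *   safe        outside every document root
 *   php-parsed  reachable, but the .php suffix sends it through PHP (guard line still required)
 *   exposed     reachable and served as static text, credentials included
 */
function classify(string $path, string $openBasedir, array $docRoots): string
{
    if (!phpCanOpen($path, $openBasedir)) {
        return 'unreadable';
    }
    if (!webReachable($path, $docRoots)) {
        return 'safe';
    }
    return strtolower(substr($path, -4)) === '.php' ? 'php-parsed' : 'exposed';
}

// Constructed layout: two doc-roots, open_basedir pinned to the http one.
$docRoots    = ['/home/httpd/vhosts/example.com/httpdocs',
                '/home/httpd/vhosts/example.com/httpsdocs'];
$openBasedir = '/home/httpd/vhosts/example.com/httpdocs';

$candidates = [
    '/home/httpd/vhosts/example.com/phpESP.ini',              // the ideal spot, but open_basedir forbids it
    '/home/httpd/vhosts/example.com/httpdocs/phpESP.ini',     // what flobee's visitors could read
    '/home/httpd/vhosts/example.com/httpdocs/phpESP.ini.php', // the proposed rename
];
foreach ($candidates as $candidate) {
    printf("%-58s %s\n", $candidate, classify($candidate, $openBasedir, $docRoots));
}

// Without the open_basedir restriction the first candidate becomes usable.
echo "unrestricted: ", classify($candidates[0], '', $docRoots), "\n";
```

On a live host, feed it `ini_get('open_basedir')` and the `$_SERVER['DOCUMENT_ROOT']` of every virtual host (the https one included). It only knows the roots you pass it, so an extra listener like the port 8080 in flobee's report can still expose the file, and "php-parsed" assumes the file carries the exit guard on its first line. If you go the .htaccess route instead, note that the Drupal rule quoted earlier in this thread matches .conf, .inc, .sql and similar suffixes but not .ini, so it would need "ini" added to its alternation before it covers phpESP.ini.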
From: <fl...@gm...> - 2003-01-18 16:11:48
About the MySQL password: it can be easily ripped! I've heard that in a forum (I don't know how..), but creating a simple password function with a 32-length string is more secure! We already have a one-way password check; just requesting on this with the extra function md5($password * $extrastrings * $routines) would be more secure :-) Anyway, I don't have Fort Knox :-)

----- Original Message -----
From: "James E. Flemer" <jf...@ac...>
To: <php...@li...>
Sent: Friday, January 17, 2003 10:31 PM
Subject: [phpesp-dev] insecure phpesp.ini

> This also brings up an important point about mysql
> security. If you are concerned about your database
> passwords, then I suggest you read the mysql manual on
> permissions. The mysql security model allows restricting
> access based on IP addresses, usename/password, database,
> and actions. My mysql server uses phpesp with the default
> password (phpesp), and it doesn't matter that I tell you
> that because the restrictions on hostnames, databases, and
> permissions on that account prevent anyone from doing
> damage. Anyone administering a mysql server should RTFM.
...snip