From: SourceForge.net <no...@so...> - 2006-07-08 00:01:20
Feature Requests item #1518713, was opened at 2006-07-07 14:56
Message generated for change (Comment added) made by mgeisler
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface Improvements
Group: None
>Status: Pending
Priority: 5
Submitted By: Jürgen Hörmann (hoerj)
>Assigned to: Martin Geisler (mgeisler)
Summary: Merge all Files into one

Initial Comment:
Because this program exposes the webserver to a highly increased risk of being hacked, I suggest not leaving the script on the server. To make it more usable to upload, use and delete the script, it would be good if all files and config could be merged into one solid PHP file.

----------------------------------------------------------------------

>Comment By: Martin Geisler (mgeisler)
Date: 2006-07-08 02:01

Message:
Logged In: YES
user_id=1264592

Yeah, I tend to agree with Tobias. Protecting the script with the builtin user management and/or a .htaccess file should be sufficient.

If that isn't enough, then rename phpshell.php to phpshell.txt when you want to disable PHP Shell. That *must* be enough -- otherwise you have to ask yourself what kind of attack you anticipate. My point is that if people can still use PHP Shell after you've turned it into a text file, then people could most probably also break your system without PHP Shell being there in the first place.

Deleting the phpshell.php file temporarily and uploading it when needed could also work. The other support files should be quite harmless.

I hope that makes sense -- I'll mark this feature request as "pending", meaning that it will be automatically closed in 14 days unless you respond to it.

----------------------------------------------------------------------

Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 01:27

Message:
Logged In: YES
user_id=1551592

I cannot agree. The effort to upload and delete the script is nothing compared to the security risk of this software. You should not deny the probability that there will always be other PHP scripts that have vulnerabilities. Those scripts might be exploited to include other files on the server. That way you can easily bypass the .htaccess protection. That this scenario is not only a fiction is shown on your comment list on your "old" webpage.

IMHO this script is mainly useful for installation and service tasks, jobs you only do from time to time. So the effort of uploading is negligible to me.

The problem with the readability of the code could be solved by making a development version that consists of multiple files that are only merged for the release version. It would be possible to make a setup routine that merges all files, too.

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-07 17:01

Message:
Logged In: YES
user_id=1432671

Hi,

of course, software like this is also a safety risk, but I think this idea is very time-consuming. I think it is easier and nearly as safe as your idea to put the software into a directory protected by .htaccess (for access control).

Putting all the software in just one file would make this file less easy to understand.

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638
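The directory-level protection that Tobias and Martin describe, written out as an added example; this is not part of the PHP Shell project and not code from anyone in the thread. It is Apache 2.4 syntax, and the user database path, the realm name and the 203.0.113.0/24 network are assumptions to be replaced for a real deployment.

```apache
# Added example (not the PHP Shell project's own): .htaccess placed in the
# directory that holds phpshell.php. Apache only honours it if the server
# config grants "AllowOverride AuthConfig Limit" (or All) for this directory;
# otherwise the file is ignored or produces a 500, so verify that first.
AuthType Basic
AuthName "Admin tools"
# Assumed path. Create the database with:
#   htpasswd -c /var/www/private/phpshell.htpasswd admin
# It lives outside the document root so the web server can never serve it.
AuthUserFile /var/www/private/phpshell.htpasswd

# Both conditions must hold: a valid account AND a trusted source network
# (assumed range). Drop the ip rule if administrators have no fixed address.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>

# The config and any renamed copy must never be served as plain files:
# a phpshell.txt left in the web root is sent verbatim, source and all.
<FilesMatch "^(config\.php|.*\.txt|.*\.htpasswd)$">
    Require all denied
</FilesMatch>
```

Check it with a plain request to the directory, which should return 401 without credentials and 403 from an address outside the listed range. Note what this does and does not cover: it controls HTTP access to the files, which is exactly Jürgen's objection, since another vulnerable script on the same host reading or including phpshell.php from the filesystem never goes through Apache's authorization at all. For that case only removing the file from the server, as he proposes, closes the gap.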