From: <mge...@us...> - 2008-05-12 12:29:09
|
Revision: 33 http://phpshell.svn.sourceforge.net/phpshell/?rev=33&view=rev Author: mgeisler Date: 2008-05-12 05:29:17 -0700 (Mon, 12 May 2008) Log Message: ----------- Updated another URL to point to SF. Modified Paths: -------------- trunk/README Modified: trunk/README =================================================================== --- trunk/README 2008-05-12 12:20:15 UTC (rev 32) +++ trunk/README 2008-05-12 12:29:17 UTC (rev 33) @@ -1,5 +1,5 @@ README file for PHP Shell @VERSION@ -Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> +Copyright (C) 2000-2006, 2008 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. What is PHP Shell? @@ -126,7 +126,7 @@ You can download the newest version of PHP Shell from - http://mgeisler.net/php-shell/ + http://phpshell.sf.net/ The tarball/zipfile contains these files: This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mge...@us...> - 2008-05-12 12:20:08
|
Revision: 32 http://phpshell.svn.sourceforge.net/phpshell/?rev=32&view=rev Author: mgeisler Date: 2008-05-12 05:20:15 -0700 (Mon, 12 May 2008) Log Message: ----------- Updated webpage to the one hosted at SourceForge. Modified Paths: -------------- trunk/INSTALL trunk/phpshell.php trunk/pwhash.php Modified: trunk/INSTALL =================================================================== --- trunk/INSTALL 2008-05-12 12:09:09 UTC (rev 31) +++ trunk/INSTALL 2008-05-12 12:20:15 UTC (rev 32) @@ -1,14 +1,14 @@ INSTALL file for PHP Shell @VERSION@ -Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> +Copyright (C) 2000-2006, 2008 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. Downloading PHP Shell ===================== -You can always get the latest version of PHP Shell from my homepage: +You can always get the latest version of PHP Shell from: - http://mgeisler.net/php-shell/ + http://phpshell.sf.net/ Modified: trunk/phpshell.php =================================================================== --- trunk/phpshell.php 2008-05-12 12:09:09 UTC (rev 31) +++ trunk/phpshell.php 2008-05-12 12:20:15 UTC (rev 32) @@ -10,9 +10,9 @@ PHP Shell is an interactive PHP script that will execute any command entered. See the files README, INSTALL, and SECURITY or - http://mgeisler.net/php-shell/ for further information. + http://phpshell.sf.net/ for further information. - Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> + Copyright (C) 2000-2006, 2008 Martin Geisler <mge...@mg...> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License @@ -69,7 +69,7 @@ Copyright © <a href="mailto:mge...@mg...">Martin Geisler</a> and others, please see <a href="AUTHORS">AUTHORS</a>. This is PHP Shell @VERSION@, get the latest version at <a - href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. + href="http://phpshell.sourceforge.net/">phpshell.sf.net</a>. </address> </body> 
@@ -429,7 +429,7 @@ Copyright © <a href="mailto:mge...@mg...">Martin Geisler</a> and others, please see <a href="AUTHORS">AUTHORS</a>. This is PHP Shell @VERSION@, get the latest version at <a - href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. + href="http://phpshell.sourceforge.net/">phpshell.sf.net</a>. </address> </body> Modified: trunk/pwhash.php =================================================================== --- trunk/pwhash.php 2008-05-12 12:09:09 UTC (rev 31) +++ trunk/pwhash.php 2008-05-12 12:20:15 UTC (rev 32) @@ -1,7 +1,7 @@ <?php /* * pwhash.php file for PHP Shell @VERSION@ - * Copyright (C) 2005, 2006 Martin Geisler <mge...@mg...> + * Copyright (C) 2005, 2006, 2008 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. * * $Rev$ $Date$ @@ -98,7 +98,7 @@ Copyright \xA9 <a href="mailto:mge...@mg...">Martin Geisler</a> and others, please see <a href="AUTHORS">AUTHORS</a>. This is PHP Shell @VERSION@, get the latest version at <a - href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. + href="http://phpshell.sourceforge.net/">phpshell.sf.net</a>. </address> </body> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
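Review bot: the footer hunks in trunk/phpshell.php (@@ -69 and @@ -429) and trunk/pwhash.php (@@ -98) set the href to http://phpshell.sourceforge.net/ but show phpshell.sf.net as the link text, while INSTALL and the header comment in phpshell.php use http://phpshell.sf.net/. Pick one canonical URL so the visible text always matches the link target. The same footer markup is edited in three places here, which makes it a candidate for one shared include.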
From: <mge...@us...> - 2008-05-12 12:09:03
|
Revision: 31 http://phpshell.svn.sourceforge.net/phpshell/?rev=31&view=rev Author: mgeisler Date: 2008-05-12 05:09:09 -0700 (Mon, 12 May 2008) Log Message: ----------- Added link to SourceForge. Modified Paths: -------------- web/htdocs/index.html Modified: web/htdocs/index.html =================================================================== --- web/htdocs/index.html 2008-05-12 12:05:40 UTC (rev 30) +++ web/htdocs/index.html 2008-05-12 12:09:09 UTC (rev 31) @@ -24,6 +24,13 @@ files around. All the normal command line programs like ps, free, du, df, etc… can be used.</p> + <h2>Getting Help</h2> + + <p>Please use the <a + href="http://sourceforge.net/projects/phpshell/">SourceForge + facilities</a> to obtain help on PHP Shell. You can submit bug + reports, join the mailing lists.</p> + <h2>Inherent Limitations</h2> <p>There are some limitations on what kind of programs you can run. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
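Review bot: the last sentence of the new Getting Help paragraph, "You can submit bug reports, join the mailing lists.", is missing a conjunction and reads like a truncated list; write "submit bug reports or join the mailing lists". Linking the tracker and the list page directly, rather than the generic project URL, would also save readers a step.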
From: <mge...@us...> - 2008-05-12 12:05:34
|
Revision: 30 http://phpshell.svn.sourceforge.net/phpshell/?rev=30&view=rev Author: mgeisler Date: 2008-05-12 05:05:40 -0700 (Mon, 12 May 2008) Log Message: ----------- Updated heading. Modified Paths: -------------- web/htdocs/index.html Modified: web/htdocs/index.html =================================================================== --- web/htdocs/index.html 2007-03-17 15:43:42 UTC (rev 29) +++ web/htdocs/index.html 2008-05-12 12:05:40 UTC (rev 30) @@ -24,7 +24,7 @@ files around. All the normal command line programs like ps, free, du, df, etc… can be used.</p> - <h2>Limitations</h2> + <h2>Inherent Limitations</h2> <p>There are some limitations on what kind of programs you can run. It won’t do no good if you start a graphical program like Firefox or This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mge...@us...> - 2007-03-18 13:35:03
|
Revision: 29 http://svn.sourceforge.net/phpshell/?rev=29&view=rev Author: mgeisler Date: 2007-03-17 08:43:42 -0700 (Sat, 17 Mar 2007) Log Message: ----------- Added a basic webpage for PHP Shell. This is currently just a copy of the page at mgeisler.net. Important: use the push-to-sf.sh script to sync the live page at SourceForge after updating it in SVN. Added Paths: ----------- web/ web/htdocs/ web/htdocs/index.html web/htdocs/style.css web/push-to-sf.sh Added: web/htdocs/index.html =================================================================== --- web/htdocs/index.html (rev 0) +++ web/htdocs/index.html 2007-03-17 15:43:42 UTC (rev 29) 
@@ -0,0 +1,169 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" > + +<head> + <title>PHP Shell</title> + <link href="style.css" type="text/css" rel="stylesheet" /> +</head> + +<body> + + <h1>PHP Shell</h1> + + <p>PHP Shell is a shell wrapped in a PHP script. It’s a tool you can + use to execute arbitrary shell-commands or browse the filesystem on + your remote webserver. This replaces, to a degree, a normal telnet + connection, and to a lesser degree a SSH connection.</p> + + <p>You use it for administration and maintenance of your website, + which is often much easier to do if you can work directly on the + server. For example, you could use PHP Shell to unpack and move big + files around. All the normal command line programs like ps, free, + du, df, etc… can be used.</p> + + <h2>Limitations</h2> + + <p>There are some limitations on what kind of programs you can run. + It won’t do no good if you start a graphical program like Firefox or + even a console based one like vi. All programs have to be strictly + command line programs, and they will have no chance of getting user + input after they have been launched.</p> + + <p>They probably also have to terminate within 30 seconds, as this + is the default time-limit imposed unto all PHP scripts, to prevent + them from running in an infinite loop. Your ISP may have set this + time-limit to something else.</p> + + <p>But you can rely on all the normal shell-functionality, like + pipes, output and input redirection, etc… (There is no + <tab>-completion, though :-)</p> + + <h3>Safe Mode</h3> + + <p>Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe + Mode then PHP Shell will normally not work — sorry. 
Please read the + detailed explaination in the <tt>SECURITY</tt> file included in the + PHP Shell distribution.</p> + + + <h2>Installation</h2> + + <p>PHP Shell is easy to install — download it and unpack it and + configure the password. This is done in <tt>config.php</tt>. Please + read the included <tt>INSTALL</tt> file for detailed + information.</p> + + + <h2>How to Use PHP Shell</h2> + + <p>When you point your browser at PHP Shell you will be asked to + authenticate yourself. By default no username/password will work, so + please go read <tt>INSTALL</tt> for information about adding a + user.</p> + + <p>You’re back? Good. Enter your username and password and press + “Login”.</p> + + <p>You will then be presented with a rather simple page containing + nothing much except a big window with the cursor blinking at the + bottom, signaling that it’s ready to obey your commands.</p> + + <p>Write a command and press <tt>RET</tt> — or alternatively, press + the ‘Execute Command’ button if you really want. The command will be + executed and the result will be shows in the terminal. You can now + enter another command.</p> + + <p>To be more precise: the terminal is updated with the command line + you have just executed, the output of the command to standard out + (stdout), and following that any error output sent to stderr.</p> + + <p>The commands are executed relative to a current working + directory, which is written at the top. You change this by the + normal ‘<tt>cd</tt>’ command.</p> + + + <h2>Donations</h2> + + <p>Please consider donating if you have found PHP Shell useful: <a + href="http://sourceforge.net/donate/index.php?group_id=156638"><img + src="http://images.sourceforge.net/images/project-support.jpg" + alt="Support PHP Shell" border="0" height="32" width="88" /></a></p> + + + <h2>Download</h2> + + <p>The latest version of PHP Shell is <b>2.1</b> from <b>December + 27, 2005</b>. 
Download it as</p> + + <ul> + <li><a href="http://prdownloads.sourceforge.net/phpshell/phpshell-2.1.tar.bz2?download">phpshell-2.1.tar.bz2</a></li> + <li><a href="http://prdownloads.sourceforge.net/phpshell/phpshell-2.1.zip?download">phpshell-2.1.zip</a></li> + </ul> + + <p>The tarball/zipfile contains these files:</p> + + <ul> + <li> + <p><tt>phpshell.php</tt>: This is the script you run when you + use PHP Shell.</p> + </li> + + <li> + <p><tt>config.php</tt>: Configuration file in the INI + format.</p> + </li> + + <li> + <p><tt>pwhash.php</tt>: Password hashing script. This is used to + generate secure hashed passwords which you should use to prevent + others from getting to know your password by reading the + config.php file.</p> + </li> + + <li> + <p><tt>ChangeLog</tt>: This file describe the changes I’ve made + to PHP Shell. By reading it you’ll always know when I’ve added a + new feature or made a bugfix, and the nature of the + feature/bugfix.</p> + </li> + + <li> + <p><tt>README</tt>: Approximately this page.</p> + </li> + + <li> + <p><tt>INSTALL</tt>: Tells you how to install PHP Shell. Amoung + other things, it explains how to change the password protection + so that you can use PHP Shell.</p> + + <p>Remember that it’s very important to have PHP Shell password + protected, or else everybody will be able so snoop into your + files and perhaps also be able to delete them! Please take the + time to protect your installation of PHP Shell.</p> + </li> + + <li> + <p><tt>SECURITY</tt>: A separate guide about security with PHP + in general and PHP Shell in particular. 
Be sure to read this + too, especially if you are getting strange errors back from PHP + Shell.</p> + </li> + + <li> + <p><tt>COPYING</tt>: Standard GNU GPL.</p> + </li> + + </ul> + + <p>PHP Shell is kindly hosted by SourceForge: <a + href="http://sourceforge.net"><img + src="http://sflogo.sourceforge.net/sflogo.php?group_id=156638&type=4" + alt="SourceForge.net Logo" border="0" height="37" width="125" + /></a></p> + +</body> + +</html> Added: web/htdocs/style.css =================================================================== --- web/htdocs/style.css (rev 0) +++ web/htdocs/style.css 2007-03-17 15:43:42 UTC (rev 29) @@ -0,0 +1,26 @@ + +html { + background-color: darkred; +} + +body { + background-color: white; + font-family: sans-serif; + margin: 0em 5em 0em 5em; + padding: 2em; + text-align: justify; +} + +h1 { + border-bottom: thick solid red; + margin-bottom: 0.1em; +} + + +h2 { + border-bottom: medium solid red; +} + +a { + color: darkred; +} Added: web/push-to-sf.sh =================================================================== --- web/push-to-sf.sh (rev 0) +++ web/push-to-sf.sh 2007-03-17 15:43:42 UTC (rev 29) 
@@ -0,0 +1,28 @@ +#!/bin/sh +# +# PHP Shell. A shell for command execution on your webserver. +# +# Copyright (C) 2007 Martin Geisler. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program in the file COPYING; if not, write to the +# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +# Boston, MA 02110-1301 USA + +# $Id: push-to-sf.sh 456 2006-11-18 00:08:06Z mgeisler $ + + +# This script logs into SourceForge with SSH and updates the +# Subversion checkout holding the PHP Shell homepage. + +ssh shell.sourceforge.net 'svn update /home/groups/p/ph/phpshell' This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
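Review bot: web/push-to-sf.sh deploys the site by running 'svn update' on a working copy at /home/groups/p/ph/phpshell, so if htdocs is served straight from that checkout the .svn metadata directories sit next to the published files; deploy with 'svn export' into the web root or make sure the server denies requests for .svn. In the same file, the line "$Id: push-to-sf.sh 456 2006-11-18 00:08:06Z mgeisler $" names revision 456 and a date earlier than this rev 29 commit, so it looks carried over from another tree; reset it to an unexpanded $Id$. In web/htdocs/index.html the copied text still has "nemisis", "explaination", "will be shows", "Amoung" and "be able so snoop", which are worth fixing while the page is being imported.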
From: <mge...@us...> - 2006-07-14 07:59:12
|
Revision: 28 Author: mgeisler Date: 2006-07-14 00:59:07 -0700 (Fri, 14 Jul 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=28&view=rev Log Message: ----------- Small formatting changes. Modified Paths: -------------- trunk/phpshell.php Modified: trunk/phpshell.php =================================================================== --- trunk/phpshell.php 2006-05-15 19:16:29 UTC (rev 27) +++ trunk/phpshell.php 2006-07-14 07:59:07 UTC (rev 28) @@ -30,8 +30,8 @@ 02110-1301 USA. */ -/* There are no user-configurable settings in this file anymore, - * please see config.php instead. */ +/* There are no user-configurable settings in this file, please see + * config.php instead. */ /* This error handler will turn all notices, warnings, and errors into @@ -311,7 +311,7 @@ document.shell.command.focus(); } - <?php } else { ?> + <?php } else { /* if not authenticated */ ?> function init() { document.shell.username.focus(); @@ -407,7 +407,7 @@ name="columns" size="2" maxlength="3" value="<?php echo $columns ?>"></span> -<input type="submit" value="Execute Command"> + <input type="submit" value="Execute Command"> <input type="submit" name="logout" value="Logout"> </p> @@ -417,7 +417,6 @@ </form> - <hr> <p>Please consult the <a href="README">README</a>, <a This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
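Review bot: the context line in the @@ -407 hunk writes value="<?php echo $columns ?>" into an attribute with no escaping visible at the point of output; since the form field is named "columns", confirm the value is forced to an integer before this line, or wrap it in htmlspecialchars here. The whitespace and comment changes themselves look fine.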
From: Martin G. <mge...@us...> - 2006-07-12 21:27:45
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv32618 Removed Files: AUTHORS COPYING ChangeLog INSTALL SECURITY config.php phpshell.php pwhash.php style.css Log Message: How did these files come back?! I already deleted them on April 29th... At least I thought so, and Gmane says so too: http://article.gmane.org/gmane.comp.php.phpshell.cvs/13 Now, die you evil zombie files! :-) --- COPYING DELETED --- --- ChangeLog DELETED --- --- AUTHORS DELETED --- --- config.php DELETED --- --- style.css DELETED --- --- INSTALL DELETED --- --- pwhash.php DELETED --- --- phpshell.php DELETED --- --- SECURITY DELETED --- |
From: <mge...@us...> - 2006-05-15 19:16:34
|
Revision: 27 Author: mgeisler Date: 2006-05-15 12:16:29 -0700 (Mon, 15 May 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=27&view=rev Log Message: ----------- Updated information about bug reporting, pointing people to the SourceForge trackers instead of the discussion on my blog (which is getting way too big). Modified Paths: -------------- trunk/INSTALL Modified: trunk/INSTALL =================================================================== --- trunk/INSTALL 2006-05-15 19:11:22 UTC (rev 26) +++ trunk/INSTALL 2006-05-15 19:16:29 UTC (rev 27) @@ -93,6 +93,18 @@ Bugs? Comments? ================ -If you find a bug or miss something in PHP Shell, please don't -hesitate to mail me at <mge...@mg...>! Or you could drop by -and leave a comment at http://mgeisler.net/php-shell/. +If you find a bug or miss something in PHP Shell, please take a look +at the Tracker System at SourceForge: + + http://sourceforge.net/tracker/?group_id=156638 + +There you will find trackers for Bugs, Patches, and Feature Requests. +You are invited to add items to these so that they wont get lost. + +You can also email the development list, found at: + + https://lists.sourceforge.net/lists/listinfo/phpshell-devel + +This list is for discussion about all things PHP Shell and it is a +good place to discuss a feature or bug before adding it to one of the +SourceForge trackers. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
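Review bot: the rewritten "Bugs? Comments?" section in trunk/INSTALL removes the maintainer's e-mail address and leaves the SourceForge trackers and the development list as the only contact channels; for a tool that runs shell commands on a web server, say where a security-sensitive report should be sent. In the added text, "so that they wont get lost" should read "won't".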
From: <mge...@us...> - 2006-05-15 19:11:36
|
Revision: 26 Author: mgeisler Date: 2006-05-15 12:11:22 -0700 (Mon, 15 May 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=26&view=rev Log Message: ----------- Enable keyword expansion. Property Changed: ---------------- trunk/AUTHORS trunk/COPYING trunk/ChangeLog trunk/INSTALL trunk/README trunk/SECURITY trunk/config.php trunk/phpshell.php trunk/pwhash.php trunk/style.css Property changes on: trunk/AUTHORS ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/COPYING ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/ChangeLog ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/INSTALL ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/README ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/SECURITY ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/config.php ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/phpshell.php ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/pwhash.php ___________________________________________________________________ Name: svn:keywords + Revision Date Author Property changes on: trunk/style.css ___________________________________________________________________ Name: svn:keywords + Revision Date Author This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mge...@us...> - 2006-05-15 19:08:22
|
Revision: 25 Author: mgeisler Date: 2006-05-15 12:08:12 -0700 (Mon, 15 May 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=25&view=rev Log Message: ----------- Add SVN keywords for revision and commit date. Modified Paths: -------------- trunk/phpshell.php trunk/pwhash.php Modified: trunk/phpshell.php =================================================================== --- trunk/phpshell.php 2006-05-07 22:52:30 UTC (rev 24) +++ trunk/phpshell.php 2006-05-15 19:08:12 UTC (rev 25) @@ -6,6 +6,8 @@ * PHP Shell @VERSION@ * ************************************************************** + $Rev$ $Date$ + PHP Shell is an interactive PHP script that will execute any command entered. See the files README, INSTALL, and SECURITY or http://mgeisler.net/php-shell/ for further information. Modified: trunk/pwhash.php =================================================================== --- trunk/pwhash.php 2006-05-07 22:52:30 UTC (rev 24) +++ trunk/pwhash.php 2006-05-15 19:08:12 UTC (rev 25) @@ -3,6 +3,8 @@ * pwhash.php file for PHP Shell @VERSION@ * Copyright (C) 2005, 2006 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. + * + * $Rev$ $Date$ */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
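Review bot: the added "$Rev$ $Date$" lines in trunk/phpshell.php and trunk/pwhash.php only expand when the svn:keywords property is set on those files, and this change sets no property. Set svn:keywords in the same commit, otherwise the literal "$Rev$ $Date$" is what ships.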
From: <mge...@us...> - 2006-05-09 01:21:58
|
Revision: 23 Author: mgeisler Date: 2006-05-07 15:16:45 -0700 (Sun, 07 May 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=23&view=rev Log Message: ----------- Small note about the pwhash.php file. Modified Paths: -------------- trunk/README Modified: trunk/README =================================================================== --- trunk/README 2006-05-07 22:12:30 UTC (rev 22) +++ trunk/README 2006-05-07 22:16:45 UTC (rev 23) @@ -133,6 +133,10 @@ phpshell.php This is the script you run when you use PHP Shell. +pwhash.php + A utility used to generate a hashed password. Please read INSTALL + for more information. This file poses no security risk. + ChangeLog This file describe the changes I've made to PHP Shell. By reading it you'll always know when I've added a new feature or made a This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
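Review bot: the added README sentence "This file poses no security risk." is an unqualified claim with no reasoning behind it. Say what pwhash.php does and does not do (for example whether it needs authentication or touches config.php) so that administrators can judge for themselves, or tell them they may remove the file from the server once the hash has been generated.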
From: <mge...@us...> - 2006-05-09 01:21:55
|
Revision: 22 Author: mgeisler Date: 2006-05-07 15:12:30 -0700 (Sun, 07 May 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=22&view=rev Log Message: ----------- Included text on alternatives from patch #1398916 from SourceForge. This might not be the best place to put this, we will eventually move it to a webpage. Modified Paths: -------------- trunk/README Modified: trunk/README =================================================================== --- trunk/README 2006-04-29 13:19:47 UTC (rev 21) +++ trunk/README 2006-05-07 22:12:30 UTC (rev 22) @@ -96,6 +96,31 @@ command. +Alternatives +============ + +An incomplete list of alternatives to PHP Shell would be: + +* SSH. The Secure Shell is the standard solution to the problem that + PHP Shell tries to solve. SSH lets you login to a remote system in a + secure way where the traffic and password is encrypted at all + times. You can also upload and download files securely and make + encrypted TCP tunnels. + + If your host supports SSH then use it and forget about PHP Shell or + any other solution. + +* Telnet. This is the old way to obtain an interactive login on a + remote system. Unfortunately telnet is insecure since the password + and subsequent traffic are sent in clear text. SSH was developed + precisely to replace telnet. The advantage of telnet over PHP Shell + is that it gives you an interactive session. + +* See more alternatives at the Anyterm homepage: + + http://anyterm.org/compared.html + + Download ======== This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
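Review bot: the new Alternatives section in trunk/README calls telnet insecure because the password and traffic travel in clear text, but does not say how PHP Shell's own login and command traffic are protected; add a sentence on that, for instance whether the script is expected to be served over HTTPS, so the comparison is complete. Minor grammar in the SSH item: "the traffic and password is encrypted" should be "are encrypted".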
From: <mge...@us...> - 2006-05-09 00:46:49
|
Revision: 24 Author: mgeisler Date: 2006-05-07 15:52:30 -0700 (Sun, 07 May 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=24&view=rev Log Message: ----------- Added new configuration variable: safe-mode-warning. When running in Safe Mode a big warning will be displayed, unless this variable is set to false. Modified Paths: -------------- trunk/config.php trunk/phpshell.php trunk/style.css Modified: trunk/config.php =================================================================== --- trunk/config.php 2006-05-07 22:16:45 UTC (rev 23) +++ trunk/config.php 2006-05-07 22:52:30 UTC (rev 24) @@ -60,3 +60,10 @@ ; directory. home-directory = "." + +; Safe Mode warning. PHP Shell will normally display a big, fat +; warning if it detects that PHP is running in Safe Mode. If you find +; that PHP Shell works anyway, then set this to false to get rid of +; the warning. + +safe-mode-warning = true Modified: trunk/phpshell.php =================================================================== --- trunk/phpshell.php 2006-05-07 22:16:45 UTC (rev 23) +++ trunk/phpshell.php 2006-05-07 22:52:30 UTC (rev 24) @@ -126,7 +126,8 @@ /* Default settings --- these settings should always be set to * something. */ -$default_settings = array('home-directory' => '.'); +$default_settings = array('home-directory' => '.', + 'safe-mode-warning' => true); /* Merge settings. */ $ini['settings'] = array_merge($default_settings, $ini['settings']); 
@@ -357,6 +358,26 @@ <?php } else { /* Authenticated. */ ?> +<?php if ($ini['settings']['safe-mode-warning'] && ini_get('safe_mode')) { ?> + +<div class="warning"> + <p><b>Warning:</b> PHP is running in <a + href="http://php.net/features.safe-mode">Safe Mode</a>. This means + that PHP Shell is likely to <b>fail</b> in strange ways. See the <a + href="SECURITY">SECURITY</a> file for some background information + about Safe Mode and its effects on PHP Shell.</p> + + <p>Please note that there is nothing that PHP Shell can do to + deactivate Safe Mode. You will have to talk to your system + administrator about it.</p> + + <p>PHP Shell will try its best to carry on despite Safe Mode. You + can disable this warning by setting <code>safe-mode-warning</code> + to <code>false</code> in the configuration file.</p> +</div> + +<?php } /* Safe mode. */ ?> + <fieldset> <legend>Current Working Directory: <code><?php echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8'); Modified: trunk/style.css =================================================================== --- trunk/style.css 2006-05-07 22:16:45 UTC (rev 23) +++ trunk/style.css 2006-05-07 22:52:30 UTC (rev 24) @@ -58,3 +58,10 @@ .error { color: red; } + +div.warning { + background-color: rgb(255, 150, 150); + border: medium solid rgb(255, 60, 60); + padding: 0.5em; + margin: 0.25em; +} This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
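Review bot: the condition added in trunk/phpshell.php, "$ini['settings']['safe-mode-warning'] && ini_get('safe_mode')", tests the raw setting for truthiness, so a quoted value such as safe-mode-warning = "false" is a non-empty string and keeps the warning on. Either normalize the setting to a boolean after the array_merge, or state in the new config.php comment that the value must be written unquoted.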
From: Martin G. <mge...@us...> - 2006-04-29 13:28:20
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv7926 Modified Files: README Removed Files: AUTHORS COPYING ChangeLog INSTALL SECURITY config.php phpshell.php pwhash.php style.css Log Message: Removed files after the switch to Subversion. Please delete any CVS working copies you have and do a new checkout from Subversion. More information can be found here: http://sourceforge.net/svn/?group_id=156638 --- COPYING DELETED --- --- ChangeLog DELETED --- --- AUTHORS DELETED --- Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -r1.9 -r1.10 --- README 4 Feb 2006 15:10:13 -0000 1.9 +++ README 29 Apr 2006 13:28:12 -0000 1.10 
@@ -1,135 +1,14 @@ -README file for PHP Shell @VERSION@ -Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> -Licensed under the GNU GPL. See the file COPYING for details. - -What is PHP Shell? -================== - -PHP Shell is a shell wrapped in a PHP script. It's a tool you can use -to execute arbitrary shell-commands or browse the filesystem on your -remote webserver. This replaces, to a degree, a normal telnet -connection, and to a lesser degree a SSH connection. - -You use it for administration and maintenance of your website, which -is often much easier to do if you can work directly on the server. -For example, you could use PHP Shell to unpack and move big files -around. All the normal command line programs like ps, free, du, df, -etc... can be used. - - -Limitations -=========== - -There are some limitations on what kind of programs you can run. It -won't do no good if you start a graphical program like Firefox or even -a console based one like vi. All programs have to be strictly command -line programs, and they will have no chance of getting user input -after they have been lunched. - -They probably also have to terminate within 30 seconds, as this is the -default time-limit imposed unto all PHP scripts, to prevent them from -running in an infinite loop. Your ISP may have set this time-limit to -something else. - -But you can rely on all the normal shell-functionality, like pipes, -output and input redirection, etc... (There is no <tab>-completion, -though :-) - - -Safe Mode -========= - -Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe Mode -then PHP Shell will normally not work --- sorry. Please read the -detailed explaination in the SECURITY file. +********************************************************************* +* CVS README for PHP Shell * +********************************************************************* -Who am I? 
-========= - -(Well, my name is Martin, but that's not the point :-) - -You may not be the same user when using PHP Shell, as you are when you -upload your files with FTP. On some systems you will be ``nobody``, -on other systems you will become ``httpd`` or ``www-data``. This is a -rather dangerous "feature" of the way PHP is run by the webserver. A -possible effect of this is that you might end up creating files using -PHP Shell which you cannot delete afterwards using FTP and maybe not -even using PHP Shell. Strange, but true :-) - -If you want to execute code as different user, then it's possible to -do so by using the Sudo program available from this address: - - http://www.courtesan.com/sudo/ - -The trick is to configure Sudo to allow the user running the webserver -to execute certain commands as a more privileged user. This will have -to be done by the administrator of the server. Please refer to the -documentation for Sudo for further information about doing this. - - -How to Use It -============= - -When you point your browser at PHP Shell you will be asked to -authenticate yourself. By default no username/password will work, so -please go read INSTALL for information about adding a user. - -You're back? Good. Enter your username and password and press the -"Login" button. - -You will then be presented with a rather simple page containing -nothing much except a big window with the cursor blinking at the -bottom, signaling that it's ready to obey your commands. - -Write a command and press RET --- or alternatively, press the 'Execute -Command' button if you really want. The command will be executed and -the result will be shows in the terminal. You can now enter another -command. - -To be more precise: the terminal is updated with the command line you -have just executed, the output of the command to standard out -(stdout), and following that any error output sent to stderr. 
- -The commands are executed relative to a current working directory, -which is written at the top. You change this by the normal 'cd' -command. - - -Download -======== - -You can download the newest version of PHP Shell from - - http://mgeisler.net/php-shell/ - -The tarball/zipfile contains these files: - -phpshell.php - This is the script you run when you use PHP Shell. - -ChangeLog - This file describe the changes I've made to PHP Shell. By reading - it you'll always know when I've added a new feature or made a - bugfix, and the nature of the feature/bugfix. - -README - This file! :-) - -INSTALL - Tells you how to install PHP Shell. Amoung other things, it - explains how to change the password protection so that you can use - PHP Shell. +As of April 29th 2006, PHP Shell has switched from CVS to Subversion. +Please checkout the Subversion repository instead. - Remember that it's very important to have PHP Shell password - protected, or else everybody will be able so snoop into your files - and perhaps also be able to delete them! Please take the time to - protect your installation of PHP Shell. +Information about accessing the new repository can be found here: -SECURITY - A separate guide about security with PHP in general and PHP Shell in - particular. Be sure to read this too, especially if you are getting - strange errors back from PHP Shell. + http://sourceforge.net/svn/?group_id=156638 -COPYING - Standard GNU GPL. +-- +Martin Geisler <mge...@mg...> --- config.php DELETED --- --- style.css DELETED --- --- INSTALL DELETED --- --- pwhash.php DELETED --- --- phpshell.php DELETED --- --- SECURITY DELETED --- |
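Review bot: The replacement notice in the `@@ -1,135 +1,14 @@` README hunk uses "checkout" as a verb ("Please checkout the Subversion repository instead"); write "check out". Since this file is now the only thing left in the CVS module, it would also help to state the Subversion repository URL in the notice itself rather than only linking to the SourceForge information page.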
From: <mge...@us...> - 2006-04-29 13:19:59
|
Revision: 21 Author: mgeisler Date: 2006-04-29 06:19:47 -0700 (Sat, 29 Apr 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=21&view=rev Log Message: ----------- Ups -- I have copied some text from my PHP Weather project without changing "phpweather" into "phpshell" :-) Modified Paths: -------------- trunk/INSTALL Modified: trunk/INSTALL =================================================================== --- trunk/INSTALL 2006-04-29 13:15:10 UTC (rev 20) +++ trunk/INSTALL 2006-04-29 13:19:47 UTC (rev 21) @@ -17,7 +17,7 @@ Installation is easy: first unpack the tarball or zipfile downloaded from the above website into your webserver. This will create a -subdirectory called phpweather-@VERSION@ for PHP Shell version @VERSION@. +subdirectory called phpshell-@VERSION@ for PHP Shell version @VERSION@. Try loading the file ``phpshell.php`` in your browser and check that you are served a page that asks you to authenticate yourself with a This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
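Review bot: The corrected line in the `@@ -17,7 +17,7 @@` INSTALL hunk documents that unpacking "into your webserver" creates `phpshell-@VERSION@`, so the default install location is predictable and carries the version number in the URL. For a tool that executes shell commands, INSTALL should advise renaming the directory after unpacking, and should make the login-page check described in the following lines an explicit step to complete before the directory is left reachable.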
From: <mge...@us...> - 2006-04-29 13:15:38
|
Revision: 20 Author: mgeisler Date: 2006-04-29 06:15:10 -0700 (Sat, 29 Apr 2006) ViewCVS: http://svn.sourceforge.net/phpshell/?rev=20&view=rev Log Message: ----------- Updated footers with link to AUTHORS file and version info. Modified Paths: -------------- trunk/phpshell.php trunk/pwhash.php trunk/style.css Modified: trunk/phpshell.php =================================================================== --- trunk/phpshell.php 2006-04-29 11:27:55 UTC (rev 19) +++ trunk/phpshell.php 2006-04-29 13:15:10 UTC (rev 20) @@ -50,24 +50,25 @@ <link rel="stylesheet" href="style.css" type="text/css"> </head> <body> - <h1>Fatal Error!</h1> - <p><b>' . $errstr . '</b></p> - <p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p> - <hr> +<h1>Fatal Error!</h1> +<p><b>' . $errstr . '</b></p> +<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p> - <p>Please consult the <a href="README">README</a>, <a - href="INSTALL">INSTALL</a>, and <a href="SECURITY">SECURITY</a> files for - instruction on how to use PHP Shell.</p> +<hr> - <hr> +<p>Please consult the <a href="README">README</a>, +<a href="INSTALL">INSTALL</a>, and <a href="SECURITY">SECURITY</a> +files for instruction on how to use PHP Shell.</p> - <address> - Copyright © 2000–2005, <a - href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest - version at <a +<hr> + +<address> + Copyright © <a href="mailto:mge...@mg...">Martin + Geisler</a> and others, please see <a href="AUTHORS">AUTHORS</a>. + This is PHP Shell @VERSION@, get the latest version at <a href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. - </address> +</address> </body> </html>'); 
@@ -403,9 +404,10 @@ <hr> <address> -By <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the -latest version at <a -href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. + Copyright © <a href="mailto:mge...@mg...">Martin + Geisler</a> and others, please see <a href="AUTHORS">AUTHORS</a>. + This is PHP Shell @VERSION@, get the latest version at <a + href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. </address> </body> Modified: trunk/pwhash.php =================================================================== --- trunk/pwhash.php 2006-04-29 11:27:55 UTC (rev 19) +++ trunk/pwhash.php 2006-04-29 13:15:10 UTC (rev 20) @@ -93,9 +93,10 @@ <hr> <address> -By <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the -latest version at <a -href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. + Copyright \xA9 <a href="mailto:mge...@mg...">Martin + Geisler</a> and others, please see <a href="AUTHORS">AUTHORS</a>. + This is PHP Shell @VERSION@, get the latest version at <a + href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. </address> </body> Modified: trunk/style.css =================================================================== --- trunk/style.css 2006-04-29 11:27:55 UTC (rev 19) +++ trunk/style.css 2006-04-29 13:15:10 UTC (rev 20) @@ -1,6 +1,8 @@ /* style.css file for PHP Shell @VERSION@ * Copyright (C) 2003-2006 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. + * + * $Rev$ $Date$ */ body { This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
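Review bot: In the `@@ -50,24 +50,25 @@` hunk of trunk/phpshell.php the fatal error page still concatenates `$errstr`, `$errfile` and `$errline` into the HTML unescaped, and the change only re-indents those lines. While this markup is being touched, pass each value through htmlspecialchars() so that whatever PHP puts in the message is rendered as text and not as markup, and decide whether the full `$errfile` path should be shown on a page that can be reached before authentication.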
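Review bot: The `@@ -93,9 +93,10 @@` hunk of trunk/pwhash.php adds the copyright sign as a raw byte (it shows up as `\xA9` in this mail), while the two phpshell.php footers in the same commit show `©`. Write it as the `&copy;` entity in all three footers so the rendered character does not depend on the encoding the file is saved in or the charset the page is served with.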
From: Martin G. <mge...@us...> - 2006-02-04 15:10:28
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14102 Modified Files: INSTALL README config.php phpshell.php Log Message: Reformatted text again. Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- phpshell.php 13 Jan 2006 17:59:28 -0000 1.8 +++ phpshell.php 4 Feb 2006 15:10:14 -0000 1.9 @@ -12,10 +12,10 @@ Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> - This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public License - as published by the Free Software Foundation; either version 2 - of the License, or (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of 
@@ -29,16 +29,17 @@ */ -/* There are no user-configurable settings in this file anymore, please see - * config.php instead. */ +/* There are no user-configurable settings in this file anymore, + * please see config.php instead. */ -/* This error handler will turn all notices, warnings, and errors into fatal - * errors, unless they have been suppressed with the @-operator. */ +/* This error handler will turn all notices, warnings, and errors into + * fatal errors, unless they have been suppressed with the + * @-operator. */ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { /* The @-opertor (used with chdir() below) temporarely makes - * error_reporting() return zero, and we don't want to die in that case. - * We do note the error in the output, though. */ + * error_reporting() return zero, and we don't want to die in that + * case. We do note the error in the output, though. */ if (error_reporting() == 0) { $_SESSION['output'] .= $errstr . "\n"; } else { @@ -63,7 +64,7 @@ <hr> <address> - Copyright © 2000–2005, <a + Copyright © 2000–2006, <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest version at <a href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. 
@@ -74,23 +75,25 @@ } } -/* Installing our error handler makes PHP die on even the slightest problem. - * This is what we want in a security critical application like this. */ +/* Installing our error handler makes PHP die on even the slightest + * problem. This is what we want in a security critical application + * like this. */ set_error_handler('error_handler'); function logout() { - /* Empty the session data, except for the 'authenticated' entry which the - * rest of the code needs to be able to check. */ + /* Empty the session data, except for the 'authenticated' entry + * which the rest of the code needs to be able to check. */ $_SESSION = array('authenticated' => false); /* Unset the client's cookie, if it has one. */ // if (isset($_COOKIE[session_name()])) // setcookie(session_name(), '', time()-42000, '/'); - /* Destroy the session data on the server. This prevents the simple - * replay attach where one uses the back button to re-authenticate using - * the old POST data since the server wont know the session then.*/ + /* Destroy the session data on the server. This prevents the + * simple replay attach where one uses the back button to + * re-authenticate using the old POST data since the server wont + * know the session then.*/ // session_destroy(); } @@ -121,7 +124,8 @@ if (empty($ini['settings'])) $ini['settings'] = array(); -/* Default settings --- these settings should always be set to something. */ +/* Default settings --- these settings should always be set to + * something. */ $default_settings = array('home-directory' => '.'); /* Merge settings. */ 
@@ -130,9 +134,9 @@ session_start(); -/* Delete the session data if the user requested a logout. This leaves the - * session cookie at the user, but this is not important since we - * authenticates on $_SESSION['authenticated']. */ +/* Delete the session data if the user requested a logout. This + * leaves the session cookie at the user, but this is not important + * since we authenticates on $_SESSION['authenticated']. */ if (isset($_POST['logout'])) logout(); @@ -149,8 +153,8 @@ } -/* Enforce default non-authenticated state if the above code didn't set it - * already. */ +/* Enforce default non-authenticated state if the above code didn't + * set it already. */ if (!isset($_SESSION['authenticated'])) $_SESSION['authenticated'] = false; @@ -164,9 +168,10 @@ } if (!empty($command)) { - /* Save the command for late use in the JavaScript. If the command is - * already in the history, then the old entry is removed before the - * new entry is put into the list at the front. */ + /* Save the command for late use in the JavaScript. If the + * command is already in the history, then the old entry is + * removed before the new entry is put into the list at the + * front. */ if (($i = array_search($command, $_SESSION['history'])) !== false) unset($_SESSION['history'][$i]); @@ -179,8 +184,8 @@ if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) { $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { - /* The current command is a 'cd' command which we have to handle - * as an internal shell command. */ + /* The current command is a 'cd' command which we have to + * handle as an internal shell command. */ if ($regs[1]{0} == '/') { /* Absolute path, we use it unchanged. */ 
@@ -216,8 +221,8 @@ logout(); } else { - /* The command is not an internal command, so we execute it after - * changing the directory and save the output. */ + /* The command is not an internal command, so we execute + * it after changing the directory and save the output. */ chdir($_SESSION['cwd']); // We canot use putenv() in safe mode. @@ -321,10 +326,10 @@ <?php if (!$_SESSION['authenticated']) { - /* Genereate a new nounce every time we preent the login page. This binds - * each login to a unique hit on the server and prevents the simple replay - * attack where one uses the back button in the browser to replay the POST - * data from a login. */ + /* Genereate a new nounce every time we preent the login page. + * This binds each login to a unique hit on the server and + * prevents the simple replay attack where one uses the back + * button in the browser to replay the POST data from a login. */ $_SESSION['nounce'] = mt_rand(); ?> @@ -398,7 +403,7 @@ <hr> <address> -Copyright © 2000–2005, <a +Copyright © 2000–2006, <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest version at <a href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- README 13 Jan 2006 17:59:28 -0000 1.8 +++ README 4 Feb 2006 15:10:13 -0000 1.9 
@@ -1,42 +1,47 @@ README file for PHP Shell @VERSION@ -Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> +Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. What is PHP Shell? ================== -PHP Shell is a shell wrapped in a PHP script. It's a tool you can use to -execute arbitrary shell-commands or browse the filesystem on your remote -webserver. This replaces, to a degree, a normal telnet-connection. +PHP Shell is a shell wrapped in a PHP script. It's a tool you can use +to execute arbitrary shell-commands or browse the filesystem on your +remote webserver. This replaces, to a degree, a normal telnet +connection, and to a lesser degree a SSH connection. -You use it for administration and maintenance of your website, which is often -much easier to do if you can work directly on the server. For example, you -could use PHP Shell to unpack and move big files around. All the normal -command line programs like ps, free, du, df, etc... can be used. +You use it for administration and maintenance of your website, which +is often much easier to do if you can work directly on the server. +For example, you could use PHP Shell to unpack and move big files +around. All the normal command line programs like ps, free, du, df, +etc... can be used. Limitations =========== -There are some limitations on what kind of programs you can run. It won't do -no good if you start a graphical program like Firefox or even a console based -one like vi. All programs have to be strictly command line programs, and they -will have no chance of getting user input after they have been lunched. +There are some limitations on what kind of programs you can run. It +won't do no good if you start a graphical program like Firefox or even +a console based one like vi. All programs have to be strictly command +line programs, and they will have no chance of getting user input +after they have been lunched. 
-They probably also have to terminate within 30 seconds, as this is the default -time-limit imposed unto all PHP scripts, to prevent them from running in an -infinite loop. Your ISP may have set this time-limit to something else. +They probably also have to terminate within 30 seconds, as this is the +default time-limit imposed unto all PHP scripts, to prevent them from +running in an infinite loop. Your ISP may have set this time-limit to +something else. -But you can rely on all the normal shell-functionality, like pipes, output and -input redirection, etc... (There is no <tab>-completion, though :-) +But you can rely on all the normal shell-functionality, like pipes, +output and input redirection, etc... (There is no <tab>-completion, +though :-) Safe Mode ========= -Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe Mode then -PHP Shell will normally not work --- sorry. Please read the detailed -explaination in the SECURITY file. +Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe Mode +then PHP Shell will normally not work --- sorry. Please read the +detailed explaination in the SECURITY file. Who am I? 
@@ -44,48 +49,51 @@ (Well, my name is Martin, but that's not the point :-) -You may not be the same user when using PHP Shell, as you are when you upload -your files with FTP. On some systems you will be ``nobody``, on other systems -you will become ``httpd`` or ``www-data``. This is a rather dangerous -"feature" of the way PHP is run by the webserver. A possible effect of this -is that you might end up creating files using PHP Shell which you cannot -delete afterwards using FTP and maybe not even using PHP Shell. Strange, but -true :-) +You may not be the same user when using PHP Shell, as you are when you +upload your files with FTP. On some systems you will be ``nobody``, +on other systems you will become ``httpd`` or ``www-data``. This is a +rather dangerous "feature" of the way PHP is run by the webserver. A +possible effect of this is that you might end up creating files using +PHP Shell which you cannot delete afterwards using FTP and maybe not +even using PHP Shell. Strange, but true :-) -If you want to execute code as different user, then it's possible to do so by -using the Sudo program available from this address: +If you want to execute code as different user, then it's possible to +do so by using the Sudo program available from this address: http://www.courtesan.com/sudo/ -The trick is to configure Sudo to allow the user running the webserver to -execute certain commands as a more privileged user. This will have to be done -by the administrator of the server. Please refer to the documentation for -Sudo for further information about doing this. +The trick is to configure Sudo to allow the user running the webserver +to execute certain commands as a more privileged user. This will have +to be done by the administrator of the server. Please refer to the +documentation for Sudo for further information about doing this. How to Use It ============= -When you point your browser at PHP Shell you will be asked to authenticate -yourself. 
By default no username/password will work, so please go read -INSTALL for information about adding a user. +When you point your browser at PHP Shell you will be asked to +authenticate yourself. By default no username/password will work, so +please go read INSTALL for information about adding a user. -You're back? Good. Enter your username and password and press "Login". +You're back? Good. Enter your username and password and press the +"Login" button. -You will then be presented with a rather simple page containing nothing much -except a big window with the cursor blinking at the bottom, signaling that -it's ready to obey your commands. +You will then be presented with a rather simple page containing +nothing much except a big window with the cursor blinking at the +bottom, signaling that it's ready to obey your commands. Write a command and press RET --- or alternatively, press the 'Execute -Command' button if you really want. The command will be executed and the -result will be shows in the terminal. You can now enter another command. +Command' button if you really want. The command will be executed and +the result will be shows in the terminal. You can now enter another +command. -To be more precise: the terminal is updated with the command line you have -just executed, the output of the command to standard out (stdout), and -following that any error output sent to stderr. +To be more precise: the terminal is updated with the command line you +have just executed, the output of the command to standard out +(stdout), and following that any error output sent to stderr. -The commands are executed relative to a current working directory, which is -written at the top. You change this by the normal 'cd' command. +The commands are executed relative to a current working directory, +which is written at the top. You change this by the normal 'cd' +command. Download 
@@ -101,26 +109,27 @@ This is the script you run when you use PHP Shell. ChangeLog - This file describe the changes I've made to PHP Shell. By reading it you'll - always know when I've added a new feature or made a bugfix, and the nature - of the feature/bugfix. + This file describe the changes I've made to PHP Shell. By reading + it you'll always know when I've added a new feature or made a + bugfix, and the nature of the feature/bugfix. README This file! :-) INSTALL - Tells you how to install PHP Shell. Amoung other things, it explains how to - change the password protection so that you can use PHP Shell. - - Remember that it's very important to have PHP Shell password protected, or - else everybody will be able so snoop into your files and perhaps also be - able to delete them! Please take the time to protect your installation of + Tells you how to install PHP Shell. Amoung other things, it + explains how to change the password protection so that you can use PHP Shell. + Remember that it's very important to have PHP Shell password + protected, or else everybody will be able so snoop into your files + and perhaps also be able to delete them! Please take the time to + protect your installation of PHP Shell. + SECURITY A separate guide about security with PHP in general and PHP Shell in - particular. Be sure to read this too, especially if you are getting strange - errors back from PHP Shell. + particular. Be sure to read this too, especially if you are getting + strange errors back from PHP Shell. COPYING Standard GNU GPL. Index: config.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/config.php,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- config.php 13 Jan 2006 17:59:28 -0000 1.2 +++ config.php 4 Feb 2006 15:10:14 -0000 1.3 
@@ -1,4 +1,4 @@ -; <?php die('Forbidden'); ?> +; <?php die('Forbidden'); ?> -*- conf -*- ; Do not remove the above line, it prevents this file from being downloaded. ; ; config.php file for PHP Shell @VERSION@ @@ -7,8 +7,8 @@ ; This ini-file has three parts: ; -; * [users] where you add usernames and passwords to give users access to PHP -; Shell. +; * [users] where you add usernames and passwords to give users access +; to PHP Shell. ; ; * [aliases] where you can configure shell aliases. ; 
@@ -17,26 +17,32 @@ [users] -; The default configuration has no users defined, you have to add your own -; (choose good passwords!). Add uses as simple 'username = "password"' lines. -; Please quote your password using double-quotes as shown. The semi-colon ':' -; is a reserved character, so do *not* use that in your passwords. +; The default configuration has no users defined, you have to add your +; own (choose good passwords!). Add uses as simple ; -; For improved security it is *strongly suggested* that you the pwhash.php -; script to generate a hashed password and store that instead of the normal -; clear text password. Keeping your passwords in hashed form ensures that -; they cannot be found, even if this file is disclosed. The passwords are -; still visible in clear text during the login, though. Please follow the -; instructions given in pwhash.php. +; username = "password" +; +; lines. Please quote your password using double-quotes as shown. +; The semi-colon ':' is a reserved character, so do *not* use that in +; your passwords. +; +; For improved security it is *strongly suggested* that you the +; pwhash.php script to generate a hashed password and store that +; instead of the normal clear text password. Keeping your passwords +; in hashed form ensures that they cannot be found, even if this file +; is disclosed. The passwords are still visible in clear text during +; the login, though. Please follow the instructions given in +; pwhash.php. [aliases] ; Alias expansion. Change the two examples as needed and add your own -; favorites --- feel free to suggest more defaults! The command line you -; enter will only be expanded on the very first token and only once, so having -; 'ls' expand into 'ls -CvhF' does not cause an infinite recursion. +; favorites --- feel free to suggest more defaults! 
The command line +; you enter will only be expanded on the very first token and only +; once, so having 'ls' expand into 'ls -CvhF' does not cause an +; infinite recursion. ls = "ls -CvhF" ll = "ls -lvhF" @@ -47,8 +53,9 @@ ; General settings for PHP Shell. -; Home directory. PHP Shell will change to this directory upon startup and -; whenever a bare 'cd' command is given. This can be an absolute path or a -; path relative to the PHP Shell installation directory. +; Home directory. PHP Shell will change to this directory upon +; startup and whenever a bare 'cd' command is given. This can be an +; absolute path or a path relative to the PHP Shell installation +; directory. home-directory = "." Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- INSTALL 13 Jan 2006 17:59:28 -0000 1.7 +++ INSTALL 4 Feb 2006 15:10:12 -0000 1.8 @@ -1,5 +1,5 @@ INSTALL file for PHP Shell @VERSION@ -Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> +Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. 
@@ -15,63 +15,65 @@ Installation ============ -Installation is easy: first unpack the tarball or zipfile downloaded from the -above website into your webserver. This will create a subdirectory called -phpweather-@VERSION@ for PHP Shell version @VERSION@. +Installation is easy: first unpack the tarball or zipfile downloaded +from the above website into your webserver. This will create a +subdirectory called phpweather-@VERSION@ for PHP Shell version @VERSION@. -Try loading the file ``phpshell.php`` in your browser and check that you are -served a page that asks you to authenticate yourself with a username and a -password. If you do not see such a page, then please check that you have -entered the URL correctly and that PHP is working on your server. +Try loading the file ``phpshell.php`` in your browser and check that +you are served a page that asks you to authenticate yourself with a +username and a password. If you do not see such a page, then please +check that you have entered the URL correctly and that PHP is working +on your server. Configuration ============= -All configuration happens in the ``config.php`` file. This is an ini-file -dispite its name. Ini-files consist of a number of sections, each containing -a number of 'key = "value"' pairs. PHP Shell has tree sections: '[users]' for -configuring usernames and passwords, '[aliases]' for configuring shell -aliases, and '[settings]' for general settings. +All configuration happens in the ``config.php`` file. This is an +ini-file dispite its name. Ini-files consist of a number of sections, +each containing a number of 'key = "value"' pairs. PHP Shell has tree +sections: '[users]' for configuring usernames and passwords, +'[aliases]' for configuring shell aliases, and '[settings]' for +general settings. Setting Usernames and Passwords ------------------------------- -As a security precaution PHP Shell has no default username and password -(people often forget to change them...). 
To add the user "alice" with -password "secret" you simply add +As a security precaution PHP Shell has no default username and +password (people often forget to change them...). To add the user +"alice" with password "secret" you simply add [users] alice = "secret" -to the file. Note that you can add as many users as you want by simply adding -more lines like this. +to the file. Note that you can add as many users as you want by +simply adding more lines like this. -This system works, but there is a better way --- a way so that the password -does not appear in clear text in the file. For that you use the supplied -script ``pwhash.php`` to generate a hashed password. Please see the -instructions given in ``pwhash.php``. +This system works, but there is a better way --- a way so that the +password does not appear in clear text in the file. For that you use +the supplied script ``pwhash.php`` to generate a hashed password. +Please see the instructions given in ``pwhash.php``. With the above example the result could look like [users] alice = "md5:7ea3b59e:eb271c4459253eaa163fcac2a119f225" -You will not get exactly the same line if you try it out, this is a feature of -the system which means that both "alice" and "bob" could have "secret" as -their password, and you would not be able to tell from just looking at -``config.php``. +You will not get exactly the same line if you try it out, this is a +feature of the system which means that both "alice" and "bob" could +have "secret" as their password, and you would not be able to tell +from just looking at ``config.php``. Shell Aliases ------------- -As in a normal shell, PHP Shell supports alias expansion, albeit in a simple -form. Aliases are defined by 'key = "value"' pairs in the '[aliases]' -section. The "key" will be matched against the first token of the command -line and substituted with the "value" given. +As in a normal shell, PHP Shell supports alias expansion, albeit in a +simple form. 
Aliases are defined by 'key = "value"' pairs in the +'[aliases]' section. The "key" will be matched against the first +token of the command line and substituted with the "value" given. Two convenient aliases are already defined: @@ -83,14 +85,14 @@ General Settings ---------------- -PHP has just one other setting right now --- the home directory. Change this -in the '[settings]' section. +PHP has just one other setting right now --- the home directory. +Change this in the '[settings]' section. Bugs? Comments? ================ -If you find a bug or miss something in PHP Shell, please don't hesitate to -mail me at <mge...@mg...>! Or you could drop by and leave a comment -at http://mgeisler.net/php-shell/. +If you find a bug or miss something in PHP Shell, please don't +hesitate to mail me at <mge...@mg...>! Or you could drop by +and leave a comment at http://mgeisler.net/php-shell/. |
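Review bot: In logout() (hunk `@@ -74,23 +75,25 @@` of phpshell.php) the rewrapped comments still say "Unset the client's cookie" and "Destroy the session data on the server", but the `setcookie(...)` and `session_destroy()` calls beneath them are commented out, so the function only resets `$_SESSION`. Either re-enable the calls or reword the comments to describe what the code actually does; as written, the comment credits the function with a replay protection it does not perform. "replay attach" and "wont" should also be fixed while the comment is being rewrapped.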
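Review bot: The login nonce in the `@@ -321,10 +326,10 @@` hunk is set with `$_SESSION['nounce'] = mt_rand();`, and mt_rand() is not a cryptographically secure generator, which is a weak choice for a value the comment relies on to bind each login to one page hit. Draw the value from a CSPRNG instead (random_bytes() on current PHP versions). The rewrapped comment also carries over "Genereate", "nounce" and "preent", which should be corrected in the same pass.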
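Review bot: The rewritten [users] comment in config.php (hunk `@@ -17,26 +17,32 @@`) still calls ':' a "semi-colon"; it is a colon, and the distinction matters in this file because ';' starts a comment line and ':' separates the fields of the hashed form shown in INSTALL (`md5:7ea3b59e:...`). The same comment is missing a word in "suggested that you the pwhash.php script" and has "Add uses" for "Add users". The sentence "ensures that they cannot be found, even if this file is disclosed" also overstates what a salted MD5 hash gives; "are not stored in clear text" would be accurate.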
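Review bot: The reflowed Installation paragraph in INSTALL (hunk `@@ -15,63 +15,65 @@`) still names the unpacked directory `phpweather-@VERSION@`, which is the wrong project, and the Configuration paragraph keeps "dispite" and "PHP Shell has tree sections". Since every line of these paragraphs is rewritten by the reflow anyway, correct the directory name to `phpshell-@VERSION@` and fix the two typos in this commit rather than in a follow-up.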
From: Martin G. <mge...@us...> - 2006-01-13 21:23:23
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14845 Modified Files: COPYING Log Message: Updated with latest FSF address. Index: COPYING =================================================================== RCS file: /cvsroot/phpshell/phpshell/COPYING,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- COPYING 13 Jan 2006 16:58:45 -0000 1.1 +++ COPYING 13 Jan 2006 21:23:10 -0000 1.2 @@ -2,7 +2,7 @@ Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. @@ -55,7 +55,7 @@ The precise terms and conditions for copying, distribution and modification follow. - + GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION @@ -110,7 +110,7 @@ License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) - + These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in @@ -168,7 +168,7 @@ access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. - + 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is 
@@ -225,7 +225,7 @@ This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. - + 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License @@ -278,8 +278,8 @@ POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS - - Appendix: How to Apply These Terms to Your New Programs + + How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it @@ -291,7 +291,7 @@ the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> - Copyright (C) 19yy <name of author> + Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -305,14 +305,15 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: - Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. |
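Review bot: The log message mentions only the FSF address, but the hunks at @@ -278,8 +278,8 @@ and @@ -291,7 +291,7 @@ also rename the appendix heading to "How to Apply These Terms to Your New Programs" and replace "19yy" with "<year>", and the hunks at @@ -55,7, @@ -110,7, @@ -168,7 and @@ -225,7 change nothing but a blank-looking line. If this is a resync of COPYING with the FSF's current GPL version 2 text, say so in the log message, so the wording and whitespace changes are not mistaken for local edits to the license.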
From: Martin G. <mge...@us...> - 2006-01-13 17:59:41
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv27628 Modified Files: AUTHORS INSTALL README SECURITY config.php phpshell.php pwhash.php style.css Log Message: Replaced the static version number with one we can update dynamically upon release. Reflowed paragraphs to a shorter line width. Index: AUTHORS =================================================================== RCS file: /cvsroot/phpshell/phpshell/AUTHORS,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- AUTHORS 13 Jan 2006 17:49:45 -0000 1.6 +++ AUTHORS 13 Jan 2006 17:59:28 -0000 1.7 @@ -1,4 +1,4 @@ -AUTHORS file for PHP Shell 2.1 +AUTHORS file for PHP Shell @VERSION@ Copyright (C) 2000-2004 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- README 13 Jan 2006 17:49:45 -0000 1.7 +++ README 13 Jan 2006 17:59:28 -0000 1.8 @@ -1,4 +1,4 @@ -README file for PHP Shell 2.1 +README file for PHP Shell @VERSION@ Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. Index: config.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/config.php,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- config.php 13 Jan 2006 17:49:45 -0000 1.1 +++ config.php 13 Jan 2006 17:59:28 -0000 1.2 
@@ -1,54 +1,54 @@ -; <?php die('Forbidden'); ?> -; Do not remove the above line, it prevents this file from being downloaded. -; -; config.php file for PHP Shell 2.1 -; Copyright (C) 2005 Martin Geisler <mge...@mg...> -; Licensed under the GNU GPL. See the file COPYING for details. - -; This ini-file has three parts: -; -; * [users] where you add usernames and passwords to give users access to PHP -; Shell. -; -; * [aliases] where you can configure shell aliases. -; -; * [settings] where general settings are placed. - - -[users] - -; The default configuration has no users defined, you have to add your own -; (choose good passwords!). Add uses as simple 'username = "password"' lines. -; Please quote your password using double-quotes as shown. The semi-colon ':' -; is a reserved character, so do *not* use that in your passwords. -; -; For improved security it is *strongly suggested* that you the pwhash.php -; script to generate a hashed password and store that instead of the normal -; clear text password. Keeping your passwords in hashed form ensures that -; they cannot be found, even if this file is disclosed. The passwords are -; still visible in clear text during the login, though. Please follow the -; instructions given in pwhash.php. - - - -[aliases] - -; Alias expansion. Change the two examples as needed and add your own -; favorites --- feel free to suggest more defaults! The command line you -; enter will only be expanded on the very first token and only once, so having -; 'ls' expand into 'ls -CvhF' does not cause an infinite recursion. - -ls = "ls -CvhF" -ll = "ls -lvhF" - - - -[settings] - -; General settings for PHP Shell. - -; Home directory. PHP Shell will change to this directory upon startup and -; whenever a bare 'cd' command is given. This can be an absolute path or a -; path relative to the PHP Shell installation directory. - -home-directory = "." 
+; <?php die('Forbidden'); ?> +; Do not remove the above line, it prevents this file from being downloaded. +; +; config.php file for PHP Shell @VERSION@ +; Copyright (C) 2005, 2006 Martin Geisler <mge...@mg...> +; Licensed under the GNU GPL. See the file COPYING for details. + +; This ini-file has three parts: +; +; * [users] where you add usernames and passwords to give users access to PHP +; Shell. +; +; * [aliases] where you can configure shell aliases. +; +; * [settings] where general settings are placed. + + +[users] + +; The default configuration has no users defined, you have to add your own +; (choose good passwords!). Add uses as simple 'username = "password"' lines. +; Please quote your password using double-quotes as shown. The semi-colon ':' +; is a reserved character, so do *not* use that in your passwords. +; +; For improved security it is *strongly suggested* that you the pwhash.php +; script to generate a hashed password and store that instead of the normal +; clear text password. Keeping your passwords in hashed form ensures that +; they cannot be found, even if this file is disclosed. The passwords are +; still visible in clear text during the login, though. Please follow the +; instructions given in pwhash.php. + + + +[aliases] + +; Alias expansion. Change the two examples as needed and add your own +; favorites --- feel free to suggest more defaults! The command line you +; enter will only be expanded on the very first token and only once, so having +; 'ls' expand into 'ls -CvhF' does not cause an infinite recursion. + +ls = "ls -CvhF" +ll = "ls -lvhF" + + + +[settings] + +; General settings for PHP Shell. + +; Home directory. PHP Shell will change to this directory upon startup and +; whenever a bare 'cd' command is given. This can be an absolute path or a +; path relative to the PHP Shell installation directory. + +home-directory = "." 
Index: style.css =================================================================== RCS file: /cvsroot/phpshell/phpshell/style.css,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- style.css 13 Jan 2006 17:49:45 -0000 1.1 +++ style.css 13 Jan 2006 17:59:28 -0000 1.2 @@ -1,4 +1,4 @@ -/* style.css file for PHP Shell 2.1 +/* style.css file for PHP Shell @VERSION@ * Copyright (C) 2003-2005 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. */ Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- INSTALL 13 Jan 2006 17:49:45 -0000 1.6 +++ INSTALL 13 Jan 2006 17:59:28 -0000 1.7 @@ -1,4 +1,4 @@ -INSTALL file for PHP Shell 2.1 +INSTALL file for PHP Shell @VERSION@ Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. @@ -17,7 +17,7 @@ Installation is easy: first unpack the tarball or zipfile downloaded from the above website into your webserver. This will create a subdirectory called -phpweather-2.1 for PHP Shell version 2.1. +phpweather-@VERSION@ for PHP Shell version @VERSION@. Try loading the file ``phpshell.php`` in your browser and check that you are served a page that asks you to authenticate yourself with a username and a Index: pwhash.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/pwhash.php,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- pwhash.php 13 Jan 2006 17:49:45 -0000 1.1 +++ pwhash.php 13 Jan 2006 17:59:28 -0000 1.2 @@ -1,6 +1,6 @@ <?php /* - * pwhash.php file for PHP Shell 2.1 + * pwhash.php file for PHP Shell @VERSION@ * Copyright (C) 2005 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. */ 
@@ -23,13 +23,13 @@ "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> - <title>Password Hasher for PHP Shell 2.1</title> + <title>Password Hasher for PHP Shell @VERSION@</title> <link rel="stylesheet" href="style.css" type="text/css"> </head> <body> -<h1>Password Hasher for PHP Shell 2.1</h1> +<h1>Password Hasher for PHP Shell @VERSION@</h1> <form action="<?php $_SERVER['PHP_SELF']; ?>" method="POST"> Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- phpshell.php 13 Jan 2006 17:49:45 -0000 1.7 +++ phpshell.php 13 Jan 2006 17:59:28 -0000 1.8 @@ -3,14 +3,14 @@ /* ************************************************************** - * PHP Shell 2.1 * + * PHP Shell @VERSION@ * ************************************************************** PHP Shell is an interactive PHP script that will execute any command entered. See the files README, INSTALL, and SECURITY or http://mgeisler.net/php-shell/ for further information. - Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> + Copyright (C) 2000-2006 Martin Geisler <mge...@mg...> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License @@ -46,7 +46,7 @@ "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> - <title>PHP Shell 2.1</title> + <title>PHP Shell @VERSION@</title> <link rel="stylesheet" href="style.css" type="text/css"> </head> <body> @@ -270,7 +270,7 @@ "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> - <title>PHP Shell 2.1</title> + <title>PHP Shell @VERSION@</title> <link rel="stylesheet" href="style.css" type="text/css"> <script type="text/javascript"> 
@@ -315,7 +315,7 @@ <body onload="init()"> -<h1>PHP Shell 2.1</h1> +<h1>PHP Shell @VERSION@</h1> <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> Index: SECURITY =================================================================== RCS file: /cvsroot/phpshell/phpshell/SECURITY,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- SECURITY 13 Jan 2006 17:49:45 -0000 1.1 +++ SECURITY 13 Jan 2006 17:59:28 -0000 1.2 
@@ -1,89 +1,93 @@ -SECURITY file for PHP Shell 2.1 -Copyright (C) 2005 Martin Geisler <mge...@mg...> +SECURITY file for PHP Shell @VERSION@ +Copyright (C) 2005, 2006 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. PHP Security ============ -Installing PHP on your server is an inheriently dangerous thing to do, -somewhat similar to the danger one faces when one buys a car: it might kill -you if you have an accident. On the other hand a car makes so many things so -much more convenient, so most people are willing to accept the risk of -accidents. +Installing PHP on your server is an inherently dangerous thing to do, +somewhat similar to the danger one faces when one buys a car: it might +kill you if you have an accident. On the other hand a car makes so +many things so much more convenient, so most people are willing to +accept the risk of accidents. -Likewise, PHP is a powerful tool which will let you build your webpages easier -and faster than without. But it is a *very* powerful tool --- PHP is a full -programming language which can be used for general purpose programming and not -just to format HTML for display in a browser. +Likewise, PHP is a powerful tool which will let you build your +webpages easier and faster than without. But it is a *very* powerful +tool --- PHP is a full programming language which can be used for +general purpose programming and not just to format HTML for display in +a browser. -So PHP has support for reading and writing files on the filesystem. But PHP -also has support for *deleting* files. PHP even has support for executing -other programs. In other words, PHP has lots of support for interacting with -the rest of the computer it runs on. This interaction is potentially much -more powerful than you want it to, and this can be a problem if this power -ends up in the wrong hands. +So PHP has support for reading and writing files on the filesystem. 
+But PHP also has support for *deleting* files. PHP even has support +for executing other programs. In other words, PHP has lots of support +for interacting with the rest of the computer it runs on. This +interaction is potentially much more powerful than you want it to, and +this can be a problem if this power ends up in the wrong hands. What about Safe Mode? --------------------- -As they note in the PHP manual, Safe Mode is an inherently wrong way to secure -PHP, but is nevertheless used in many installations. Turning Safe Mode on in -PHP basically tries to restrict the language and its functions to make it -"safe". +As they note in the PHP manual, Safe Mode is an inherently wrong way +to secure PHP, but is nevertheless used in many installations. +Turning Safe Mode on in PHP basically tries to restrict the language +and its functions to make it "safe". -This involves a strict check on file ownership so that PHP wont operate on -files and directories which are not owned by the owner of the current script. -Other restrictions in Safe Mode include limits on which files can be executed -and includes (thus making a primitive form of chroot or jail around the PHP -script). +This involves a strict check on file ownership so that PHP wont +operate on files and directories which are not owned by the owner of +the current script. Other restrictions in Safe Mode include limits on +which files can be executed and includes (thus making a primitive form +of chroot or jail around the PHP script). PHP Shell is made mostly useless with Safe Mode since it restricts the two commands that PHP Shell uses: ``chdir()`` and ``proc_open()``: -* With Safe Mode you cannot change to a directory unless you are the owner of - that directory. This means that you cannot change to, say, ``/etc`` since - ``root`` own that directory. +* With Safe Mode you cannot change to a directory unless you are the + owner of that directory. 
This means that you cannot change to, say, + ``/etc`` since ``root`` own that directory. You'll see this when 'cd /etc' results in this error from PHP Shell: - chdir(): SAFE MODE Restriction in effect. The script whose uid is 500 is - not allowed to access /etc owned by uid 0 - cd: could not change to: /etc + chdir(): SAFE MODE Restriction in effect. The script whose uid is + 500 is not allowed to access /etc owned by uid 0 cd: could not + change to: /etc -* When Safe Mode is active, PHP forces the argument to ``proc_open()`` to be - escaped, which means that you cannot use normal shell wildcards, pipes or - any such stuff. +* When Safe Mode is active, PHP forces the argument to ``proc_open()`` + to be escaped, which means that you cannot use normal shell + wildcards, pipes or any such stuff. - So if you enter 'ls *.txt' in a directory where you know for certain that - there is a text file ending in '.txt', you will get the following error: + So if you enter 'ls *.txt' in a directory where you know for certain + that there is a text file ending in '.txt', you will get the + following error: /bin/ls: *.txt: No such file or directory - This is because PHP has silently changed the command into 'ls \*.txt' to - disable the wildcard. + This is because PHP has silently changed the command into 'ls + \*.txt' in order to disable the wildcard. There is nothing PHP + Shell can do about this. -* You cannot execute programs unless they are placed in a directory listed in - ``safe_mode_exec_dir``. Say you want to execute the program ``tr`` (which - translates between sets of characters) and you get this strange messages - back: +* You cannot execute programs unless they are placed in a directory + listed in ``safe_mode_exec_dir``. Say you want to execute the + program ``tr`` (which translates between sets of characters) and you + get this strange messages back: sh: line 1: /bin/tr: No such file or directory - Then you have a problem with the ``safe_mode_exec_dir`` setting. 
In this - case ``safe_mode_exec_dir`` is set to just ``/bin`` and so PHP has forced - the shell to execute ``/bin/tr`` and since ``tr`` is installed in - ``/usr/bin`` it could not be found. + Then you have a problem with the ``safe_mode_exec_dir`` setting. In + this case ``safe_mode_exec_dir`` is set to just ``/bin`` and so PHP + has forced the shell to execute ``/bin/tr`` and since ``tr`` is + installed in ``/usr/bin`` it could not be found. - If you have write access to a directory listed in ``safe_mode_exec_dir``, - then try copying the wanted program there first. Executing it should now - work. + If you have write access to a directory listed in + ``safe_mode_exec_dir``, then try copying the wanted program there + first. Executing it should now work. -Even without enabling Safe Mode some functions might have been disabled via -the ``disabled_functions`` setting. If the ``proc_open()`` function used by -PHP Shell has been disabled, then you will see an error like this: +Even without enabling Safe Mode some functions might have been +disabled via the ``disabled_functions`` setting. If the +``proc_open()`` function used by PHP Shell has been disabled, then you +will see an error like this: Fatal Error! 
@@ -96,40 +100,81 @@ PHP Shell Security ================== -As noted above, PHP is a powerful tool --- how does PHP Shell fit into this? -PHP Shell is actually quite simple and does one thing: it uses the standard -PHP function ``proc_open()`` to execute programs. +As noted above, PHP is a powerful tool --- how does PHP Shell fit into +this? PHP Shell is actually quite simple and does one thing: it uses +the standard PHP function ``proc_open()`` to execute programs. -Executing other programs is probably the most powerful thing you can do in -PHP, and so PHP Shell gives you a convenient interface to this the most -powerful feature of PHP. Nothing more. +Executing other programs is probably the most powerful thing you can +do in PHP, and so PHP Shell gives you a convenient interface to this +the most powerful feature of PHP. Nothing more. Is PHP Shell Dangerous? ----------------------- -Short answer: *yes*! PHP Shell has been used in the past by people with -not-so-good intentions to destroy valuable content on servers. +Short answer: *yes*! PHP Shell has been used in the past by people +with not-so-good intentions to destroy valuable content on servers. -The longer answer is that installing PHP Shell is like building a new door in -your house --- if you leave it unlocked, then people can (and probably will!) -walk into it and steal your posessions. So you want to lock it, and make sure -you use a good lock. +The longer answer is that installing PHP Shell is like building a new +door in your house --- if you leave it unlocked, then people can (and +probably will!) walk into it and steal your possessions. So you want +to lock it, and make sure you use a good lock. -With PHP Shell that is equivalent of using a secure password. A secure -password is one which is hard to guess (make it long, make it random, and put -both numbers, special characters and normal letters in it). +With PHP Shell that is equivalent of using a secure password. 
A +secure password is one which is hard to guess (make it long, make it +random, and put both numbers, special characters and normal letters in +it). - Remember that guessing the password is all that stands between the crackers - and your files! + Remember that guessing the password is all that stands between the + crackers and your files! -If you use a good password, then PHP Shell does not make your system any more -unsecure than it already was. Security is always a matter of finding the -weakest link in the chain: if you use FTP with a simple password for updating -your site, then it would be much easier for the crackers to attack that -instead of trying to guess your super-hard PHP Shell password. So make sure -that you tighten security on all fronts you know of. +If you use a good password, then PHP Shell does not make your system +any more insecure than it already was. Security is always a matter of +finding the weakest link in the chain: if you use FTP with a simple +password for updating your site, then it would be much easier for the +crackers to attack that instead of trying to guess your super-hard PHP +Shell password. So make sure that you tighten security on all fronts +you know of. +Other Threats +------------- + +Aside the obvious threat of someone guessing your password as +discussed above, there is another threat when using PHP Shell: all +communication is done in clear text! + +This means that anybody who is able to intercept the traffic between +your browser and the server will receive the password, all the +commands you type, and all the output of those commands. Using hashed +passwords makes no difference here, the password is still sent in the +clear and is only hashed after having arrived at the server. + +With a normal network setup your traffic will go through a number of +intermediate nodes before reaching its goal. For example, when my +browser sends the password, it has to go through no less than 15 +computers before reaching the server. 
Any of those computers could +potentially save the traffic for later analysis and so save the +password. + +So counter this threat you can establish an encrypted connection +between the browser and the server. This is called an SSL (Secure +Socket Layer) connection and one runs HTTPS (Secure HTTP) over it. + +Unfortunately you cannot just create such a connection without first +installing a SSL certificate on the server, something which the server +administrator will have to do for you. Furthermore, a real SSL +certificate costs money, and if you are willing to pay for such a +certificate, then you are probably also willing to pay for a quality +host which offers SSH access. + +So: SSL is the answer to the threat of eavesdropping, but if you have +SSL available, then you probably also have SSH available, and thus no +need for PHP Shell --- a funny chicken-and-egg problem :-) + + +Feedback +======== + If you have suggestions for improvements to this little guide in system security, then please do not hesitate to contact <mge...@mg...>. |
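Review bot: In config.php (@@ -1,54 +1,54 @@) the re-added [users] comment says "The semi-colon ':' is a reserved character", which names the wrong character: ':' is a colon, and this sentence is what tells users which character to keep out of their passwords. The same comment block has "Add uses" for "Add users" and "that you the pwhash.php script", which is missing "use". The hunk also removes and re-adds all 54 lines although the only visible content changes are the version placeholder and the copyright years; if the rest is a line-ending or whitespace normalisation, commit it separately so the real change stays readable.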
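Review bot: In INSTALL (@@ -17,7 +17,7 @@) the unpack directory is written as "phpweather-@VERSION@", which does not match the project name used everywhere else in the file. The line is being edited for the placeholder anyway, so correct it to the directory the PHP Shell tarball actually creates, presumably "phpshell-@VERSION@".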
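Review bot: In pwhash.php (@@ -23,13 +23,13 @@) the context line <form action="<?php $_SERVER['PHP_SELF']; ?>" method="POST"> evaluates $_SERVER['PHP_SELF'] without echoing it, so the action attribute is rendered empty and the form only works because browsers submit an empty action to the current URL. The matching form in phpshell.php (@@ -315,7 +315,7 @@) does use echo. Make the two consistent, and where PHP_SELF is echoed pass it through htmlspecialchars(), because it can carry request-supplied path information and is written into an HTML attribute.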
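Review bot: In SECURITY (@@ -1,89 +1,93 @@) the reflow has also rewrapped literal program output: under the 'cd /etc' example the chdir() message and the separate "cd: could not change to: /etc" line are now run together as "... owned by uid 0 cd: could not change to: /etc". Reflow only the prose and keep sample error output exactly as the program prints it, since readers match it against what they see on screen. The same hunk keeps "disabled_functions", but the php.ini directive is disable_functions, and "PHP wont operate" is missing its apostrophe.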
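Review bot: In SECURITY (@@ -96,40 +100,81 @@) a complete new "Other Threats" section on clear-text traffic and a "Feedback" heading are added, which the log message (version placeholder and paragraph reflow) does not mention. New security guidance should go in its own commit with its own log entry so it can be reviewed and found later. In the added text, "So counter this threat" should read "To counter this threat", "Aside the obvious threat" should read "Aside from the obvious threat", and "a SSL certificate" should be "an SSL certificate".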
From: Martin G. <mge...@us...> - 2006-01-13 17:49:54
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv25902 Modified Files: AUTHORS ChangeLog INSTALL README phpshell.php Added Files: SECURITY config.php pwhash.php style.css Removed Files: phpshell.css release.sh valid-xhtml10.png vcss.png Log Message: Imported PHP Shell version 2.1. --- phpshell.css DELETED --- Index: ChangeLog =================================================================== RCS file: /cvsroot/phpshell/phpshell/ChangeLog,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- ChangeLog 13 Jan 2006 17:38:31 -0000 1.6 +++ ChangeLog 13 Jan 2006 17:49:45 -0000 1.7 @@ -1,4 +1,22 @@ -2004-03-27 Martin Geisler <gim...@gi...> +2005-12-27 Martin Geisler <mge...@mg...> + + * phpshell.php: + Added code to prevent simple replay attacks by only accepting each + login form once. + +2005-12-25 Martin Geisler <mge...@mg...> + + * INSTALL: Information about the new internal configuration. + + * phpshell.php: Made authentication internal. + + * SECURITY: New file. + + * config.php: New file. + + * style.css: New file. Renamed from phpshell.css. + +2004-03-27 Martin Geisler <mge...@mg...> * phpshell.php 1.29: Removed debug output. @@ -20,13 +38,13 @@ special cases are taken care of, and simple command substitution using aliases have been introduced. -2004-03-24 Martin Geisler <gim...@gi...> +2004-03-24 Martin Geisler <mge...@mg...> * phpshell.php 1.26: Increased year of copyright to 2004. Fixed the references to the PNG images, as pointed out by Michael Z. Bell. -2003-11-11 Martin Geisler <gim...@gi...> +2003-11-11 Martin Geisler <mge...@mg...> * AUTHORS 1.6: Added Wolfgang Dautermann <wol...@fh...>. @@ -41,7 +59,7 @@ Also, changing directory through symbolic links now works as expected, so that it's possible to go back using 'cd ..'. -2003-04-01 Martin Geisler <gim...@gi...> +2003-04-01 Martin Geisler <mge...@mg...> * INSTALL 1.4: New instructions on how to change the username and password. 
@@ -74,7 +92,7 @@ Applied patch from Michael Zech <ke...@we...> that made the stderr-checkbox remember it's state. -2002-09-18 Martin Geisler <gim...@gi...> +2002-09-18 Martin Geisler <mge...@mg...> * phpshell.php 1.18: Use the directory of phpshell.php as the default working directory. @@ -84,7 +102,7 @@ * phpshell.php 1.17: PHP Shell now works on PHP 4.2.0 with register_globals turned off. -2002-06-10 Martin Geisler <gim...@gi...> +2002-06-10 Martin Geisler <mge...@mg...> * INSTALL 1.3: Added a section about Safe Mode in PHP. @@ -92,7 +110,7 @@ Added a section about Safe Mode in PHP. Also fixed a lot of spelling errors. -2002-03-23 Martin Geisler <gim...@gi...> +2002-03-23 Martin Geisler <mge...@mg...> * README 1.8: Added a version number to the file. @@ -112,7 +130,7 @@ Added a tip from Jeremy Miller <JM...@ma...> about how to use PHP Shell together with Sudo to execute code as another user. -2001-12-10 Martin Geisler <gim...@gi...> +2001-12-10 Martin Geisler <mge...@mg...> * phpshell.php 1.13: I found out that 'ls -F' produced better output than 'ls -p'. @@ -126,7 +144,7 @@ * README 1.5: Updated the documentation a bit. -2001-02-11 Martin Geisler <gim...@gi...> +2001-02-11 Martin Geisler <mge...@mg...> * phpshell.php 1.11: Another suggestion from Thomas Langen <la...@la...>: some @@ -137,7 +155,7 @@ Expanded all PHP start-tags (<?) to <?php, as suggested by Thomas Langen <la...@la...>. -2000-11-20 Martin Geisler <gim...@gi...> +2000-11-20 Martin Geisler <mge...@mg...> * AUTHORS 1.1: New file. @@ -145,11 +163,11 @@ Applied a patch from ri...@jo... which fixed a problem with accessing the root-directory. -2000-09-24 Martin Geisler <gim...@gi...> +2000-09-24 Martin Geisler <mge...@mg...> * phpshell.php 1.8: Removed a debug-comment. -2000-09-09 Martin Geisler <gim...@gi...> +2000-09-09 Martin Geisler <mge...@mg...> * README 1.4: Expanded the brief explanation at the top. 
@@ -166,18 +184,18 @@ Removed 'Martin Geisler' from the title, putting my name on the bottom of the page ought to be enough :-) -2000-08-06 Martin Geisler <gim...@gi...> +2000-08-06 Martin Geisler <mge...@mg...> * phpshell.php 1.6: Added a link to gimpster.com at the bottom of the page -2000-08-05 Martin Geisler <gim...@gi...> +2000-08-05 Martin Geisler <mge...@mg...> * phpshell.php 1.5: Removed references to php3 - I now use php4 so all my files end with just a '.php' -2000-06-21 Martin Geisler <gim...@gi...> +2000-06-21 Martin Geisler <mge...@mg...> * phpshell.php 1.4: Fix - there were still references to the old name: shell.php3. Index: AUTHORS =================================================================== RCS file: /cvsroot/phpshell/phpshell/AUTHORS,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- AUTHORS 13 Jan 2006 17:34:25 -0000 1.5 +++ AUTHORS 13 Jan 2006 17:49:45 -0000 1.6 @@ -1,4 +1,9 @@ -Main author: Martin Geisler <gim...@gi...> -*- text -*- +AUTHORS file for PHP Shell 2.1 +Copyright (C) 2000-2004 Martin Geisler <mge...@mg...> +Licensed under the GNU GPL. See the file COPYING for details. + + +Main author: Martin Geisler <mge...@mg...> Thanks goes to all these persons who have helped: @@ -17,7 +22,7 @@ http://www.courtesan.com/sudo/ - to let PhpShell execute code with different privileges than the + to let PHP Shell execute code with different privileges than the webserver. Michael Zech <ke...@we...> --- vcss.png DELETED --- Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- README 13 Jan 2006 17:38:31 -0000 1.6 +++ README 13 Jan 2006 17:49:45 -0000 1.7 
@@ -1,120 +1,126 @@ -README for PhpShell 2.0 -Copyright (C) 2000-2004 Martin Geisler <gim...@gi...> +README file for PHP Shell 2.1 +Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. -What is PhpShell? ------------------- -PhpShell is a shell wrapped in a PHP script. It's a tool you can use -to execute arbitrary shell-commands or browse the filesystem on your -remote webserver. This replaces, to a degree, a normal -telnet-connection. You can use it for transferring your site as a -compressed file, and then unpack it on the webserver, administration -and maintenance of your website using commands like ps, free, du, df -etc... +What is PHP Shell? +================== + +PHP Shell is a shell wrapped in a PHP script. It's a tool you can use to +execute arbitrary shell-commands or browse the filesystem on your remote +webserver. This replaces, to a degree, a normal telnet-connection. + +You use it for administration and maintenance of your website, which is often +much easier to do if you can work directly on the server. For example, you +could use PHP Shell to unpack and move big files around. All the normal +command line programs like ps, free, du, df, etc... can be used. Limitations ------------ -There are some limitations on what kind of programs you can run. It -won't do no good if you start something like Netscape or even vi. All -programs have to be strictly command-line programs, and they will have -no chance of getting user input after they have been lunched. They -probably also have to terminate within 30 seconds, as this is the -default time-limit imposed unto all PHP scripts, to prevent them from -running in an infinite loop. Your ISP may have set this time-limit to -something else. +=========== -But you can rely on all the normal shell-functionality, like pipes, -output and input redirection, etc... 
(There is no <tab>-completion, -though :-) +There are some limitations on what kind of programs you can run. It won't do +no good if you start a graphical program like Firefox or even a console based +one like vi. All programs have to be strictly command line programs, and they +will have no chance of getting user input after they have been lunched. +They probably also have to terminate within 30 seconds, as this is the default +time-limit imposed unto all PHP scripts, to prevent them from running in an +infinite loop. Your ISP may have set this time-limit to something else. -Safe Mode ---------- -If PHP is running in Safe Mode, then you cannot use PhpShell --- -sorry. Safe Mode restricts the commands that can be executed using -the shell_exec() call in PHP, and it also restricts the files and -directories that can be accessed using other calls in PHP. +But you can rely on all the normal shell-functionality, like pipes, output and +input redirection, etc... (There is no <tab>-completion, though :-) -The effect is, that PhpShell simply doesn't work --- you cannot -change directory and you cannot execute any commands. -Safe Mode is often used on servers that host several websites for -different users to limit the users ability to peek at each others -files. +Safe Mode +========= + +Safe Mode is the nemisis of PHP Shell. If PHP is running in Safe Mode then +PHP Shell will normally not work --- sorry. Please read the detailed +explaination in the SECURITY file. Who am I? ---------- +========= + (Well, my name is Martin, but that's not the point :-) -You may not be the same user when using PhpShell, as you are when you -upload your files with ftp. On some systems you will be 'nobody', on -other systems you will become 'httpd' or 'www-data'. This is a rather -dangerous "feature" of PhpShell! So use it at your own risk and -remember to choose a good password as described in the INSTALL file. 
+You may not be the same user when using PHP Shell, as you are when you upload +your files with FTP. On some systems you will be ``nobody``, on other systems +you will become ``httpd`` or ``www-data``. This is a rather dangerous +"feature" of the way PHP is run by the webserver. A possible effect of this +is that you might end up creating files using PHP Shell which you cannot +delete afterwards using FTP and maybe not even using PHP Shell. Strange, but +true :-) -If you want to execute code as different user, then it's possible to -do so by using the Sudo program available from this address: +If you want to execute code as different user, then it's possible to do so by +using the Sudo program available from this address: http://www.courtesan.com/sudo/ -The trick is to configure Sudo to allow the user running the webserver -to execute certain commands as a more privileged user. Please refer -to the documentation for Sudo for further information about doing -this. +The trick is to configure Sudo to allow the user running the webserver to +execute certain commands as a more privileged user. This will have to be done +by the administrator of the server. Please refer to the documentation for +Sudo for further information about doing this. How to Use It -------------- -When you point your browser at PhpShell and types in your password -(see the file INSTALL for more information on how to change the -password), you'll be presented with a rather simple page containing -nothing much except a big window with the cursor blinking at the -bottom, signaling that it's ready to obey your commands. +============= + +When you point your browser at PHP Shell you will be asked to authenticate +yourself. By default no username/password will work, so please go read +INSTALL for information about adding a user. + +You're back? Good. Enter your username and password and press "Login". 
+ +You will then be presented with a rather simple page containing nothing much +except a big window with the cursor blinking at the bottom, signaling that +it's ready to obey your commands. Write a command and press RET --- or alternatively, press the 'Execute -Command' button if you insist. The command will be executed and the -result will be shows in the terminal. You can now enter another -command. +Command' button if you really want. The command will be executed and the +result will be shows in the terminal. You can now enter another command. -To be more precise: the terminal is updated with the command line you -have just executed, the output of the command to standard out (stdout) -and following that any error output sent to stderr. +To be more precise: the terminal is updated with the command line you have +just executed, the output of the command to standard out (stdout), and +following that any error output sent to stderr. -The commands are executed relative to a current working directory, -which is written at the top. You change this by the normal 'cd' -command. +The commands are executed relative to a current working directory, which is +written at the top. You change this by the normal 'cd' command. Download --------- -You can download PhpShell from http://www.gimpster.com/wiki/PhpShell. +======== + +You can download the newest version of PHP Shell from + + http://mgeisler.net/php-shell/ + The tarball/zipfile contains these files: phpshell.php - This is the script you run when you use PhpShell. + This is the script you run when you use PHP Shell. ChangeLog - This file describe the changes I've made to PhpShell. By reading - it you'll always know when I've added a new feature or made a - bugfix, and the nature of the feature/bugfix. + This file describe the changes I've made to PHP Shell. By reading it you'll + always know when I've added a new feature or made a bugfix, and the nature + of the feature/bugfix. README - This file :-) + This file! 
:-) INSTALL - Tells you how to install PhpShell. Amoung other things, it - explains how to change the password protection so that you can use - PhpShell. + Tells you how to install PHP Shell. Amoung other things, it explains how to + change the password protection so that you can use PHP Shell. - Remember that it's very important to have PhpShell password - protected, or else everybody will be able so snoop into your files - and perhaps also be able to delete them! I've already seen one site - that were using PhpShell without password-protection --- I was able - so quickly find their config.inc.php file from phpMyAdmin, and read - the password to the database! So please take the time to protect - PhpShell. + Remember that it's very important to have PHP Shell password protected, or + else everybody will be able so snoop into your files and perhaps also be + able to delete them! Please take the time to protect your installation of + PHP Shell. + +SECURITY + A separate guide about security with PHP in general and PHP Shell in + particular. Be sure to read this too, especially if you are getting strange + errors back from PHP Shell. COPYING - Standard GNU disclaimer. + Standard GNU GPL. --- NEW FILE: config.php --- ; <?php die('Forbidden'); ?> ; Do not remove the above line, it prevents this file from being downloaded. ; ; config.php file for PHP Shell 2.1 ; Copyright (C) 2005 Martin Geisler <mge...@mg...> ; Licensed under the GNU GPL. See the file COPYING for details. ; This ini-file has three parts: ; ; * [users] where you add usernames and passwords to give users access to PHP ; Shell. ; ; * [aliases] where you can configure shell aliases. ; ; * [settings] where general settings are placed. [users] ; The default configuration has no users defined, you have to add your own ; (choose good passwords!). Add uses as simple 'username = "password"' lines. ; Please quote your password using double-quotes as shown. 
The semi-colon ':' ; is a reserved character, so do *not* use that in your passwords. ; ; For improved security it is *strongly suggested* that you the pwhash.php ; script to generate a hashed password and store that instead of the normal ; clear text password. Keeping your passwords in hashed form ensures that ; they cannot be found, even if this file is disclosed. The passwords are ; still visible in clear text during the login, though. Please follow the ; instructions given in pwhash.php. [aliases] ; Alias expansion. Change the two examples as needed and add your own ; favorites --- feel free to suggest more defaults! The command line you ; enter will only be expanded on the very first token and only once, so having ; 'ls' expand into 'ls -CvhF' does not cause an infinite recursion. ls = "ls -CvhF" ll = "ls -lvhF" [settings] ; General settings for PHP Shell. ; Home directory. PHP Shell will change to this directory upon startup and ; whenever a bare 'cd' command is given. This can be an absolute path or a ; path relative to the PHP Shell installation directory. home-directory = "." --- NEW FILE: style.css --- /* style.css file for PHP Shell 2.1 * Copyright (C) 2003-2005 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. 
*/ body { font-family: sans-serif; color: black; background: white; } h1 { color: red; background: white; } img { border: none; } div#terminal { border: inset 2px red; padding: 2px; margin-top: 0.5em; } div#terminal textarea { font-size: 100%; width: 100%; border: none; } p { margin-top: 0.5em; margin-bottom: 0.5em; } p#prompt { font-family: monospace; margin: 0px; } p#prompt input { border: none; font-family: monospace; } legend { padding-right: 0.5em; } fieldset { padding: 0.5em; } .error { color: red; } Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- INSTALL 13 Jan 2006 17:38:31 -0000 1.5 +++ INSTALL 13 Jan 2006 17:49:45 -0000 1.6 
@@ -1,76 +1,96 @@ -Installation instructions for PhpShell 2.0 -Copyright (C) 2000-2004 Martin Geisler <gim...@gi...> +INSTALL file for PHP Shell 2.1 +Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. See the file COPYING for details. -Getting the Tarball -------------------- -You can always get the latest version of PhpShell from my homepage: +Downloading PHP Shell +===================== + +You can always get the latest version of PHP Shell from my homepage: + + http://mgeisler.net/php-shell/ - http://www.gimpster.com/wiki/PhpShell Installation ------------- -Installation is easy: first unpack the tarball or zipfile downloaded -from the above website into your webserver. This will create a -subdirectory called phpweather-2.0 for PhpShell version 2.0. +============ -If you're using PhpShell on an Apache webserver running PHP as a -module, then PhpShell wont work until you've edited phpshell.php. You -can see this when you try and load the file phpshell.php from the -directory just created --- you should get a prompt from your browser -asking you to authenticate you. In the default setup, no username or -password will authenticate you, this what you'll have to change next. +Installation is easy: first unpack the tarball or zipfile downloaded from the +above website into your webserver. This will create a subdirectory called +phpweather-2.1 for PHP Shell version 2.1. -In the phpshell.php file you'll find comments near the top that -explains how to enable access for a username with a password. In -short, you'll simply add the pair as an entry in the $passwd array -like this: +Try loading the file ``phpshell.php`` in your browser and check that you are +served a page that asks you to authenticate yourself with a username and a +password. If you do not see such a page, then please check that you have +entered the URL correctly and that PHP is working on your server. 
- $passwd = array('username' => 'password'); -This can be expanded to multiple users with their own passwords in a -very simple way: - $passwd = array('username_1' => 'password_1', - 'username_2' => 'password_2', - // ... - 'username_n' => 'password_n'); +Configuration +============= -It is important that you password-protect PhpShell with a good -password. If someone is able to guess your password, then they'll -have access to your webserver over the Internet, and they might be -able to erase your files, and perhaps even shutdown the webserver! So -be careful with this and remember that you can always find the usual -disclaimer in the file LICENSE. +All configuration happens in the ``config.php`` file. This is an ini-file +dispite its name. Ini-files consist of a number of sections, each containing +a number of 'key = "value"' pairs. PHP Shell has tree sections: '[users]' for +configuring usernames and passwords, '[aliases]' for configuring shell +aliases, and '[settings]' for general settings. + + +Setting Usernames and Passwords +------------------------------- + +As a security precaution PHP Shell has no default username and password +(people often forget to change them...). To add the user "alice" with +password "secret" you simply add + + [users] + alice = "secret" + +to the file. Note that you can add as many users as you want by simply adding +more lines like this. + +This system works, but there is a better way --- a way so that the password +does not appear in clear text in the file. For that you use the supplied +script ``pwhash.php`` to generate a hashed password. Please see the +instructions given in ``pwhash.php``. 
+ +With the above example the result could look like + + [users] + alice = "md5:7ea3b59e:eb271c4459253eaa163fcac2a119f225" + +You will not get exactly the same line if you try it out, this is a feature of +the system which means that both "alice" and "bob" could have "secret" as +their password, and you would not be able to tell from just looking at +``config.php``. Shell Aliases ------------- -As in a normal shell, PhpShell supports a simple form of aliases. -Simply edit the $aliases array at the top of phpshell.php. The keys -in the array are substituted for their corresponding values before the -commands are executed --- a couple of convenient aliases are already -defined: +As in a normal shell, PHP Shell supports alias expansion, albeit in a simple +form. Aliases are defined by 'key = "value"' pairs in the '[aliases]' +section. The "key" will be matched against the first token of the command +line and substituted with the "value" given. - $aliases = array('ls' => 'ls -CvhF', - 'll' => 'ls -lvhF'); +Two convenient aliases are already defined: + [aliases] + ls = "ls -CvhF" + ll = "ls -lvhF" -Safe Mode ---------- -PhpShell doesn't work if PHP is running in Safe Mode. There is -nothing I can do about this --- Safe Mode was made to prevent scripts -just like PhpShell. So if you're worried that people will be able to -destroy your website using a tool like PhpShell, then tell your -provider to enable Safe Mode as this makes PHP much less evil. +General Settings +---------------- -Bugs? ------ -If you find a bug or miss something in PhpShell, please don't hesitate -to mail me at <gim...@gi...>! +PHP has just one other setting right now --- the home directory. Change this +in the '[settings]' section. -Enjoy! - Martin Geisler <gim...@gi...> + + +Bugs? Comments? +================ + +If you find a bug or miss something in PHP Shell, please don't hesitate to +mail me at <mge...@mg...>! Or you could drop by and leave a comment +at http://mgeisler.net/php-shell/. 
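Review bot: In the INSTALL hunk, the new Installation paragraph still says unpacking creates a subdirectory called phpweather-2.1; that name is carried over from the old text and does not match the package this file documents. In "Setting Usernames and Passwords" the clear-text form `alice = "secret"` is presented first and the hashed form only afterwards as "a better way", while config.php in the same commit says hashing is *strongly suggested*; consider leading with the pwhash.php form and presenting clear text as the fallback. Small typos in the added text: "dispite" and "PHP Shell has tree sections".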
--- NEW FILE: pwhash.php --- <?php /* * pwhash.php file for PHP Shell 2.1 * Copyright (C) 2005 Martin Geisler <mge...@mg...> * Licensed under the GNU GPL. See the file COPYING for details. */ function stripslashes_deep($value) { if (is_array($value)) return array_map('stripslashes_deep', $value); else return stripslashes($value); } if (get_magic_quotes_gpc()) $_POST = stripslashes_deep($_POST); $username = isset($_POST['username']) ? $_POST['username'] : ''; $password = isset($_POST['password']) ? $_POST['password'] : ''; ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <title>Password Hasher for PHP Shell 2.1</title> <link rel="stylesheet" href="style.css" type="text/css"> </head> <body> <h1>Password Hasher for PHP Shell 2.1</h1> <form action="<?php $_SERVER['PHP_SELF']; ?>" method="POST"> <fieldset> <legend>Username</legend> <input name="username" type="text" value="<?php echo $username ?>"> </fieldset> <fieldset> <legend>Password</legend> <input name="password" type="text" value="<?php echo $password ?>"> </fieldset> <fieldset> <legend>Result</legend> <?php if ($username == '' || $password == '') { echo " <p><i>Enter a username and a password and update.</i></p>\n"; } else { $u = strtolower($username); if (preg_match('/[[ |&~!()]/', $u) || $u == 'null' || $u == 'yes' || $u == 'no' || $u == 'true' || $u == 'false') { echo ' <p class="error">Your username cannot contain any of the following reserved word: "<tt>null</tt>", "<tt>yes</tt>", "<tt>no</tt>", "<tt>true</tt>", or "<tt>false</tt>". The following characters are also prohibited: "<tt> </tt>" (space), "<tt>[</tt>" (left bracket), "<tt>|</tt>" (pipe), "<tt>&</tt>" (ampersand), "<tt>~</tt>" (tilde), "<tt>!</tt>" (exclamation mark), "<tt>(</tt>" (left parenthesis), or "<tt>)</tt>" (right parenthesis).</p>' . "\n"; echo ' <p>Please choose another username and try again.</p>' . "\n"; } else { echo " <p>Write the following line into <tt>config.php</tt> " . 
"in the <tt>users</tt> section:</p>\n"; $fkt = 'md5'; // Change to sha1 is you feel like it... $salt = dechex(mt_rand()); $hash = $fkt . ':' . $salt . ':' . $fkt($salt . $password); echo "<pre>\n"; echo htmlentities(str_pad($username, 8) . ' = "' . $hash . '"') . "\n"; echo "</pre>\n"; } } ?> <p><input type="submit" value="Update"></p> </fieldset> </form> <hr> <address> Copyright © 2005, <a href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest version at <a href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. </address> </body> </html> Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- phpshell.php 13 Jan 2006 17:38:31 -0000 1.6 +++ phpshell.php 13 Jan 2006 17:49:45 -0000 1.7 @@ -3,15 +3,14 @@ /* ************************************************************** - * PhpShell 2.0 * + * PHP Shell 2.1 * ************************************************************** - $Id$ - PhpShell is an interactive PHP script that will execute any command - entered. See the files README and INSTALL or - http://www.gimpster.com/wiki/PhpShell for further information. + PHP Shell is an interactive PHP script that will execute any command + entered. See the files README, INSTALL, and SECURITY or + http://mgeisler.net/php-shell/ for further information. - Copyright (C) 2000-2004 Martin Geisler <gim...@gi...> + Copyright (C) 2000-2005 Martin Geisler <mge...@mg...> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License 
@@ -30,157 +29,253 @@ */ -/* Set your usernames and passwords like this: +/* There are no user-configurable settings in this file anymore, please see + * config.php instead. */ - $passwd = array('username' => 'password'); - You can add several pairs of usernames and passwords to the array - to give several different people access to PhpShell. +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. */ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" + "http://www.w3.org/TR/html4/strict.dtd"> +<html> +<head> + <title>PHP Shell 2.1</title> + <link rel="stylesheet" href="style.css" type="text/css"> +</head> +<body> + <h1>Fatal Error!</h1> + <p><b>' . $errstr . '</b></p> + <p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p> - $passwd = array('username_1' => 'password_1', - 'username_2' => 'password_2', - // ... - 'username_n' => 'password_n'); + <hr> -*/ -$passwd = array(); + <p>Please consult the <a href="README">README</a>, <a + href="INSTALL">INSTALL</a>, and <a href="SECURITY">SECURITY</a> files for + instruction on how to use PHP Shell.</p> -/* Set your aliases here. Each key in the array will be substituted - * with the corresponding value before the commands are executed. 
*/ -$aliases = array('ls' => 'ls -CvhF', - 'll' => 'ls -lvhF'); + <hr> -if (!isset($_SERVER['PHP_AUTH_USER']) || - !isset($_SERVER['PHP_AUTH_PW']) || - !isset($passwd[$_SERVER['PHP_AUTH_USER']]) || - $passwd[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) { - header('WWW-Authenticate: Basic realm="PhpShell 2.0"'); - header('HTTP/1.0 401 Unauthorized'); - $authenticated = false; -} else { - $authenticated = true; + <address> + Copyright © 2000–2005, <a + href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest + version at <a + href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. + </address> - /* We now start the session. */ - session_start(); - - /* Initialize the session variables. */ - if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) { - $_SESSION['cwd'] = getcwd(); - $_SESSION['history'] = array(); - $_SESSION['output'] = ''; - } - - if (!empty($_REQUEST['command'])) { - if (get_magic_quotes_gpc()) { - /* We don't want to add the commands to the history in the - * escaped form, so we remove the backslashes now. */ - $_REQUEST['command'] = stripslashes($_REQUEST['command']); +</body> +</html>'); } +} - /* Save the command for late use in the JavaScript. If the - * command is already in the history, then the old entry is - * removed before the new entry is put into the list at the - * front. */ - if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false) - unset($_SESSION['history'][$i]); - - array_unshift($_SESSION['history'], $_REQUEST['command']); +/* Installing our error handler makes PHP die on even the slightest problem. + * This is what we want in a security critical application like this. */ +set_error_handler('error_handler'); + + +function logout() { + /* Empty the session data, except for the 'authenticated' entry which the + * rest of the code needs to be able to check. */ + $_SESSION = array('authenticated' => false); + + /* Unset the client's cookie, if it has one. 
*/ +// if (isset($_COOKIE[session_name()])) +// setcookie(session_name(), '', time()-42000, '/'); + + /* Destroy the session data on the server. This prevents the simple + * replay attach where one uses the back button to re-authenticate using + * the old POST data since the server wont know the session then.*/ +// session_destroy(); +} + + +function stripslashes_deep($value) { + if (is_array($value)) + return array_map('stripslashes_deep', $value); + else + return stripslashes($value); +} + +if (get_magic_quotes_gpc()) + $_POST = stripslashes_deep($_POST); + +/* Initialize some variables we need again and again. */ +$username = isset($_POST['username']) ? $_POST['username'] : ''; +$password = isset($_POST['password']) ? $_POST['password'] : ''; +$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; + +$command = isset($_POST['command']) ? $_POST['command'] : ''; +$rows = isset($_POST['rows']) ? $_POST['rows'] : 24; +$columns = isset($_POST['columns']) ? $_POST['columns'] : 80; + + +/* Load the configuration. */ +$ini = parse_ini_file('config.php', true); + +if (empty($ini['settings'])) + $ini['settings'] = array(); + +/* Default settings --- these settings should always be set to something. */ +$default_settings = array('home-directory' => '.'); + +/* Merge settings. */ +$ini['settings'] = array_merge($default_settings, $ini['settings']); + + +session_start(); + +/* Delete the session data if the user requested a logout. This leaves the + * session cookie at the user, but this is not important since we + * authenticates on $_SESSION['authenticated']. */ +if (isset($_POST['logout'])) + logout(); + +/* Attempt authentication. */ +if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && + isset($ini['users'][$username])) { + if (strchr($ini['users'][$username], ':') === false) { + // No seperator found, assume this is a password in clear text. 
+ $_SESSION['authenticated'] = ($ini['users'][$username] == $password); + } else { + list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); + $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); + } +} + + +/* Enforce default non-authenticated state if the above code didn't set it + * already. */ +if (!isset($_SESSION['authenticated'])) + $_SESSION['authenticated'] = false; + + +if ($_SESSION['authenticated']) { + /* Initialize the session variables. */ + if (empty($_SESSION['cwd'])) { + $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); + $_SESSION['history'] = array(); + $_SESSION['output'] = ''; + } - /* Now append the commmand to the output. */ - $_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n"; + if (!empty($command)) { + /* Save the command for late use in the JavaScript. If the command is + * already in the history, then the old entry is removed before the + * new entry is put into the list at the front. */ + if (($i = array_search($command, $_SESSION['history'])) !== false) + unset($_SESSION['history'][$i]); + + array_unshift($_SESSION['history'], $command); + + /* Now append the commmand to the output. */ + $_SESSION['output'] .= '$ ' . $command . "\n"; - /* Initialize the current working directory. */ - if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) { - $_SESSION['cwd'] = dirname(__FILE__); - } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) { - /* The current command is a 'cd' command which we have to handle - * as an internal shell command. */ + /* Initialize the current working directory. */ + if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) { + $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); + } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { + /* The current command is a 'cd' command which we have to handle + * as an internal shell command. */ - if ($regs[1][0] == '/') { - /* Absolute path, we use it unchanged. 
*/ - $new_dir = $regs[1]; - } else { - /* Relative path, we append it to the current working - * directory. */ - $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; - } + if ($regs[1]{0} == '/') { + /* Absolute path, we use it unchanged. */ + $new_dir = $regs[1]; + } else { + /* Relative path, we append it to the current working + * directory. */ + $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; + } - /* Transform '/./' into '/' */ - while (strpos($new_dir, '/./') !== false) - $new_dir = str_replace('/./', '/', $new_dir); + /* Transform '/./' into '/' */ + while (strpos($new_dir, '/./') !== false) + $new_dir = str_replace('/./', '/', $new_dir); - /* Transform '//' into '/' */ - while (strpos($new_dir, '//') !== false) - $new_dir = str_replace('//', '/', $new_dir); + /* Transform '//' into '/' */ + while (strpos($new_dir, '//') !== false) + $new_dir = str_replace('//', '/', $new_dir); - /* Transform 'x/..' into '' */ - while (preg_match('|/\.\.(?!\.)|', $new_dir)) - $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); + /* Transform 'x/..' into '' */ + while (preg_match('|/\.\.(?!\.)|', $new_dir)) + $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); - if ($new_dir == '') $new_dir = '/'; + if ($new_dir == '') $new_dir = '/'; - /* Try to change directory. */ - if (@chdir($new_dir)) { - $_SESSION['cwd'] = $new_dir; - } else { - $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; - } + /* Try to change directory. */ + if (@chdir($new_dir)) { + $_SESSION['cwd'] = $new_dir; + } else { + $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; + } - } else { - /* The command is not a 'cd' command, so we execute it after - * changing the directory and save the output. */ - chdir($_SESSION['cwd']); + } elseif (trim($command) == 'exit') { + logout(); + } else { - /* Alias expansion. 
*/ - $length = strcspn($_REQUEST['command'], " \t"); - $token = substr($_REQUEST['command'], 0, $length); - if (isset($aliases[$token])) - $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length); + /* The command is not an internal command, so we execute it after + * changing the directory and save the output. */ + chdir($_SESSION['cwd']); + + // We canot use putenv() in safe mode. + if (!ini_get('safe_mode')) { + // Advice programs (ls for example) of the terminal size. + putenv('ROWS=' . $rows); + putenv('COLUMNS=' . $columns); + } + + /* Alias expansion. */ + $length = strcspn($command, " \t"); + $token = substr($command, 0, $length); + if (isset($ini['aliases'][$token])) + $command = $ini['aliases'][$token] . substr($command, $length); - $p = proc_open($_REQUEST['command'], - array(1 => array('pipe', 'w'), - 2 => array('pipe', 'w')), - $io); + $io = array(); + $p = proc_open($command, + array(1 => array('pipe', 'w'), + 2 => array('pipe', 'w')), + $io); - /* Read output sent to stdout. */ - while (!feof($io[1])) { - $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), - ENT_COMPAT, 'UTF-8'); - } - /* Read output sent to stderr. */ - while (!feof($io[2])) { - $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), - ENT_COMPAT, 'UTF-8'); - } - - fclose($io[1]); - fclose($io[2]); - proc_close($p); + /* Read output sent to stdout. */ + while (!feof($io[1])) { + $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), + ENT_COMPAT, 'UTF-8'); + } + /* Read output sent to stderr. */ + while (!feof($io[2])) { + $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), + ENT_COMPAT, 'UTF-8'); + } + + fclose($io[1]); + fclose($io[2]); + proc_close($p); + } } - } - /* Build the command history for use in the JavaScript */ - if (empty($_SESSION['history'])) { - $js_command_hist = '""'; - } else { - $escaped = array_map('addslashes', $_SESSION['history']); - $js_command_hist = '"", "' . implode('", "', $escaped) . 
'"'; - } + /* Build the command history for use in the JavaScript */ + if (empty($_SESSION['history'])) { + $js_command_hist = '""'; + } else { + $escaped = array_map('addslashes', $_SESSION['history']); + $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; + } } -header('Content-Type: text/html; charset=UTF-8'); -/* Since most installations still operate with short_open_tag enabled, - * we have to echo this string from within PHP: */ -echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n"; ?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" + "http://www.w3.org/TR/html4/strict.dtd"> +<html> <head> - <title>PhpShell 2.0</title> - <link rel="stylesheet" href="phpshell.css" type="text/css" /> + <title>PHP Shell 2.1</title> + <link rel="stylesheet" href="style.css" type="text/css"> + + <script type="text/javascript"> + <?php if ($_SESSION['authenticated']) { ?> - <script type="text/javascript" language="JavaScript"> var current_line = 0; var command_hist = new Array(<?php echo $js_command_hist ?>); var last = 0; 
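Review bot: In the "Attempt authentication" block of this phpshell.php hunk, `list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);` followed by `$_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);` calls whatever function name the config entry contains and compares the digest with loose `==`. Check `$fkt` against a fixed list (md5, sha1) before calling it, and compare with `===`, since `==` treats two numeric-looking strings such as "0e1" and "0e2" as equal; the same applies to the clear-text branch and to `$nounce == $_SESSION['nounce']`. Related points in the same hunk: logout() leaves both the cookie reset and session_destroy() commented out and a successful login never calls session_regenerate_id(), so the pre-login session id stays valid across login and logout; error_handler() interpolates `$errstr` into the HTML passed to die() without htmlspecialchars(); and `$rows` / `$columns` go from $_POST into putenv() unvalidated, so cast them to int when they are read.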
@@ -202,86 +297,112 @@ } -function init() { - document.shell.setAttribute("autocomplete", "off"); - document.shell.output.scrollTop = document.shell.output.scrollHeight; - document.shell.command.focus(); -} + function init() { + document.shell.setAttribute("autocomplete", "off"); + document.shell.output.scrollTop = document.shell.output.scrollHeight; + document.shell.command.focus(); + } + + <?php } else { ?> + function init() { + document.shell.username.focus(); + } + + <?php } ?> </script> </head> <body onload="init()"> -<h1>PhpShell 2.0</h1> +<h1>PHP Shell 2.1</h1> -<?php if (!$authenticated) { ?> -<p>You failed to authenticate yourself to PhpShell. You can <a -href="<?php echo $_SERVER['PHP_SELF'] ?>">reload</a> to try again.</p> +<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> -<p>Try reading the <a href="INSTALL">INSTALL</a> file if you're having -problems with installing PhpShell.</p> +<?php +if (!$_SESSION['authenticated']) { + /* Genereate a new nounce every time we preent the login page. This binds + * each login to a unique hit on the server and prevents the simple replay + * attack where one uses the back button in the browser to replay the POST + * data from a login. */ + $_SESSION['nounce'] = mt_rand(); -</body> -</html> +?> -<?php // ' <-- fix syntax highlight in Emacs - exit; -} +<fieldset> + <legend>Authentication</legend> -error_reporting (E_ALL); + <?php + if (!empty($username)) + echo ' <p class="error">Login failed, please try again:</p>' . 
"\n"; + else + echo " <p>Please login:</p>\n"; + ?> -if (empty($_REQUEST['rows'])) $_REQUEST['rows'] = 24; + <p>Username: <input name="username" type="text" value="<?php echo $username + ?>"></p> -?> + <p>Password: <input name="password" type="password"></p> -<p>Current Working Directory: <code><?php echo $_SESSION['cwd'] ?></code></p> + <p><input type="submit" value="Login"></p> -<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> -<div> -<textarea name="output" readonly="readonly" cols="80" rows="<?php echo $_REQUEST['rows'] ?>"> + <input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; ?>"> + +</fieldset> + +<?php } else { /* Authenticated. */ ?> + +<fieldset> + <legend>Current Working Directory: <code><?php + echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8'); + ?></code></legend> + + +<div id="terminal"> +<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>"> <?php $lines = substr_count($_SESSION['output'], "\n"); -$padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines)); +$padding = str_repeat("\n", max(0, $rows+1 - $lines)); echo rtrim($padding . 
$_SESSION['output']); ?> </textarea> -<p class="prompt"> - $ <input class="prompt" name="command" type="text" - onkeyup="key(event)" size="78" tabindex="1"> +<p id="prompt"> + $ <input name="command" type="text" + onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1"> </p> </div> + <p> - <input type="submit" value="Execute Command" /> - <input type="submit" name="reset" value="Reset" /> - Rows: <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" /> + <span style="float: right">Size: <input type="text" name="rows" size="2" + maxlength="3" value="<?php echo $rows ?>"> × <input type="text" + name="columns" size="2" maxlength="3" value="<?php echo $columns + ?>"></span> + +<input type="submit" value="Execute Command"> + <input type="submit" name="logout" value="Logout"> </p> + +</fieldset> + +<?php } ?> + </form> -<hr /> -<p>Please consult the <a href="README">README</a> and <a -href="INSTALL">INSTALL</a> files for instruction on how to use -PhpShell.</p> +<hr> -<hr /> +<p>Please consult the <a href="README">README</a>, <a +href="INSTALL">INSTALL</a>, and <a href="SECURITY">SECURITY</a> files for +instruction on how to use PHP Shell.</p> + +<hr> <address> -Copyright © 2000–2004, <a -href="mailto:gim...@gi...">Martin Geisler</a>. Get the +Copyright © 2000–2005, <a +href="mailto:mge...@mg...">Martin Geisler</a>. Get the latest version at <a -href="http://www.gimpster.com/wiki/PhpShell">www.gimpster.com/wiki/PhpShell</a>. +href="http://mgeisler.net/php-shell/">mgeisler.net/php-shell/</a>. </address> -<p> - <a href="http://validator.w3.org/check/referer"> - <img src="valid-xhtml10.png" alt="Valid XHTML 1.0 Strict!" - height="31" width="88" /> - </a> - <a href="http://jigsaw.w3.org/css-validator/check/referer"> - <img src="vcss.png" alt="Valid CSS!" width="88" height="31" /> - </a> -</p> - </body> </html> --- NEW FILE: SECURITY --- SECURITY file for PHP Shell 2.1 Copyright (C) 2005 Martin Geisler <mge...@mg...> Licensed under the GNU GPL. 
See the file COPYING for details. PHP Security ============ Installing PHP on your server is an inheriently dangerous thing to do, somewhat similar to the danger one faces when one buys a car: it might kill you if you have an accident. On the other hand a car makes so many things so much more convenient, so most people are willing to accept the risk of accidents. Likewise, PHP is a powerful tool which will let you build your webpages easier and faster than without. But it is a *very* powerful tool --- PHP is a full programming language which can be used for general purpose programming and not just to format HTML for display in a browser. So PHP has support for reading and writing files on the filesystem. But PHP also has support for *deleting* files. PHP even has support for executing other programs. In other words, PHP has lots of support for interacting with the rest of the computer it runs on. This interaction is potentially much more powerful than you want it to, and this can be a problem if this power ends up in the wrong hands. What about Safe Mode? --------------------- As they note in the PHP manual, Safe Mode is an inherently wrong way to secure PHP, but is nevertheless used in many installations. Turning Safe Mode on in PHP basically tries to restrict the language and its functions to make it "safe". This involves a strict check on file ownership so that PHP wont operate on files and directories which are not owned by the owner of the current script. Other restrictions in Safe Mode include limits on which files can be executed and includes (thus making a primitive form of chroot or jail around the PHP script). PHP Shell is made mostly useless with Safe Mode since it restricts the two commands that PHP Shell uses: ``chdir()`` and ``proc_open()``: * With Safe Mode you cannot change to a directory unless you are the owner of that directory. This means that you cannot change to, say, ``/etc`` since ``root`` own that directory. 
You'll see this when 'cd /etc' results in this error from PHP Shell: chdir(): SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc owned by uid 0 cd: could not change to: /etc * When Safe Mode is active, PHP forces the argument to ``proc_open()`` to be escaped, which means that you cannot use normal shell wildcards, pipes or any such stuff. So if you enter 'ls *.txt' in a directory where you know for certain that there is a text file ending in '.txt', you will get the following error: /bin/ls: *.txt: No such file or directory This is because PHP has silently changed the command into 'ls \*.txt' to disable the wildcard. * You cannot execute programs unless they are placed in a directory listed in ``safe_mode_exec_dir``. Say you want to execute the program ``tr`` (which translates between sets of characters) and you get this strange messages back: sh: line 1: /bin/tr: No such file or directory Then you have a problem with the ``safe_mode_exec_dir`` setting. In this case ``safe_mode_exec_dir`` is set to just ``/bin`` and so PHP has forced the shell to execute ``/bin/tr`` and since ``tr`` is installed in ``/usr/bin`` it could not be found. If you have write access to a directory listed in ``safe_mode_exec_dir``, then try copying the wanted program there first. Executing it should now work. Even without enabling Safe Mode some functions might have been disabled via the ``disabled_functions`` setting. If the ``proc_open()`` function used by PHP Shell has been disabled, then you will see an error like this: Fatal Error! proc_open() has been disabled for security reasons in /path/to/your/installation/phpshell.php, line 221. PHP Shell Security ================== As noted above, PHP is a powerful tool --- how does PHP Shell fit into this? PHP Shell is actually quite simple and does one thing: it uses the standard PHP function ``proc_open()`` to execute programs. 
Executing other programs is probably the most powerful thing you can do in PHP, and so PHP Shell gives you a convenient interface to this the most powerful feature of PHP. Nothing more. Is PHP Shell Dangerous? ----------------------- Short answer: *yes*! PHP Shell has been used in the past by people with not-so-good intentions to destroy valuable content on servers. The longer answer is that installing PHP Shell is like building a new door in your house --- if you leave it unlocked, then people can (and probably will!) walk into it and steal your posessions. So you want to lock it, and make sure you use a good lock. With PHP Shell that is equivalent of using a secure password. A secure password is one which is hard to guess (make it long, make it random, and put both numbers, special characters and normal letters in it). Remember that guessing the password is all that stands between the crackers and your files! If you use a good password, then PHP Shell does not make your system any more unsecure than it already was. Security is always a matter of finding the weakest link in the chain: if you use FTP with a simple password for updating your site, then it would be much easier for the crackers to attack that instead of trying to guess your super-hard PHP Shell password. So make sure that you tighten security on all fronts you know of. If you have suggestions for improvements to this little guide in system security, then please do not hesitate to contact <mge...@mg...>. --- release.sh DELETED --- --- valid-xhtml10.png DELETED --- |
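Review bot: In the new login fieldset of phpshell.php, the Username input prints $username into its value attribute without htmlspecialchars(), although the same hunk does escape $_SESSION['cwd']. Unless $username is escaped where it is assigned (outside this hunk), a failed login reflects whatever markup was submitted, so escape it at the point of output with ENT_QUOTES. The replay nonce comes from mt_rand(), which is not a cryptographically secure generator; take it from a secure random source instead. The comment above it needs a spelling pass ("Genereate", "preent"), and "nounce" is presumably meant to be "nonce", including in the form field and session key names.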
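Review bot: The new SECURITY file calls the setting "disabled_functions" in the paragraph about proc_open() being switched off; the php.ini directive is disable_functions, so a reader searching their configuration for the name as written will not find it. The sample error in that paragraph hard-codes "line 221", which will go stale as phpshell.php changes, so say "line N" or drop the number. Please also fix "inheriently", "posessions", "wont" and "this strange messages" before release.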
From: Martin G. <mge...@us...> - 2006-01-13 17:38:39
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23343 Modified Files: ChangeLog INSTALL README phpshell.css phpshell.php release.sh Log Message: Imported PHP Shell version 2.0. Index: ChangeLog =================================================================== RCS file: /cvsroot/phpshell/phpshell/ChangeLog,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- ChangeLog 13 Jan 2006 17:34:25 -0000 1.5 +++ ChangeLog 13 Jan 2006 17:38:31 -0000 1.6 @@ -1,3 +1,31 @@ +2004-03-27 Martin Geisler <gim...@gi...> + + * phpshell.php 1.29: Removed debug output. + + * README 1.11: Updated documentation for new cool shell-like interface. + + * INSTALL 1.5: + Updated documentation about the command substitution using alises. + + * phpshell.css 1.2: + New styles to make the textarea and input box blend together. + + * phpshell.php 1.28: A little documentation for the alias feature. + + * phpshell.php 1.27: + The shell now looks and behaves much more like a real shell: the shell + now has a commandline history just like a real shell. + + The parsing of 'cd' commands have been rewritten so that even more + special cases are taken care of, and simple command substitution using + aliases have been introduced. + +2004-03-24 Martin Geisler <gim...@gi...> + + * phpshell.php 1.26: + Increased year of copyright to 2004. Fixed the references to the PNG + images, as pointed out by Michael Z. Bell. + 2003-11-11 Martin Geisler <gim...@gi...> * AUTHORS 1.6: Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- README 13 Jan 2006 17:34:25 -0000 1.5 +++ README 13 Jan 2006 17:38:31 -0000 1.6 
@@ -1,5 +1,5 @@ -README for PhpShell 1.9 -Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> +README for PhpShell 2.0 +Copyright (C) 2000-2004 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. What is PhpShell? @@ -20,7 +20,7 @@ programs have to be strictly command-line programs, and they will have no chance of getting user input after they have been lunched. They probably also have to terminate within 30 seconds, as this is the -default time-limit imposed unto all PHP-scripts, to prevent them from +default time-limit imposed unto all PHP scripts, to prevent them from running in an infinite loop. Your ISP may have set this time-limit to something else. @@ -51,9 +51,8 @@ You may not be the same user when using PhpShell, as you are when you upload your files with ftp. On some systems you will be 'nobody', on other systems you will become 'httpd' or 'www-data'. This is a rather -dangerous "feature" of PhpShell! So use it at your own risk --- I -wont be responsible if your account is closed or something like that -happens. +dangerous "feature" of PhpShell! So use it at your own risk and +remember to choose a good password as described in the INSTALL file. If you want to execute code as different user, then it's possible to do so by using the Sudo program available from this address: 
@@ -66,47 +65,26 @@ this. -How to use it +How to Use It ------------- When you point your browser at PhpShell and types in your password (see the file INSTALL for more information on how to change the -password), you'll be presented with a rather simple page. It has the -following elements: - -The Command Input box: - Here you can type a command, and when you press the "Execute" button - the command will be executed in the current working directory. - - If your command is 'cd something', then it won't be executed like an - ordinary command --- the current working directory will be updated - instead. This works with both relative and absolute paths. - - And if your command is 'ls', then it will be changed to 'ls -F'. - This makes ls append indicators to the filenames: directories end with - a slash, executable files will end with an asterisk and so on. +password), you'll be presented with a rather simple page containing +nothing much except a big window with the cursor blinking at the +bottom, signaling that it's ready to obey your commands. -The current working directory: - This is the directory where all command are being executed. You can - use the dropdown-box to choose a new working directory. To quickly - jump toward the root of the filesystem, just click on one of the - links to jump to that directory. +Write a command and press RET --- or alternatively, press the 'Execute +Command' button if you insist. The command will be executed and the +result will be shows in the terminal. You can now enter another +command. -The Output - Here goes the output from your commands. You will be able to scroll - thought the box if the output is to large to fit inside. It is only - output to stdout that goes into the Output box. This can be rather - confusing, because then sometimes you just don't get any output. - I've made a workaround, that fixes the problem most of the time. 
If - you select "Enable stderr-trapping" your command <cmd> will be - executed this way: - - <cmd> 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt +To be more precise: the terminal is updated with the command line you +have just executed, the output of the command to standard out (stdout) +and following that any error output sent to stderr. - It is done by simply appending the arguments to your command. It - redirects all output from your command to a file, both stdout and - stderr. It then shows the file, and cleans things up when finished. - It's quick and dirty, and will only work if you haven't already - redirected the output. +The commands are executed relative to a current working directory, +which is written at the top. You change this by the normal 'cd' +command. Download @@ -126,7 +104,6 @@ This file :-) INSTALL - Tells you how to install PhpShell. Amoung other things, it explains how to change the password protection so that you can use PhpShell. @@ -140,4 +117,4 @@ PhpShell. COPYING - Standard GNU disclaimer + Standard GNU disclaimer. Index: phpshell.css =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.css,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- phpshell.css 13 Jan 2006 17:29:47 -0000 1.1 +++ phpshell.css 13 Jan 2006 17:38:31 -0000 1.2 
@@ -12,9 +12,26 @@ } img { - border: 0; + border: none; } -legend { - font-weight: bold; +div { + border: inset 2px red; +} + +textarea { + width: 100%; + border: none; + padding: 2px 2px 0px; +} + +p.prompt { + font-family: monospace; + margin: 0px; + padding: 0px 2px 2px; +} + +input.prompt { + border: none; + font-family: monospace; } Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- INSTALL 13 Jan 2006 17:34:25 -0000 1.4 +++ INSTALL 13 Jan 2006 17:38:31 -0000 1.5 @@ -1,19 +1,20 @@ -Installation instructions for PhpShell 1.9 -Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> +Installation instructions for PhpShell 2.0 +Copyright (C) 2000-2004 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. -Getting the tarball +Getting the Tarball ------------------- -You can always get the latest version from my homepage: +You can always get the latest version of PhpShell from my homepage: http://www.gimpster.com/wiki/PhpShell Installation ------------ -Installation is easy: first unpack the tarball or zipfile into your -webserver. This will create a subdirectory called phpweather-1.9. +Installation is easy: first unpack the tarball or zipfile downloaded +from the above website into your webserver. This will create a +subdirectory called phpweather-2.0 for PhpShell version 2.0. If you're using PhpShell on an Apache webserver running PHP as a module, then PhpShell wont work until you've edited phpshell.php. You 
@@ -29,20 +30,42 @@ $passwd = array('username' => 'password'); +This can be expanded to multiple users with their own passwords in a +very simple way: + + $passwd = array('username_1' => 'password_1', + 'username_2' => 'password_2', + // ... + 'username_n' => 'password_n'); + It is important that you password-protect PhpShell with a good password. If someone is able to guess your password, then they'll have access to your webserver over the Internet, and they might be able to erase your files, and perhaps even shutdown the webserver! So be careful with this and remember that you can always find the usual -disclaimer in the file LICENSE. (This software is licensed under GPL, -I'm not responsible if you blow things up, etc... :-) +disclaimer in the file LICENSE. + + +Shell Aliases +------------- + +As in a normal shell, PhpShell supports a simple form of aliases. +Simply edit the $aliases array at the top of phpshell.php. The keys +in the array are substituted for their corresponding values before the +commands are executed --- a couple of convenient aliases are already +defined: + + $aliases = array('ls' => 'ls -CvhF', + 'll' => 'ls -lvhF'); Safe Mode --------- PhpShell doesn't work if PHP is running in Safe Mode. There is nothing I can do about this --- Safe Mode was made to prevent scripts -just like PhpShell. +just like PhpShell. So if you're worried that people will be able to +destroy your website using a tool like PhpShell, then tell your +provider to enable Safe Mode as this makes PHP much less evil. Bugs? Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- phpshell.php 13 Jan 2006 17:34:25 -0000 1.5 +++ phpshell.php 13 Jan 2006 17:38:31 -0000 1.6 
@@ -3,15 +3,15 @@ /* ************************************************************** - * PhpShell 1.9 * + * PhpShell 2.0 * ************************************************************** $Id$ - PhpShell is an interactive PHP-page that will execute any command + PhpShell is an interactive PHP script that will execute any command entered. See the files README and INSTALL or http://www.gimpster.com/wiki/PhpShell for further information. - Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> + Copyright (C) 2000-2004 Martin Geisler <gim...@gi...> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License 
@@ -45,15 +45,127 @@ */ $passwd = array(); +/* Set your aliases here. Each key in the array will be substituted + * with the corresponding value before the commands are executed. */ +$aliases = array('ls' => 'ls -CvhF', + 'll' => 'ls -lvhF'); + if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($passwd[$_SERVER['PHP_AUTH_USER']]) || $passwd[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) { - header('WWW-Authenticate: Basic realm="PhpShell 1.9"'); + header('WWW-Authenticate: Basic realm="PhpShell 2.0"'); header('HTTP/1.0 401 Unauthorized'); $authenticated = false; } else { $authenticated = true; + + /* We now start the session. */ + session_start(); + + /* Initialize the session variables. */ + if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) { + $_SESSION['cwd'] = getcwd(); + $_SESSION['history'] = array(); + $_SESSION['output'] = ''; + } + + if (!empty($_REQUEST['command'])) { + if (get_magic_quotes_gpc()) { + /* We don't want to add the commands to the history in the + * escaped form, so we remove the backslashes now. */ + $_REQUEST['command'] = stripslashes($_REQUEST['command']); + } + + /* Save the command for late use in the JavaScript. If the + * command is already in the history, then the old entry is + * removed before the new entry is put into the list at the + * front. */ + if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false) + unset($_SESSION['history'][$i]); + + array_unshift($_SESSION['history'], $_REQUEST['command']); + + /* Now append the commmand to the output. */ + $_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n"; + + /* Initialize the current working directory. */ + if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) { + $_SESSION['cwd'] = dirname(__FILE__); + } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) { + /* The current command is a 'cd' command which we have to handle + * as an internal shell command. 
*/ + + if ($regs[1][0] == '/') { + /* Absolute path, we use it unchanged. */ + $new_dir = $regs[1]; + } else { + /* Relative path, we append it to the current working + * directory. */ + $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; + } + + /* Transform '/./' into '/' */ + while (strpos($new_dir, '/./') !== false) + $new_dir = str_replace('/./', '/', $new_dir); + + /* Transform '//' into '/' */ + while (strpos($new_dir, '//') !== false) + $new_dir = str_replace('//', '/', $new_dir); + + /* Transform 'x/..' into '' */ + while (preg_match('|/\.\.(?!\.)|', $new_dir)) + $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); + + if ($new_dir == '') $new_dir = '/'; + + /* Try to change directory. */ + if (@chdir($new_dir)) { + $_SESSION['cwd'] = $new_dir; + } else { + $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; + } + + } else { + /* The command is not a 'cd' command, so we execute it after + * changing the directory and save the output. */ + chdir($_SESSION['cwd']); + + /* Alias expansion. */ + $length = strcspn($_REQUEST['command'], " \t"); + $token = substr($_REQUEST['command'], 0, $length); + if (isset($aliases[$token])) + $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length); + + $p = proc_open($_REQUEST['command'], + array(1 => array('pipe', 'w'), + 2 => array('pipe', 'w')), + $io); + + /* Read output sent to stdout. */ + while (!feof($io[1])) { + $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), + ENT_COMPAT, 'UTF-8'); + } + /* Read output sent to stderr. */ + while (!feof($io[2])) { + $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), + ENT_COMPAT, 'UTF-8'); + } + + fclose($io[1]); + fclose($io[2]); + proc_close($p); + } + } + + /* Build the command history for use in the JavaScript */ + if (empty($_SESSION['history'])) { + $js_command_hist = '""'; + } else { + $escaped = array_map('addslashes', $_SESSION['history']); + $js_command_hist = '"", "' . implode('", "', $escaped) . 
'"'; + } } header('Content-Type: text/html; charset=UTF-8'); @@ -65,13 +177,43 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> - <title>PhpShell 1.9</title> + <title>PhpShell 2.0</title> <link rel="stylesheet" href="phpshell.css" type="text/css" /> + + <script type="text/javascript" language="JavaScript"> + var current_line = 0; + var command_hist = new Array(<?php echo $js_command_hist ?>); + var last = 0; + + function key(e) { + if (!e) var e = window.event; + + if (e.keyCode == 38 && current_line < command_hist.length-1) { + command_hist[current_line] = document.shell.command.value; + current_line++; + document.shell.command.value = command_hist[current_line]; + } + + if (e.keyCode == 40 && current_line > 0) { + command_hist[current_line] = document.shell.command.value; + current_line--; + document.shell.command.value = command_hist[current_line]; + } + + } + +function init() { + document.shell.setAttribute("autocomplete", "off"); + document.shell.output.scrollTop = document.shell.output.scrollHeight; + document.shell.command.focus(); +} + + </script> </head> -<body onload="document.forms[0].command.focus();"> +<body onload="init()"> -<h1>PhpShell 1.9</h1> +<h1>PhpShell 2.0</h1> <?php if (!$authenticated) { ?> <p>You failed to authenticate yourself to PhpShell. You can <a 
@@ -89,141 +231,43 @@ error_reporting (E_ALL); -$work_dir = empty($_REQUEST['work_dir']) ? '' : $_REQUEST['work_dir']; -$command = empty($_REQUEST['command']) ? '' : $_REQUEST['command']; -$stderr = empty($_REQUEST['stderr']) ? '' : $_REQUEST['stderr']; - -/* First we check if there has been asked for a working directory. */ -if ($work_dir != '') { - /* A workdir has been asked for */ - if ($command != '') { - if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { - /* We try and match a cd command. */ - if ($regs[1][0] == '/') { - $new_dir = $regs[1]; // 'cd /something/...' - } else { - $new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...' - $new_dir = str_replace('/./', '/', $new_dir); - $new_dir = preg_replace('|/?[^/]*/\.\.|', '$1', $new_dir); - } - if (file_exists($new_dir) && is_dir($new_dir)) { - $work_dir = $new_dir; - } - $command = ''; - } - } -} - -if ($work_dir != '' && file_exists($work_dir) && is_dir($work_dir)) { - /* We change directory to that dir: */ - chdir($work_dir); -} +if (empty($_REQUEST['rows'])) $_REQUEST['rows'] = 24; -/* We now update $work_dir to avoid things like '/foo/../bar': */ -if ($work_dir == '') $work_dir = getcwd(); ?> -<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> -<fieldset><legend>Input</legend> -<p>Current working directory: <b> -<?php - -$work_dir_splitted = explode('/', substr($work_dir, 1)); - -echo '<a href="' . $_SERVER['PHP_SELF'] . '?work_dir=/">Root</a>/'; - -if (!empty($work_dir_splitted[0])) { - $path = ''; - for ($i = 0; $i < count($work_dir_splitted); $i++) { - $path .= '/' . 
$work_dir_splitted[$i]; - printf('<a href="%s?work_dir=%s">%s</a>/', - $_SERVER['PHP_SELF'], - urlencode($path), - $work_dir_splitted[$i]); - } -} +<p>Current Working Directory: <code><?php echo $_SESSION['cwd'] ?></code></p> -?></b></p> -<p>Choose new working directory: -<select name="work_dir" onchange="this.form.submit()"> +<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> +<div> +<textarea name="output" readonly="readonly" cols="80" rows="<?php echo $_REQUEST['rows'] ?>"> <?php -/* Now we make a list of the directories. */ -$dir_handle = opendir($work_dir); -/* We store the output so that we can sort it later: */ -$options = array(); -/* Run through all the files and directories to find the dirs. */ -while ($dir = readdir($dir_handle)) { - if (is_dir($dir)) { - if ($dir == '.') { - $options['.'] = "<option value=\"$work_dir\" selected=\"selected\">Current Directory</option>"; - } elseif ($dir == '..') { - /* We have found the parent dir. We must be carefull if the - * parent directory is the root directory (/). */ - if (strlen($work_dir) == 1) { - /* work_dir is only 1 charecter - it can only be / There's no - * parent directory then. */ - } elseif (strrpos($work_dir, '/') == 0) { - /* The last / in work_dir were the first charecter. This - * means that we have a top-level directory eg. /bin or /home - * etc... */ - $options['..'] = "<option value=\"/\">Parent Directory</option>"; - } else { - /* We do a little bit of string-manipulation to find the parent - * directory... Trust me - it works :-) */ - $options['..'] = "<option value=\"" . - strrev(substr(strstr(strrev($work_dir), "/"), 1)) . 
- "\">Parent Directory</option>"; - } - } else { - if ($work_dir == '/') { - $options[$dir] = "<option value=\"/$dir\">$dir</option>"; - } else { - $options[$dir] = "<option value=\"$work_dir/$dir\">$dir</option>"; - } - } - } -} -closedir($dir_handle); - -ksort($options); - -echo implode("\n", $options) - +$lines = substr_count($_SESSION['output'], "\n"); +$padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines)); +echo rtrim($padding . $_SESSION['output']); ?> +</textarea> +<p class="prompt"> + $ <input class="prompt" name="command" type="text" + onkeyup="key(event)" size="78" tabindex="1"> +</p> +</div> +<p> + <input type="submit" value="Execute Command" /> + <input type="submit" name="reset" value="Reset" /> + Rows: <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" /> +</p> +</form> -</select></p> - -<p>Command: <input type="text" name="command" size="60" /></p> - -<p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr" -<?php if ($stderr) echo "checked=\"checked\""; ?> /> <input name="submit_btn" type="submit" value="Execute Command" /></p> -</fieldset> - -<fieldset><legend>Output</legend> - -<p><textarea cols="80" rows="20" readonly="readonly"> -<?php -if (!empty($command)) { - if ($command == 'ls') { - /* ls looks much better with ' -F', IMHO. */ - $command .= ' -F'; - } - if ($stderr) { - $tmpfile = tempnam('/tmp', 'phpshell'); - $command .= " 1> $tmpfile 2>&1; cat $tmpfile; rm $tmpfile"; - } - echo htmlspecialchars(shell_exec($command), ENT_COMPAT, 'UTF-8'); -} -?> -</textarea></p> +<hr /> -</fieldset> -</form> +<p>Please consult the <a href="README">README</a> and <a +href="INSTALL">INSTALL</a> files for instruction on how to use +PhpShell.</p> <hr /> <address> -Copyright © 2000–2003, <a +Copyright © 2000–2004, <a href="mailto:gim...@gi...">Martin Geisler</a>. Get the latest version at <a href="http://www.gimpster.com/wiki/PhpShell">www.gimpster.com/wiki/PhpShell</a>. 
@@ -231,13 +275,11 @@ <p> <a href="http://validator.w3.org/check/referer"> - <img src="valid-xhtml10" alt="Valid XHTML 1.0 Strict!" + <img src="valid-xhtml10.png" alt="Valid XHTML 1.0 Strict!" height="31" width="88" /> </a> <a href="http://jigsaw.w3.org/css-validator/check/referer"> - <img src="http://jigsaw.w3.org/css-validator/images/vcss" - width="88" height="31" - alt="Valid CSS!" /> + <img src="vcss.png" alt="Valid CSS!" width="88" height="31" /> </a> </p> Index: release.sh =================================================================== RCS file: /cvsroot/phpshell/phpshell/release.sh,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- release.sh 13 Jan 2006 17:34:25 -0000 1.1 +++ release.sh 13 Jan 2006 17:38:31 -0000 1.2 @@ -2,7 +2,7 @@ #set -x -VERSION=1.9 +VERSION=2.0 echo "Releasing phpshell-$VERSION:" |
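Review bot: In the non-cd branch of the phpshell.php hunk at -45,15 +45,127 the result of proc_open() is never checked, and stdout is read to end-of-file before stderr is touched. If proc_open() fails (for instance because it is disabled), $io is not populated and the feof() loops run on an invalid handle; and a child that writes more to stderr than the pipe holds blocks while the script is still waiting on stdout, so neither side makes progress. Test is_resource($p) before reading, and drain both pipes together or send stderr into the same pipe. In the same hunk the command line is appended to $_SESSION['output'] as '$ ' . $_REQUEST['command'] without htmlspecialchars(), while the program output stored in that variable is escaped; the two should be treated the same, since both are printed inside the textarea.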
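Review bot: In the script block added at -65,13 +177,43, command_hist is filled from $js_command_hist, and that string is built with addslashes() only. addslashes() covers quotes, backslashes and NUL, but not line breaks or a closing script tag, so a history entry containing either one ends the string literal or the script element early. Encode the entries for a JavaScript-inside-HTML context: escape the angle brackets and line terminators as well as the quotes.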
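Review bot: In the hunk at -89,141 +231,43, $_REQUEST['rows'] is echoed exactly as received into the rows attribute of the textarea and the value attribute of the Rows input, and is also used in the str_repeat() arithmetic. Cast it to an integer once, clamp it to a sensible range, and print the cast value. $_SESSION['cwd'] is likewise printed inside the code element without htmlspecialchars(), and a directory name may contain < or &.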
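Review bot: The rewritten Installation paragraph in INSTALL still says that unpacking creates "a subdirectory called phpweather-2.0 for PhpShell version 2.0". That is the wrong project name; release.sh in this same commit prints phpshell-$VERSION, so this presumably should read phpshell-2.0. The password paragraph also sends the reader to "the file LICENSE", while the header of the same file names COPYING. Minor: "alises" in the new ChangeLog entry, and "lunched" and "will be shows" in README.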
From: Martin G. <mge...@us...> - 2006-01-13 17:34:34
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22607 Modified Files: AUTHORS ChangeLog INSTALL README phpshell.php Added Files: release.sh Log Message: Imported PHP Shell version 1.9. Index: ChangeLog =================================================================== RCS file: /cvsroot/phpshell/phpshell/ChangeLog,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- ChangeLog 13 Jan 2006 17:29:47 -0000 1.4 +++ ChangeLog 13 Jan 2006 17:34:25 -0000 1.5 @@ -1,3 +1,18 @@ +2003-11-11 Martin Geisler <gim...@gi...> + + * AUTHORS 1.6: + Added Wolfgang Dautermann <wol...@fh...>. + + * phpshell.php 1.25: + Ups, I commited with $passwd = array('foo' => 'bar'). + + * phpshell.php 1.24: + Wolfgang Dautermann <wol...@fh...> suggested + that the directory list should be sorted. + + Also, changing directory through symbolic links now works as expected, + so that it's possible to go back using 'cd ..'. + 2003-04-01 Martin Geisler <gim...@gi...> * INSTALL 1.4: @@ -23,11 +38,6 @@ * phpshell.php 1.21: Added HTTP basic authentication to the script. - * .htaccess 1.2: - The .htaccess file will now prevent people from using phpshell.php on - new installations before they have either deleted it or changed the - path to the .htpasswd file. - * AUTHORS 1.5: Moved Jeremy Miller <JM...@ma...>. * phpshell.php 1.20: Updated version. @@ -122,7 +132,7 @@ * INSTALL 1.2: Made BUGS lowercase. - * .htaccess 1.1, INSTALL 1.1, README 1.1: New file. + * INSTALL 1.1, README 1.1: New file. * phpshell.php 1.7: Removed 'Martin Geisler' from the title, putting my name on the bottom Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- README 13 Jan 2006 17:29:47 -0000 1.4 +++ README 13 Jan 2006 17:34:25 -0000 1.5 
@@ -1,4 +1,4 @@ -README for PhpShell 1.8 +README for PhpShell 1.9 Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- INSTALL 13 Jan 2006 17:29:47 -0000 1.3 +++ INSTALL 13 Jan 2006 17:34:25 -0000 1.4 @@ -1,4 +1,4 @@ -Installation instructions for PhpShell 1.8 +Installation instructions for PhpShell 1.9 Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. @@ -13,7 +13,7 @@ Installation ------------ Installation is easy: first unpack the tarball or zipfile into your -webserver. This will create a subdirectory called phpweather-1.8. +webserver. This will create a subdirectory called phpweather-1.9. If you're using PhpShell on an Apache webserver running PHP as a module, then PhpShell wont work until you've edited phpshell.php. You Index: AUTHORS =================================================================== RCS file: /cvsroot/phpshell/phpshell/AUTHORS,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- AUTHORS 13 Jan 2006 17:29:47 -0000 1.4 +++ AUTHORS 13 Jan 2006 17:34:25 -0000 1.5 @@ -1,4 +1,4 @@ -Main author: Martin Geisler <gim...@gi...> +Main author: Martin Geisler <gim...@gi...> -*- text -*- Thanks goes to all these persons who have helped: 
@@ -22,3 +22,7 @@ Michael Zech <ke...@we...> Patch to make the stderr-checkbox remember it's state. + +Wolfgang Dautermann <wol...@fh...> + Multiple patches, including the sorting of directory entries in the + drop down box. Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- phpshell.php 13 Jan 2006 17:29:47 -0000 1.4 +++ phpshell.php 13 Jan 2006 17:34:25 -0000 1.5 @@ -3,11 +3,11 @@ /* ************************************************************** - * PhpShell 1.8 * + * PhpShell 1.9 * ************************************************************** $Id$ - PhpShell is aninteractive PHP-page that will execute any command + PhpShell is an interactive PHP-page that will execute any command entered. See the files README and INSTALL or http://www.gimpster.com/wiki/PhpShell for further information. @@ -30,8 +30,6 @@ */ -define('PHPSHELL_VERSION', '1.8'); - /* Set your usernames and passwords like this: $passwd = array('username' => 'password'); @@ -51,7 +49,7 @@ !isset($_SERVER['PHP_AUTH_PW']) || !isset($passwd[$_SERVER['PHP_AUTH_USER']]) || $passwd[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) { - header('WWW-Authenticate: Basic realm="PhpShell 1.8"'); + header('WWW-Authenticate: Basic realm="PhpShell 1.9"'); header('HTTP/1.0 401 Unauthorized'); $authenticated = false; } else { 
@@ -67,16 +65,17 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> - <title>PhpShell <?php echo PHPSHELL_VERSION ?></title> + <title>PhpShell 1.9</title> <link rel="stylesheet" href="phpshell.css" type="text/css" /> </head> -<body> -<h1>PhpShell <?php echo PHPSHELL_VERSION ?></h1> +<body onload="document.forms[0].command.focus();"> + +<h1>PhpShell 1.9</h1> <?php if (!$authenticated) { ?> <p>You failed to authenticate yourself to PhpShell. You can <a -href="phpshell.php">reload</a> to try again.</p> +href="<?php echo $_SERVER['PHP_SELF'] ?>">reload</a> to try again.</p> <p>Try reading the <a href="INSTALL">INSTALL</a> file if you're having problems with installing PhpShell.</p> @@ -84,9 +83,9 @@ </body> </html> -<?php exit; } //' <- fix syntax highlight... ?> - -<?php +<?php // ' <-- fix syntax highlight in Emacs + exit; +} error_reporting (E_ALL); @@ -104,6 +103,8 @@ $new_dir = $regs[1]; // 'cd /something/...' } else { $new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...' + $new_dir = str_replace('/./', '/', $new_dir); + $new_dir = preg_replace('|/?[^/]*/\.\.|', '$1', $new_dir); } if (file_exists($new_dir) && is_dir($new_dir)) { $work_dir = $new_dir; @@ -119,8 +120,7 @@ } /* We now update $work_dir to avoid things like '/foo/../bar': */ -$work_dir = exec('pwd'); - +if ($work_dir == '') $work_dir = getcwd(); ?> <form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> 
@@ -149,11 +149,13 @@ <?php /* Now we make a list of the directories. */ $dir_handle = opendir($work_dir); +/* We store the output so that we can sort it later: */ +$options = array(); /* Run through all the files and directories to find the dirs. */ while ($dir = readdir($dir_handle)) { if (is_dir($dir)) { if ($dir == '.') { - echo "<option value=\"$work_dir\" selected=\"selected\">Current Directory</option>\n"; + $options['.'] = "<option value=\"$work_dir\" selected=\"selected\">Current Directory</option>"; } elseif ($dir == '..') { /* We have found the parent dir. We must be carefull if the * parent directory is the root directory (/). */ 
@@ -164,30 +166,35 @@ /* The last / in work_dir were the first charecter. This * means that we have a top-level directory eg. /bin or /home * etc... */ - echo "<option value=\"/\">Parent Directory</option>\n"; + $options['..'] = "<option value=\"/\">Parent Directory</option>"; } else { - /* We do a little bit of string-manipulation to find the parent - * directory... Trust me - it works :-) */ - echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n"; + /* We do a little bit of string-manipulation to find the parent + * directory... Trust me - it works :-) */ + $options['..'] = "<option value=\"" . + strrev(substr(strstr(strrev($work_dir), "/"), 1)) . + "\">Parent Directory</option>"; } } else { if ($work_dir == '/') { - echo "<option value=\"$work_dir$dir\">$dir</option>\n"; + $options[$dir] = "<option value=\"/$dir\">$dir</option>"; } else { - echo "<option value=\"$work_dir/$dir\">$dir</option>\n"; + $options[$dir] = "<option value=\"$work_dir/$dir\">$dir</option>"; } } } } closedir($dir_handle); +ksort($options); + +echo implode("\n", $options) + ?> </select></p> <p>Command: <input type="text" name="command" size="60" /></p> - <p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr" <?php if ($stderr) echo "checked=\"checked\""; ?> /> <input name="submit_btn" type="submit" value="Execute Command" /></p> </fieldset> @@ -197,12 +204,13 @@ <p><textarea cols="80" rows="20" readonly="readonly"> <?php if (!empty($command)) { + if ($command == 'ls') { + /* ls looks much better with ' -F', IMHO. */ + $command .= ' -F'; + } if ($stderr) { $tmpfile = tempnam('/tmp', 'phpshell'); $command .= " 1> $tmpfile 2>&1; cat $tmpfile; rm $tmpfile"; - } elseif ($command == 'ls') { - /* ls looks much better with ' -F', IMHO. */ - $command .= ' -F'; } echo htmlspecialchars(shell_exec($command), ENT_COMPAT, 'UTF-8'); } 
@@ -212,16 +220,14 @@ </fieldset> </form> -<script type="text/javascript"> -document.forms[0].command.focus(); -</script> - <hr /> -<address>Copyright © 2000–2003, <a -href="mailto:gim...@gi...">Martin Geisler</a>. Get the latest -version at <a -href="http://www.gimpster.com/">www.gimpster.com/wiki/PhpShell</a>.</address> +<address> +Copyright © 2000–2003, <a +href="mailto:gim...@gi...">Martin Geisler</a>. Get the +latest version at <a +href="http://www.gimpster.com/wiki/PhpShell">www.gimpster.com/wiki/PhpShell</a>. +</address> <p> <a href="http://validator.w3.org/check/referer"> --- NEW FILE: release.sh --- #!/bin/zsh #set -x VERSION=1.9 echo "Releasing phpshell-$VERSION:" cd .. cp -r phpshell phpshell-$VERSION cd phpshell-$VERSION rcs2log -v \ -u "gimpster Martin Geisler gim...@gi..." \ -u "martin Martin Geisler gim...@gi..." > ChangeLog for file in phpshell.php README INSTALL; do sed -e "s/@VERSION@/$VERSION/g" $file > $file.tmp mv -f $file.tmp $file done # Clean: rm -f release.sh *.~*~ rm -fr RCS chmod 644 * cd .. # We make tarballs: ~/bin/inp phpshell-$VERSION for file in phpshell-$VERSION.*; do cp $file phpshell-latest${file#phpshell-$VERSION} done ncftpput -f ~/.ncftp/gimpster.cfg -F /web/downloads/phpshell \ phpshell-$VERSION.* phpshell-latest.* phpshell-$VERSION/ChangeLog # Remove release directory: rm -rf phpshell-$VERSION |
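Review bot: In phpshell.php at @@ -67,16 +65,17 @@, the new reload link echoes $_SERVER['PHP_SELF'] into an href without escaping, on the page that is served to visitors who have not authenticated. PHP_SELF reflects the request path, including anything appended after the script name, so it should pass through htmlspecialchars() before it is printed, the same treatment the shell_exec() output gets further down. The form action that echoes PHP_SELF needs the same change.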
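Review bot: In phpshell.php at @@ -104,6 +103,8 @@, the added preg_replace() passes '$1' as the replacement although the pattern '|/?[^/]*/\.\.|' has no capture group, and the pattern is not tied to whole path segments. Two visible consequences: 'cd ..' from a top-level directory such as /home reduces $new_dir to an empty string, which then fails the file_exists() check instead of moving to /, and a name that merely starts with two dots (a/..b) loses the preceding segment. Splitting $new_dir on '/' and dropping one segment for each '..' gives the lexical 'cd ..' through symbolic links that the ChangeLog entry describes, without these cases.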
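Review bot: In the INSTALL hunk at @@ -13,7 +13,7 @@, the unpack directory is still named phpweather-1.9. release.sh in this same commit builds phpshell-$VERSION, so the sentence should say phpshell-1.9.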
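Review bot: In the new release.sh, nothing stops the script when a step fails. If 'cp -r phpshell phpshell-$VERSION' or 'cd phpshell-$VERSION' does not succeed, the cleanup lines 'rm -f release.sh *.~*~', 'rm -fr RCS' and 'chmod 644 *' run in whatever directory the script happens to be in. A 'set -e' near the top, or '|| exit 1' on the cp and cd lines, would make the script stop there; quoting "$file" and "$VERSION" would also be worth doing while touching it.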
From: Martin G. <mge...@us...> - 2006-01-13 17:30:02
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv21491 Modified Files: AUTHORS ChangeLog INSTALL README phpshell.php Added Files: phpshell.css valid-xhtml10.png vcss.png Removed Files: sample.htaccess Log Message: Imported PHP Shell version 1.8. Index: ChangeLog =================================================================== RCS file: /cvsroot/phpshell/phpshell/ChangeLog,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- ChangeLog 13 Jan 2006 17:23:34 -0000 1.3 +++ ChangeLog 13 Jan 2006 17:29:47 -0000 1.4 @@ -1,3 +1,41 @@ +2003-04-01 Martin Geisler <gim...@gi...> + + * INSTALL 1.4: + New instructions on how to change the username and password. + + * README 1.10: + Updated to be in sync with new instructions on how the password + protection works. + + * phpshell.css 1.1: New file. + + * phpshell.php 1.23: + Updated to use XHTML 1.0 Strict and the $_* variables in PHP + 4.1.0. This effectively breaks compatibility with earlier versions of + PHP. If you cannot upgrade your PHP installation (you really should + consider upgrading to get hold of the latest security and bug fixes) + when just use PhpShell version 1.7 --- there's no new functionality in + this release. + + * COPYING 1.1: New file. + + * phpshell.php 1.22: Changed PHP Shell into PhpShell. + + * phpshell.php 1.21: Added HTTP basic authentication to the script. + + * .htaccess 1.2: + The .htaccess file will now prevent people from using phpshell.php on + new installations before they have either deleted it or changed the + path to the .htpasswd file. + + * AUTHORS 1.5: Moved Jeremy Miller <JM...@ma...>. + + * phpshell.php 1.20: Updated version. + + * AUTHORS 1.4, phpshell.php 1.19: + Applied patch from Michael Zech <ke...@we...> that made the + stderr-checkbox remember it's state. + 2002-09-18 Martin Geisler <gim...@gi...> * phpshell.php 1.18: 
@@ -84,7 +122,7 @@ * INSTALL 1.2: Made BUGS lowercase. - * sample.htaccess 1.1, INSTALL 1.1, README 1.1: New file. + * .htaccess 1.1, INSTALL 1.1, README 1.1: New file. * phpshell.php 1.7: Removed 'Martin Geisler' from the title, putting my name on the bottom --- sample.htaccess DELETED --- --- NEW FILE: vcss.png --- (This appears to be a binary file; contents omitted.) Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- README 13 Jan 2006 17:23:34 -0000 1.3 +++ README 13 Jan 2006 17:29:47 -0000 1.4 
@@ -1,42 +1,43 @@ -README for PHP Shell 1.7 -Copyright (C) 2000-2002 Martin Geisler <gim...@gi...> -Licensed under the GNU GPL. See the file COPYING for details. +README for PhpShell 1.8 +Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> +Licensed under the GNU GPL. See the file COPYING for details. -What is PHP Shell? +What is PhpShell? ------------------ -PHP Shell is a shell wrapped in a PHP script. It's a tool you can use +PhpShell is a shell wrapped in a PHP script. It's a tool you can use to execute arbitrary shell-commands or browse the filesystem on your -remote webserver. This replaces, to a degree, a normal telnet-connection. -You can use it for transferring your site as a compressed file, and -then unpack it on the webserver, administration and maintenance of -your website using commands like ps, free, du, df etc... +remote webserver. This replaces, to a degree, a normal +telnet-connection. You can use it for transferring your site as a +compressed file, and then unpack it on the webserver, administration +and maintenance of your website using commands like ps, free, du, df +etc... Limitations ----------- -There are some limitations on what kind of programs you can run. It -won't do no good if you start something like Netscape or even vi. All +There are some limitations on what kind of programs you can run. It +won't do no good if you start something like Netscape or even vi. All programs have to be strictly command-line programs, and they will have -no chance of getting user input after they have been lunched. They -properly also have to terminate within 30 seconds, as this is the +no chance of getting user input after they have been lunched. They +probably also have to terminate within 30 seconds, as this is the default time-limit imposed unto all PHP-scripts, to prevent them from -running in an infinite loop. Your ISP may have set this time-limit to +running in an infinite loop. Your ISP may have set this time-limit to something else. 
But you can rely on all the normal shell-functionality, like pipes, -output and input redirection, etc ... (There is no <tab>-completion, +output and input redirection, etc... (There is no <tab>-completion, though :-) Safe Mode --------- -If PHP is running in Safe Mode, then you cannot use PHP Shell - sorry. -Safe Mode restricts the commands that can be executed using the -system() call in PHP, and it also restricts the files and directories -that can be accessed using other calls in PHP. +If PHP is running in Safe Mode, then you cannot use PhpShell --- +sorry. Safe Mode restricts the commands that can be executed using +the shell_exec() call in PHP, and it also restricts the files and +directories that can be accessed using other calls in PHP. -The effect is, that PHP Shell simply doesn't work - you cannot change -directory and you cannot execute any commands. +The effect is, that PhpShell simply doesn't work --- you cannot +change directory and you cannot execute any commands. Safe Mode is often used on servers that host several websites for different users to limit the users ability to peek at each others 
@@ -47,30 +48,29 @@ --------- (Well, my name is Martin, but that's not the point :-) -You may not be the same user when using PHP Shell, as you are when you -upload your files with ftp. On some systems you will be 'nobody', on -other systems you will become 'httpd' or 'www-data'. This is a rather -dangerous "feature" of PHP Shell! So use it at your own risk - I wont -be responsible if your account is closed or something like that +You may not be the same user when using PhpShell, as you are when you +upload your files with ftp. On some systems you will be 'nobody', on +other systems you will become 'httpd' or 'www-data'. This is a rather +dangerous "feature" of PhpShell! So use it at your own risk --- I +wont be responsible if your account is closed or something like that happens. -If you want to execute code as different user, then it's possible -to do so by using the Sudo program available from this address: +If you want to execute code as different user, then it's possible to +do so by using the Sudo program available from this address: http://www.courtesan.com/sudo/ The trick is to configure Sudo to allow the user running the webserver -to execute certain commands as a more privileged user. Please refer to -the documentation for Sudo for further information about doing this. -Thanks goes to Jeremy Miller <JM...@ma...> for this -information.</p> +to execute certain commands as a more privileged user. Please refer +to the documentation for Sudo for further information about doing +this. How to use it ------------- -When you point your browser at PHP Shell and types in your password -(see the file INSTALL for more information on how to password-protect -PHP Shell), you'll be presented with a rather simple page. It has the +When you point your browser at PhpShell and types in your password +(see the file INSTALL for more information on how to change the +password), you'll be presented with a rather simple page. It has the following elements: The Command Input box: 
@@ -78,68 +78,66 @@ the command will be executed in the current working directory. If your command is 'cd something', then it won't be executed like an - ordinary command - the current working directory will be updated - instead. This works with both relative and absolute paths. + ordinary command --- the current working directory will be updated + instead. This works with both relative and absolute paths. And if your command is 'ls', then it will be changed to 'ls -F'. This makes ls append indicators to the filenames: directories end with a slash, executable files will end with an asterisk and so on. The current working directory: - This is the directory where all command are being executed. You can - use the dropdown-box to choose a new working directory. To quickly - jump toward the root of the filesystem, just click on - one of the links to jump to that directory. + This is the directory where all command are being executed. You can + use the dropdown-box to choose a new working directory. To quickly + jump toward the root of the filesystem, just click on one of the + links to jump to that directory. The Output - Here goes the output from your commands. You will be able to scroll - thought the box if the output is to large to fit inside. - It is only output to stdout that goes into the Output box. This can - be rather confusing, because then sometimes you just don't get any - output. - I've made a workaround, that fixes the problem. If you select - "Enable stderr-trapping" your command <command> will be executed - this way: + Here goes the output from your commands. You will be able to scroll + thought the box if the output is to large to fit inside. It is only + output to stdout that goes into the Output box. This can be rather + confusing, because then sometimes you just don't get any output. + I've made a workaround, that fixes the problem most of the time. 
If + you select "Enable stderr-trapping" your command <cmd> will be + executed this way: - <command> 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt + <cmd> 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/output.txt - It is done by simply appending the arguments to your command. It + It is done by simply appending the arguments to your command. It redirects all output from your command to a file, both stdout and - stderr. It then shows the file, and cleans things up when - finished. It's quick and dirty, and will only work if you haven't - already redirected the output. + stderr. It then shows the file, and cleans things up when finished. + It's quick and dirty, and will only work if you haven't already + redirected the output. Download -------- -You can download PHP Shell from http://www.gimpster.com. The tarball -contains these files: +You can download PhpShell from http://www.gimpster.com/wiki/PhpShell. +The tarball/zipfile contains these files: phpshell.php - This is the script you run when you use PHP Shell. + This is the script you run when you use PhpShell. ChangeLog - This file describe the changes I've made to PHP Shell. By reading it - you'll always know when I've added a new feature or made a bugfix, - and the nature of the feature/bugfix. + This file describe the changes I've made to PhpShell. By reading + it you'll always know when I've added a new feature or made a + bugfix, and the nature of the feature/bugfix. README This file :-) INSTALL - Tells you how to install PHP Shell. It explains how you can - password-protect PHP Shell - this is very important, or else - everybody will be able so snoop into your files and perhaps also be - able to delete them! I've already seen one site that were using PHP - Shell without password-protection - I was able so quickly find their - config.inc.php file from phpMyAdmin, and read the password to the - database! So please take the time to protect PHP Shell. 
-sample.htaccess - To make it extra easy for you to password-protect PHP Shell, I've - include this template for a .htaccess-file. If you set this up - correctly Apache will prompt you for a username and password when - you try to access the directory containing PHP Shell. + Tells you how to install PhpShell. Amoung other things, it + explains how to change the password protection so that you can use + PhpShell. + + Remember that it's very important to have PhpShell password + protected, or else everybody will be able so snoop into your files + and perhaps also be able to delete them! I've already seen one site + that were using PhpShell without password-protection --- I was able + so quickly find their config.inc.php file from phpMyAdmin, and read + the password to the database! So please take the time to protect + PhpShell. COPYING Standard GNU disclaimer --- NEW FILE: phpshell.css --- /* Stylesheet for PhpShell. */ body { font-family: sans-serif; color: black; background: white; } h1 { color: red; background: white; } img { border: 0; } legend { font-weight: bold; } Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- INSTALL 13 Jan 2006 17:23:34 -0000 1.2 +++ INSTALL 13 Jan 2006 17:29:47 -0000 1.3 
@@ -1,58 +1,53 @@ -Installation instructions for PHP Shell -Copyright (C) 2000-2002 Martin Geisler <gim...@gi...> -Licensed under the GNU GPL. See the file COPYING for details. +Installation instructions for PhpShell 1.8 +Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> +Licensed under the GNU GPL. See the file COPYING for details. Getting the tarball ------------------- You can always get the latest version from my homepage: - http://www.gimpster.com/php/phpshell/ + http://www.gimpster.com/wiki/PhpShell Installation ------------ -Installation is easy: just untar the tarball into your webserver, and -then type in the URL of the page phpshell.php. It should look -something like this: - - http://your.server.com/phpshell/phpshell.php +Installation is easy: first unpack the tarball or zipfile into your +webserver. This will create a subdirectory called phpweather-1.8. -Please note, that PHP Shell doesn't work if PHP is running in Safe -Mode. There is nothing I can do about this - Safe Mode was made to -prevent scripts just like PHP Shell. +If you're using PhpShell on an Apache webserver running PHP as a +module, then PhpShell wont work until you've edited phpshell.php. You +can see this when you try and load the file phpshell.php from the +directory just created --- you should get a prompt from your browser +asking you to authenticate you. In the default setup, no username or +password will authenticate you, this what you'll have to change next. +In the phpshell.php file you'll find comments near the top that +explains how to enable access for a username with a password. In +short, you'll simply add the pair as an entry in the $passwd array +like this: -Password-protecting PHP Shell ------------------------------ -This will work, but i STRONGLY urge you to take a look at the file -sample.htaccess. You will be using it to password-protect PHP Shell. 
-To do so, first rename it to .htaccess, and then if you already have a -file with usernames and passwords for Apache, just change the bit -saying <path to auth-file> to the path of you file. + $passwd = array('username' => 'password'); -If you don't have such a file, then creating one is easy. Type the -following as root: +It is important that you password-protect PhpShell with a good +password. If someone is able to guess your password, then they'll +have access to your webserver over the Internet, and they might be +able to erase your files, and perhaps even shutdown the webserver! So +be careful with this and remember that you can always find the usual +disclaimer in the file LICENSE. (This software is licensed under GPL, +I'm not responsible if you blow things up, etc... :-) - $ htpasswd -c /home/httpd/auth_users <username> -This will create the file /home/httpd/auth_users and promt for a -password for the username supplied. If your Apache is installed -somewhere else, then just adjust the path in both the command above -and in the .htaccess-file. -If you need to add extra usernames and passwords, then leave out the --c in the command above. -It is important that you password-protect PHP Shell, or else everybody -will have access to your webserver over the Internet. They will be -able to erase your files, and perhaps even shutdown the webserver! -So be careful with this and remember that you can always find the -usual disclaimer in the file LICENSE. (This software is licensed under -GPL, I'm not responsible if you blow things up, etc... :-) +Safe Mode +--------- +PhpShell doesn't work if PHP is running in Safe Mode. There is +nothing I can do about this --- Safe Mode was made to prevent scripts +just like PhpShell. Bugs? ----- -If you find a bug or miss something in PHP Shell, please don't -hesitate to mail me at <gim...@gi...>! +If you find a bug or miss something in PhpShell, please don't hesitate +to mail me at <gim...@gi...>! Enjoy! 
- Martin Geisler <gim...@gi...> Index: AUTHORS =================================================================== RCS file: /cvsroot/phpshell/phpshell/AUTHORS,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- AUTHORS 13 Jan 2006 17:23:34 -0000 1.3 +++ AUTHORS 13 Jan 2006 17:29:47 -0000 1.4 @@ -11,3 +11,14 @@ Gerry Calderhead <cal...@ev...> Patch for PHP 4.2.0 where register_globals are turned off. + +Jeremy Miller <JM...@ma...> + Suggested that one could use Sudo from + + http://www.courtesan.com/sudo/ + + to let PhpShell execute code with different privileges than the + webserver. + +Michael Zech <ke...@we...> + Patch to make the stderr-checkbox remember it's state. Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- phpshell.php 13 Jan 2006 17:23:34 -0000 1.3 +++ phpshell.php 13 Jan 2006 17:29:47 -0000 1.4 @@ -1,19 +1,17 @@ -<?php - -define('PHPSHELL_VERSION', '1.7'); +<?php // -*- coding: utf-8 -*- /* ************************************************************** - * PHP Shell * + * PhpShell 1.8 * ************************************************************** $Id$ - PHP Shell is aninteractive PHP-page that will execute any command - entered. See the files README and INSTALL or http://www.gimpster.com - for further information. + PhpShell is aninteractive PHP-page that will execute any command + entered. See the files README and INSTALL or + http://www.gimpster.com/wiki/PhpShell for further information. - Copyright (C) 2000-2002 Martin Geisler <gim...@gi...> + Copyright (C) 2000-2003 Martin Geisler <gim...@gi...> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License 
@@ -31,33 +29,75 @@ Place - Suite 330, Boston, MA 02111-1307, USA. */ -?> -<html> +define('PHPSHELL_VERSION', '1.8'); + +/* Set your usernames and passwords like this: + + $passwd = array('username' => 'password'); + + You can add several pairs of usernames and passwords to the array + to give several different people access to PhpShell. + + $passwd = array('username_1' => 'password_1', + 'username_2' => 'password_2', + // ... + 'username_n' => 'password_n'); + +*/ +$passwd = array(); + +if (!isset($_SERVER['PHP_AUTH_USER']) || + !isset($_SERVER['PHP_AUTH_PW']) || + !isset($passwd[$_SERVER['PHP_AUTH_USER']]) || + $passwd[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) { + header('WWW-Authenticate: Basic realm="PhpShell 1.8"'); + header('HTTP/1.0 401 Unauthorized'); + $authenticated = false; +} else { + $authenticated = true; +} + +header('Content-Type: text/html; charset=UTF-8'); +/* Since most installations still operate with short_open_tag enabled, + * we have to echo this string from within PHP: */ +echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n"; +?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> -<title>PHP Shell <?php echo PHPSHELL_VERSION ?></title> + <title>PhpShell <?php echo PHPSHELL_VERSION ?></title> + <link rel="stylesheet" href="phpshell.css" type="text/css" /> </head> <body> -<h1>PHP Shell <?php echo PHPSHELL_VERSION ?></h1> + +<h1>PhpShell <?php echo PHPSHELL_VERSION ?></h1> + +<?php if (!$authenticated) { ?> +<p>You failed to authenticate yourself to PhpShell. You can <a +href="phpshell.php">reload</a> to try again.</p> + +<p>Try reading the <a href="INSTALL">INSTALL</a> file if you're having +problems with installing PhpShell.</p> + +</body> +</html> + +<?php exit; } //' <- fix syntax highlight... 
?> <?php -if (ini_get('register_globals') != '1') { - /* We'll register the variables as globals: */ - if (!empty($HTTP_POST_VARS)) - extract($HTTP_POST_VARS); - - if (!empty($HTTP_GET_VARS)) - extract($HTTP_GET_VARS); +error_reporting (E_ALL); - if (!empty($HTTP_SERVER_VARS)) - extract($HTTP_SERVER_VARS); -} +$work_dir = empty($_REQUEST['work_dir']) ? '' : $_REQUEST['work_dir']; +$command = empty($_REQUEST['command']) ? '' : $_REQUEST['command']; +$stderr = empty($_REQUEST['stderr']) ? '' : $_REQUEST['stderr']; /* First we check if there has been asked for a working directory. */ -if (!empty($work_dir)) { +if ($work_dir != '') { /* A workdir has been asked for */ - if (!empty($command)) { + if ($command != '') { if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { /* We try and match a cd command. */ if ($regs[1][0] == '/') { @@ -68,12 +108,12 @@ if (file_exists($new_dir) && is_dir($new_dir)) { $work_dir = $new_dir; } - unset($command); + $command = ''; } } } -if (file_exists($work_dir) && is_dir($work_dir)) { +if ($work_dir != '' && file_exists($work_dir) && is_dir($work_dir)) { /* We change directory to that dir: */ chdir($work_dir); } 
@@ -83,26 +123,29 @@ ?> -<form name="myform" action="<?php echo $PHP_SELF ?>" method="post"> +<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post"> +<fieldset><legend>Input</legend> <p>Current working directory: <b> <?php $work_dir_splitted = explode('/', substr($work_dir, 1)); -echo '<a href="' . $PHP_SELF . '?work_dir=/">Root</a>/'; +echo '<a href="' . $_SERVER['PHP_SELF'] . '?work_dir=/">Root</a>/'; if (!empty($work_dir_splitted[0])) { $path = ''; for ($i = 0; $i < count($work_dir_splitted); $i++) { $path .= '/' . $work_dir_splitted[$i]; printf('<a href="%s?work_dir=%s">%s</a>/', - $PHP_SELF, urlencode($path), $work_dir_splitted[$i]); + $_SERVER['PHP_SELF'], + urlencode($path), + $work_dir_splitted[$i]); } } ?></b></p> <p>Choose new working directory: -<select name="work_dir" onChange="this.form.submit()"> +<select name="work_dir" onchange="this.form.submit()"> <?php /* Now we make a list of the directories. */ $dir_handle = opendir($work_dir); 
@@ -110,21 +153,21 @@ while ($dir = readdir($dir_handle)) { if (is_dir($dir)) { if ($dir == '.') { - echo "<option value=\"$work_dir\" selected>Current Directory</option>\n"; + echo "<option value=\"$work_dir\" selected=\"selected\">Current Directory</option>\n"; } elseif ($dir == '..') { - /* We have found the parent dir. We must be carefull if the parent - directory is the root directory (/). */ + /* We have found the parent dir. We must be carefull if the + * parent directory is the root directory (/). */ if (strlen($work_dir) == 1) { /* work_dir is only 1 charecter - it can only be / There's no - parent directory then. */ + * parent directory then. */ } elseif (strrpos($work_dir, '/') == 0) { - /* The last / in work_dir were the first charecter. - This means that we have a top-level directory - eg. /bin or /home etc... */ + /* The last / in work_dir were the first charecter. This + * means that we have a top-level directory eg. /bin or /home + * etc... */ echo "<option value=\"/\">Parent Directory</option>\n"; } else { /* We do a little bit of string-manipulation to find the parent - directory... Trust me - it works :-) */ + * directory... Trust me - it works :-) */ echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n"; } } else { 
@@ -142,36 +185,55 @@ </select></p> -<p>Command: <input type="text" name="command" size="60"> -<input name="submit_btn" type="submit" value="Execute Command"></p> +<p>Command: <input type="text" name="command" size="60" /></p> -<p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr"></p> -<textarea cols="80" rows="20" readonly> +<p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr" +<?php if ($stderr) echo "checked=\"checked\""; ?> /> <input name="submit_btn" type="submit" value="Execute Command" /></p> +</fieldset> + +<fieldset><legend>Output</legend> + +<p><textarea cols="80" rows="20" readonly="readonly"> <?php if (!empty($command)) { if ($stderr) { $tmpfile = tempnam('/tmp', 'phpshell'); - $command .= " 1> $tmpfile 2>&1; " . - "cat $tmpfile; rm $tmpfile"; - } else if ($command == 'ls') { + $command .= " 1> $tmpfile 2>&1; cat $tmpfile; rm $tmpfile"; + } elseif ($command == 'ls') { /* ls looks much better with ' -F', IMHO. */ $command .= ' -F'; } - system($command); + echo htmlspecialchars(shell_exec($command), ENT_COMPAT, 'UTF-8'); } ?> +</textarea></p> -</textarea> +</fieldset> </form> -<script language="JavaScript" type="text/javascript"> +<script type="text/javascript"> document.forms[0].command.focus(); </script> -<hr> -<i>Copyright © 2000–2002, <a +<hr /> + +<address>Copyright © 2000–2003, <a href="mailto:gim...@gi...">Martin Geisler</a>. Get the latest -version at <a href="http://www.gimpster.com">www.gimpster.com</a>.</i> +version at <a +href="http://www.gimpster.com/">www.gimpster.com/wiki/PhpShell</a>.</address> + +<p> + <a href="http://validator.w3.org/check/referer"> + <img src="valid-xhtml10" alt="Valid XHTML 1.0 Strict!" + height="31" width="88" /> + </a> + <a href="http://jigsaw.w3.org/css-validator/check/referer"> + <img src="http://jigsaw.w3.org/css-validator/images/vcss" + width="88" height="31" + alt="Valid CSS!" 
/> + </a> +</p> + </body> </html> --- NEW FILE: valid-xhtml10.png --- (This appears to be a binary file; contents omitted.) |
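Review bot: In the directory dropdown hunk of phpshell.php (@@ -110,21 +153,21 @@), the option values are still written from `$work_dir` without escaping, as in `echo "<option value=\"$work_dir\" selected=\"selected\">Current Directory</option>\n";`, so a directory name containing a double quote or `<` ends the attribute early and is rendered as markup. The later hunk in this same patch already passes command output through `htmlspecialchars(..., ENT_COMPAT, 'UTF-8')`; applying the same call to every value and label emitted in this loop, including the `strrev(substr(strstr(...)))` parent path, would make the escaping consistent.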
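Review bot: In the output hunk of phpshell.php (@@ -142,36 +185,55 @@), the stderr branch still routes output through a temp file (`$command .= " 1> $tmpfile 2>&1; cat $tmpfile; rm $tmpfile";`) although the call is now `shell_exec()`, which returns the command's standard output as a string. Appending only ` 2>&1` would merge stderr into what is captured and removes both the unchecked `tempnam()` result and the file left behind in /tmp when the trailing `rm` never runs. If the temp file is kept deliberately, a comment saying why would help.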
From: Martin G. <mge...@us...> - 2006-01-13 17:23:49
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19452 Modified Files: AUTHORS ChangeLog INSTALL README phpshell.php Log Message: Imported PHP Shell version 1.7. Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- phpshell.php 13 Jan 2006 17:11:37 -0000 1.2 +++ phpshell.php 13 Jan 2006 17:23:34 -0000 1.3 @@ -1,6 +1,6 @@ <?php -define('PHPSHELL_VERSION', '1.6'); +define('PHPSHELL_VERSION', '1.7'); /* @@ -9,9 +9,10 @@ ************************************************************** $Id$ - An interactive PHP-page that will execute any command entered. - See the files README and INSTALL or http://www.gimpster.com for - further information. + PHP Shell is aninteractive PHP-page that will execute any command + entered. See the files README and INSTALL or http://www.gimpster.com + for further information. + Copyright (C) 2000-2002 Martin Geisler <gim...@gi...> This program is free software; you can redistribute it and/or 
@@ -40,15 +41,29 @@ <h1>PHP Shell <?php echo PHPSHELL_VERSION ?></h1> <?php + +if (ini_get('register_globals') != '1') { + /* We'll register the variables as globals: */ + if (!empty($HTTP_POST_VARS)) + extract($HTTP_POST_VARS); + + if (!empty($HTTP_GET_VARS)) + extract($HTTP_GET_VARS); + + if (!empty($HTTP_SERVER_VARS)) + extract($HTTP_SERVER_VARS); +} + /* First we check if there has been asked for a working directory. */ if (!empty($work_dir)) { /* A workdir has been asked for */ if (!empty($command)) { if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { + /* We try and match a cd command. */ if ($regs[1][0] == '/') { - $new_dir = $regs[1]; + $new_dir = $regs[1]; // 'cd /something/...' } else { - $new_dir = $work_dir . '/' . $regs[1]; + $new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...' } if (file_exists($new_dir) && is_dir($new_dir)) { $work_dir = $new_dir; 
@@ -58,31 +73,33 @@ } } -/* we chdir to that dir. */ if (file_exists($work_dir) && is_dir($work_dir)) { + /* We change directory to that dir: */ chdir($work_dir); - $work_dir = exec("pwd"); -} else { - /* No work_dir - we chdir to $DOCUMENT_ROOT */ - chdir($DOCUMENT_ROOT); - $work_dir = $DOCUMENT_ROOT; } + +/* We now update $work_dir to avoid things like '/foo/../bar': */ +$work_dir = exec('pwd'); + ?> <form name="myform" action="<?php echo $PHP_SELF ?>" method="post"> <p>Current working directory: <b> <?php -$work_dir_splitted = explode("/", substr($work_dir, 1)); -echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "/&command=" . urlencode($command) . "\">Root</a>/"; -if ($work_dir_splitted[0] == "") { - $work_dir = "/"; /* Root directory. */ -} else { + +$work_dir_splitted = explode('/', substr($work_dir, 1)); + +echo '<a href="' . $PHP_SELF . '?work_dir=/">Root</a>/'; + +if (!empty($work_dir_splitted[0])) { + $path = ''; for ($i = 0; $i < count($work_dir_splitted); $i++) { - /* echo "i = $i";*/ - $url .= "/".$work_dir_splitted[$i]; - echo "<a href=\"$PHP_SELF?work_dir=" . urlencode($url) . "&command=" . urlencode($command) . "\">$work_dir_splitted[$i]</a>/"; + $path .= '/' . $work_dir_splitted[$i]; + printf('<a href="%s?work_dir=%s">%s</a>/', + $PHP_SELF, urlencode($path), $work_dir_splitted[$i]); } } + ?></b></p> <p>Choose new working directory: <select name="work_dir" onChange="this.form.submit()"> 
@@ -92,15 +109,15 @@ /* Run through all the files and directories to find the dirs. */ while ($dir = readdir($dir_handle)) { if (is_dir($dir)) { - if ($dir == ".") { + if ($dir == '.') { echo "<option value=\"$work_dir\" selected>Current Directory</option>\n"; - } elseif ($dir == "..") { + } elseif ($dir == '..') { /* We have found the parent dir. We must be carefull if the parent directory is the root directory (/). */ if (strlen($work_dir) == 1) { /* work_dir is only 1 charecter - it can only be / There's no parent directory then. */ - } elseif (strrpos($work_dir, "/") == 0) { + } elseif (strrpos($work_dir, '/') == 0) { /* The last / in work_dir were the first charecter. This means that we have a top-level directory eg. /bin or /home etc... */ @@ -111,7 +128,7 @@ echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n"; } } else { - if ($work_dir == "/") { + if ($work_dir == '/') { echo "<option value=\"$work_dir$dir\">$dir</option>\n"; } else { echo "<option value=\"$work_dir/$dir\">$dir</option>\n"; @@ -120,6 +137,7 @@ } } closedir($dir_handle); + ?> </select></p> @@ -152,7 +170,7 @@ </script> <hr> -<i>Copyright © 2000-2002, <a +<i>Copyright © 2000–2002, <a href="mailto:gim...@gi...">Martin Geisler</a>. Get the latest version at <a href="http://www.gimpster.com">www.gimpster.com</a>.</i> </body> Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- README 13 Jan 2006 17:11:37 -0000 1.2 +++ README 13 Jan 2006 17:23:34 -0000 1.3 
@@ -1,11 +1,11 @@ -README for PHP Shell 1.6 -Copyright (C) 2000 Martin Geisler <gim...@gi...> +README for PHP Shell 1.7 +Copyright (C) 2000-2002 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. What is PHP Shell? ------------------ PHP Shell is a shell wrapped in a PHP script. It's a tool you can use -to execute arbiritary shell-commands or browse the filesystem on your +to execute arbitrary shell-commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet-connection. You can use it for transferring your site as a compressed file, and then unpack it on the webserver, administration and maintenance of @@ -28,6 +28,21 @@ though :-) +Safe Mode +--------- +If PHP is running in Safe Mode, then you cannot use PHP Shell - sorry. +Safe Mode restricts the commands that can be executed using the +system() call in PHP, and it also restricts the files and directories +that can be accessed using other calls in PHP. + +The effect is, that PHP Shell simply doesn't work - you cannot change +directory and you cannot execute any commands. + +Safe Mode is often used on servers that host several websites for +different users to limit the users ability to peek at each others +files. + + Who am I? --------- (Well, my name is Martin, but that's not the point :-) @@ -73,7 +88,7 @@ The current working directory: This is the directory where all command are being executed. You can use the dropdown-box to choose a new working directory. To quickly - jump towards the root of the filesystem, just click on + jump toward the root of the filesystem, just click on one of the links to jump to that directory. The Output 
@@ -109,16 +124,16 @@ and the nature of the feature/bugfix. README - (This file:-) + This file :-) INSTALL Tells you how to install PHP Shell. It explains how you can password-protect PHP Shell - this is very important, or else everybody will be able so snoop into your files and perhaps also be - able to delete them! I've already seem one site that were using PHP - Shell without password-protection, I was able so quickly find their - config.inc.php-file from phpMyAdmin, and read the password to the - database! So please take the time to password-protect PHP Shell. + able to delete them! I've already seen one site that were using PHP + Shell without password-protection - I was able so quickly find their + config.inc.php file from phpMyAdmin, and read the password to the + database! So please take the time to protect PHP Shell. sample.htaccess To make it extra easy for you to password-protect PHP Shell, I've @@ -127,4 +142,4 @@ you try to access the directory containing PHP Shell. COPYING - Standard GNU disclamer \ No newline at end of file + Standard GNU disclaimer Index: AUTHORS =================================================================== RCS file: /cvsroot/phpshell/phpshell/AUTHORS,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- AUTHORS 13 Jan 2006 17:11:37 -0000 1.2 +++ AUTHORS 13 Jan 2006 17:23:34 -0000 1.3 @@ -8,3 +8,6 @@ Robert Niess <st...@i-...> Made me aware of a security hole in the handling of stderr-trapping. + +Gerry Calderhead <cal...@ev...> + Patch for PHP 4.2.0 where register_globals are turned off. Index: INSTALL =================================================================== RCS file: /cvsroot/phpshell/phpshell/INSTALL,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- INSTALL 13 Jan 2006 16:58:45 -0000 1.1 +++ INSTALL 13 Jan 2006 17:23:34 -0000 1.2 
@@ -1,10 +1,13 @@ Installation instructions for PHP Shell -Copyright (C) 2000 Martin Geisler <gim...@gi...> +Copyright (C) 2000-2002 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. + Getting the tarball ------------------- -You can always get the latest version from www.gimpster.com. +You can always get the latest version from my homepage: + + http://www.gimpster.com/php/phpshell/ Installation @@ -12,7 +15,12 @@ Installation is easy: just untar the tarball into your webserver, and then type in the URL of the page phpshell.php. It should look something like this: -http://your.server.com/phpshell/phpshell.php + + http://your.server.com/phpshell/phpshell.php + +Please note, that PHP Shell doesn't work if PHP is running in Safe +Mode. There is nothing I can do about this - Safe Mode was made to +prevent scripts just like PHP Shell. Password-protecting PHP Shell @@ -26,7 +34,7 @@ If you don't have such a file, then creating one is easy. Type the following as root: -$ htpasswd -c /home/httpd/auth_users <username> + $ htpasswd -c /home/httpd/auth_users <username> This will create the file /home/httpd/auth_users and promt for a password for the username supplied. If your Apache is installed 
@@ -41,11 +49,10 @@ usual disclaimer in the file LICENSE. (This software is licensed under GPL, I'm not responsible if you blow things up, etc... :-) + Bugs? ----- If you find a bug or miss something in PHP Shell, please don't -hesitate to mail me at <gim...@gi...>! It has only been -tested for a very short time, so there might be some quirks in odd -situations. +hesitate to mail me at <gim...@gi...>! -Enjoy! - Martin Geisler <gim...@gi...> \ No newline at end of file +Enjoy! - Martin Geisler <gim...@gi...> Index: ChangeLog =================================================================== RCS file: /cvsroot/phpshell/phpshell/ChangeLog,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- ChangeLog 13 Jan 2006 17:11:37 -0000 1.2 +++ ChangeLog 13 Jan 2006 17:23:34 -0000 1.3 @@ -1,5 +1,25 @@ +2002-09-18 Martin Geisler <gim...@gi...> + + * phpshell.php 1.18: + Use the directory of phpshell.php as the default working directory. + + * AUTHORS 1.3: Added Gerry Calderhead <cal...@ev...>. + + * phpshell.php 1.17: + PHP Shell now works on PHP 4.2.0 with register_globals turned off. + +2002-06-10 Martin Geisler <gim...@gi...> + + * INSTALL 1.3: Added a section about Safe Mode in PHP. + + * README 1.9: + Added a section about Safe Mode in PHP. Also fixed a lot of spelling + errors. + 2002-03-23 Martin Geisler <gim...@gi...> + * README 1.8: Added a version number to the file. + * AUTHORS 1.2: Added a notice about Robert Niess <st...@i-...>. * phpshell.php 1.16: |
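Review bot: In the register_globals fallback added to phpshell.php (@@ -40,15 +41,29 @@), `extract($HTTP_POST_VARS)` and `extract($HTTP_GET_VARS)` let a request define any variable in the script's scope, not only the ones the form submits. The code shown reads just `work_dir`, `command` and `stderr` from the request and `PHP_SELF` from the server array, so copying those keys explicitly would keep request data from pre-setting internals such as `$regs`, `$new_dir` or `$dir_handle`.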
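Review bot: In the breadcrumb rewrite in phpshell.php (@@ -58,31 +73,33 @@), the new `printf()` URL-encodes `$path` for the href but prints `$work_dir_splitted[$i]` as link text unescaped, and `$PHP_SELF` goes into both the href and the form `action` raw. Passing these through `htmlspecialchars()` before output would stop a directory name or request path containing markup from being rendered as HTML. The new links also drop the `&command=` parameter the old ones carried; if that is intended, it deserves a ChangeLog line.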
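Review bot: The reworded header comment in phpshell.php (@@ -9,9 +9,10 @@) now reads "PHP Shell is aninteractive PHP-page"; the space in "an interactive" was lost. The same hunk also adds a blank line before the copyright line that leaves the comment block with two different paragraph spacings, which could be tidied in the same pass.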
From: Martin G. <mge...@us...> - 2006-01-13 17:11:49
|
Update of /cvsroot/phpshell/phpshell In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv15145 Modified Files: AUTHORS ChangeLog README phpshell.php Log Message: Imported PHP Shell version 1.6. Index: phpshell.php =================================================================== RCS file: /cvsroot/phpshell/phpshell/phpshell.php,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- phpshell.php 13 Jan 2006 16:58:45 -0000 1.1 +++ phpshell.php 13 Jan 2006 17:11:37 -0000 1.2 @@ -1,6 +1,6 @@ <?php -define('PHPSHELL_VERSION', '1.5'); +define('PHPSHELL_VERSION', '1.6'); /* @@ -133,8 +133,9 @@ <?php if (!empty($command)) { if ($stderr) { - $command .= " 1> /tmp/output.txt 2>&1; " . - "cat /tmp/output.txt; rm /tmp/output.txt"; + $tmpfile = tempnam('/tmp', 'phpshell'); + $command .= " 1> $tmpfile 2>&1; " . + "cat $tmpfile; rm $tmpfile"; } else if ($command == 'ls') { /* ls looks much better with ' -F', IMHO. */ $command .= ' -F'; Index: README =================================================================== RCS file: /cvsroot/phpshell/phpshell/README,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- README 13 Jan 2006 16:58:45 -0000 1.1 +++ README 13 Jan 2006 17:11:37 -0000 1.2 @@ -1,4 +1,4 @@ -README for PHP Shell +README for PHP Shell 1.6 Copyright (C) 2000 Martin Geisler <gim...@gi...> Licensed under the GNU GPL. See the file COPYING for details. Index: AUTHORS =================================================================== RCS file: /cvsroot/phpshell/phpshell/AUTHORS,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- AUTHORS 13 Jan 2006 16:58:45 -0000 1.1 +++ AUTHORS 13 Jan 2006 17:11:37 -0000 1.2 
@@ -5,3 +5,6 @@ ri...@jo... Fixed a problem the list of directories, if one accessed the root-directory. + +Robert Niess <st...@i-...> + Made me aware of a security hole in the handling of stderr-trapping. Index: ChangeLog =================================================================== RCS file: /cvsroot/phpshell/phpshell/ChangeLog,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- ChangeLog 13 Jan 2006 16:58:45 -0000 1.1 +++ ChangeLog 13 Jan 2006 17:11:37 -0000 1.2 
@@ -0,0 +1,94 @@ +2002-03-23 Martin Geisler <gim...@gi...> + + * AUTHORS 1.2: Added a notice about Robert Niess <st...@i-...>. + + * phpshell.php 1.16: + Added a PHPSHELL_VERSION constant. Also, when using stderr-trapping, + we now use a unique filename as returned by tempnam() - Robert Niess + <st...@i-...> made me aware of this, thanks. + + * phpshell.php 1.15: Small changes in the layout. + + * phpshell.php 1.14: + Updated copyright statements - they were getting quite old :-) + + * README 1.7: + Added a tip from Jeremy Miller <JM...@ma...> about how to + use PHP Shell together with Sudo to execute code as another user. + +2001-12-10 Martin Geisler <gim...@gi...> + + * phpshell.php 1.13: + I found out that 'ls -F' produced better output than 'ls -p'. + + * README 1.6: Told people about the rewriting of 'ls' into 'ls -F' + + * phpshell.php 1.12: + You can now travel through the filesystem by using the normal 'cd' + command. If your command involves 'cd', it will be intercepted and the + current working directory will be changed accordingly. + + * README 1.5: Updated the documentation a bit. + +2001-02-11 Martin Geisler <gim...@gi...> + + * phpshell.php 1.11: + Another suggestion from Thomas Langen <la...@la...>: some + people can't use the .php extension, so now the script uses $PHP_SELF + instead. + + * phpshell.php 1.10: + Expanded all PHP start-tags (<?) to <?php, as suggested by Thomas + Langen <la...@la...>. + +2000-11-20 Martin Geisler <gim...@gi...> + + * AUTHORS 1.1: New file. + + * phpshell.php 1.9: + Applied a patch from ri...@jo... which fixed a problem with + accessing the root-directory. + +2000-09-24 Martin Geisler <gim...@gi...> + + * phpshell.php 1.8: Removed a debug-comment. + +2000-09-09 Martin Geisler <gim...@gi...> + + * README 1.4: Expanded the brief explanation at the top. + + * README 1.3: Ups, I forgot to make a description of sample.htaccess. + + * README 1.2: + Added a description of all the files found in the tarball. 
+ + * INSTALL 1.2: Made BUGS lowercase. + + * sample.htaccess 1.1, INSTALL 1.1, README 1.1: New file. + + * phpshell.php 1.7: + Removed 'Martin Geisler' from the title, putting my name on the bottom + of the page ought to be enough :-) + +2000-08-06 Martin Geisler <gim...@gi...> + + * phpshell.php 1.6: + Added a link to gimpster.com at the bottom of the page + +2000-08-05 Martin Geisler <gim...@gi...> + + * phpshell.php 1.5: + Removed references to php3 - I now use php4 so all my files end with + just a '.php' + +2000-06-21 Martin Geisler <gim...@gi...> + + * phpshell.php 1.4: + Fix - there were still references to the old name: shell.php3. + + * phpshell.php 1.3: Workaround for stderr-trapping. Seams to work... + + * phpshell.php 1.2: Initial commit + + * phpshell.php 1.1: New file. + |
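Review bot: In the stderr-trapping fix in phpshell.php (@@ -133,8 +133,9 @@), the result of `tempnam('/tmp', 'phpshell')` is used without checking for failure and is interpolated into the shell command unquoted. If `tempnam()` returns false, `$tmpfile` expands to an empty string and the redirection, `cat` and `rm` all lose their argument, so a guard on the return value plus `escapeshellarg($tmpfile)` would make the appended command robust. The ChangeLog credits the report, but a one-line comment at this spot on why a unique name replaces /tmp/output.txt would help the next reader.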