From: Adrian S. <sp...@ya...> - 2009-06-16 20:12:25
Hello there,

I find phpshell a useful thing, but I want to make 2 modifications to it:

1) Because I want to integrate it in my site, I would want to go directly to the shell without having to go through the login part. This is like annoying sometimes.

2) When I connect with any user (root, demo, etc., doesn't matter) I am actually logged in as www-data (none or nobody in other Apache). This is a major drawback because what I really want is, when I login with a user (suppose that it exists in the system), to have that user's privileges (when I login with root I should have root privileges, when I login with demo, for example, I should have limited privileges).

Can you help me in doing these things (propose a solution or suggest one)?

Regards,
Adi

From: SourceForge.net <no...@so...> - 2009-05-30 14:37:46
Feature Requests item #1670845, was opened at 2007-02-28 08:42
Message generated for change (Comment added) made by secureideas
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1670845&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface Improvements
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: IP Filtering

Initial Comment:
Ok, first, thanks for this clear programme. I've tested some more complex ones, and this one is the most intuitive. But I saw in those other PHP shells the following feature and I think it won't hurt to add it to your work. In addition to the basic authentication, the page could filter the IP, forbidding access from unknown places.

Excuse my poor English, and keep up your work!

----------------------------------------------------------------------

Comment By: Kevin Johnson (secureideas)
Date: 2009-05-30 10:37

Message:
I have a patch to add this feature and will be submitting it in the next few days.

----------------------------------------------------------------------

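One way the requested check could look, as an added example; it is not the patch mentioned in the comment above and not PHP Shell's code. ip_in_cidr(), client_allowed() and the $allowed list are hypothetical names, and the addresses are constructed documentation ranges.

```php
<?php
// Added example: deny-by-default source-address filter to run before the
// login form is processed. All names and addresses here are hypothetical.

/** True if $ip lies inside $cidr ("192.0.2.0/24", "2001:db8::/32" or a bare address). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;
    if ($bits === null) {
        $bits = $max;                       // bare address means exact match
    } elseif (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                       // "/abc" must not silently become /0
    } else {
        $bits = (int) $bits;
    }
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;    // compare the partial byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** True only if $remoteAddr matches at least one allowlist entry. */
function client_allowed(string $remoteAddr, array $allowed): bool
{
    foreach ($allowed as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;                           // empty list or no match: deny
}

// Constructed allowlist and client addresses.
$allowed = ['192.0.2.0/24', '2001:db8:10::/48', '198.51.100.7'];
$clients = ['192.0.2.55', '192.0.3.1', '198.51.100.7', '198.51.100.8',
            '2001:db8:10::1', '2001:db8:11::1', 'not-an-ip'];

foreach ($clients as $addr) {
    printf("%-16s %s\n", $addr, client_allowed($addr, $allowed) ? 'allow' : 'deny');
}

// In the page itself the check would use the socket peer address, never a
// client-supplied header such as X-Forwarded-For:
//   if (!client_allowed($_SERVER['REMOTE_ADDR'] ?? '', $allowed)) {
//       http_response_code(403);
//       exit;
//   }
```

The filter complements the password check rather than replacing it, and behind a reverse proxy REMOTE_ADDR is the proxy's address, so the filtering then belongs on the proxy.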
From: SourceForge.net <no...@so...> - 2009-05-30 14:36:17
Bugs item #2011582, was opened at 2008-07-06 02:43
Message generated for change (Comment added) made by secureideas
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800587&aid=2011582&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Passwords?

Initial Comment:
I had the same problem with phpterm. After logging in, I get the terminal window.

<code>
$ sudo su
[sudo] password for www-data:
$
</code>

Question 1: What is www-data? No such user exists.
Question 2: How do I enter a password if it echoes [sudo]... then goes straight to $?

Thanks in advance!
-Excited potential user

----------------------------------------------------------------------

Comment By: Kevin Johnson (secureideas)
Date: 2009-05-30 10:36

Message:
PHPShell cannot run interactive commands. Sudo requires the user to enter a password so it is interactive.

As to www-data, it is the user your web server is running as.

Kevin

----------------------------------------------------------------------

From: ArcyQwerty <arc...@ar...> - 2009-05-11 20:34:10
Thanks I just figured it out

    $p = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io, getcwd());

The proc_open command can take a parameter with the current directory which is then passed onto the executed program

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Monday, May 11, 2009 4:02 PM
Subject: Re: Fw: Fw: PHP Shell

That (dir still showing the unchanged path) may have something to do with "cd" being an internal command of PHP Shell. As far as I know you do not really change to the directory but just tell PHP Shell where you want the next command to be executed. That is because the connection to PHP / the web server is not persistent (every command you submit via PHP Shell will start a new task which does not know how the one before finished his work).

ArcyQwerty wrote on 11.05.2009 at 21:54:

After some experimentation, changing $_SESSION['cwd'] to chdir() and getcwd() depending on what I need seems to work out
It will now recognize the current directory but commands like 'dir' still give me the system32 (probably has something to do with cmd.exe being in system32)

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Monday, May 11, 2009 2:52 PM
Subject: Re: Fw: Fw: PHP Shell

I'm sorry but I do not have a clue what the problem might be caused by, so I will not be able to help you... sorry for that!

Actually I am just subscribed to this list because I once used PHP Shell... but that was some years ago...

I hope there's anybody else reading this who is more familiar with PHP Shell and/or Windows Servers and who is able to help you! Good luck with that!

ArcyQwerty wrote on 11.05.2009 at 20:35:

Yes I am still subscribed ;)
I have tried different methods such as

cd /
cd ..
cd ../
cd C:\
cd C:
cd C:/

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Sunday, May 10, 2009 4:37 PM
Subject: Re: Fw: PHP Shell

OK. Well then the problem must be caused by something else.

I guess you tried using "cd .." several times instead of cd "C:\" to make sure it's not just a "syntax" problem?

If you tried so without success, I hope Martin Geisler (the author of PHP Shell) can help you with that (as I do not have a clue what the problem might be caused by).

@Martin Geisler
I guess you are still subscribed to this mailing list?

ArcyQwerty wrote on 10.05.2009 at 22:08:

I am fairly sure that it has the ability to use the rights of the logged in user as the system32 directory is strictly off limits to the 'public' account

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Sunday, May 10, 2009 2:55 PM
Subject: Re: PHP Shell

I do not know if these Windows Web Servers access anything that the user they are running as is able to access, but if you run an Apache server you usually tell the server that he's not allowed to access files which are not in a special "public" folder. So if you run Apache with Linux as root (you normally will not do that) and tell him not to access files which are not in /var/www/ (for example) or its subfolders, it is not able to change to / (which is usually similar to C:\) (even though root is able to access any files).

As far as I know, PHP Shell is not able to access all the files that the user is able to access but just those the Web Server allows it to access (unlike a normal ssh etc.).

Or did I just misunderstand your question?

ArcyQwerty wrote on 10.05.2009 at 19:28:

If I start with homedir as C:\

Current Working Directory: C:\

$ cd ./inetpub

Current Working Directory: C:\/./inetpub

$ ls

[list of files in C:\windows\system32 shows up]

C:\ and all directories under it are accessible by the authenticated user running PHP shell (running as admin by NTLM authentication)

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Sunday, May 10, 2009 10:48 AM
Subject: Re: PHP Shell

Did you try whether "cd .." works or not?
And is C:\ accessible for PHP? [inside DocumentRoot for Apache Servers]
I never tried using PHP Shell on a Windows Server... but that of course does not mean it will not work...

ArcyQwerty wrote on 10.05.2009 at 15:51:

I have installed phpshell 2.1 according to the INSTALL file and have successfully created a user and run it
It is currently running on Windows Server 2003 R2 and IIS 6
However, I cannot use the cd command to change directory:

$ cd C:\
chdir() [<a href='function.chdir'>function.chdir</a>]: No error (errno 0)
cd: could not change to: C:\/C:\

PHP is not in safemode and the process running PHP Shell is running as a domain admin (authenticated through NTLM)

_______________________________________________
phpshell-devel mailing list
php...@li...
https://lists.sourceforge.net/lists/listinfo/phpshell-devel

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63

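An added example (not PHP Shell's code and not the poster's change) of what this thread arrives at: the working directory is the only state carried between requests, each cd is resolved against it without appending absolute paths (the concatenation visible in the C:\/C:\ message), and the result is handed to proc_open as its fourth argument. is_absolute_path(), resolve_cd(), run_in_cwd() and the $session array (standing in for $_SESSION) are hypothetical names; the demo directory is constructed.

```php
<?php
// Added example; all function names are hypothetical.

/** True if $path must not be appended to the stored working directory. */
function is_absolute_path(string $path): bool
{
    if ($path === '') {
        return false;
    }
    if (DIRECTORY_SEPARATOR === '\\') {
        // Windows: "\dir", "/dir", "\\server\share" and "C:..." forms.
        return $path[0] === '\\' || $path[0] === '/'
            || preg_match('/^[A-Za-z]:/', $path) === 1;
    }
    return $path[0] === '/';
}

/** Resolve a cd argument; returns the canonical directory or null. */
function resolve_cd(string $cwd, string $arg): ?string
{
    $arg = trim($arg);
    if ($arg === '') {
        return $cwd;
    }
    $candidate = is_absolute_path($arg) ? $arg : $cwd . DIRECTORY_SEPARATOR . $arg;
    $real = realpath($candidate);   // collapses "./", "../", mixed separators
    return ($real !== false && is_dir($real)) ? $real : null;
}

/** Run one command with $cwd as the child's working directory. */
function run_in_cwd(string $command, string $cwd): array
{
    // Only stdout and stderr are piped, as in the call quoted above; no
    // stdin pipe is opened, so the child cannot be fed interactive input.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($command, $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        return ['stdout' => '', 'stderr' => 'proc_open failed', 'exit' => -1];
    }
    // Sequential reads are fine for short output; a command that fills
    // stderr while stdout is being read would need interleaved reads.
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['stdout' => $out, 'stderr' => $err, 'exit' => proc_close($proc)];
}

// Constructed demo: three "requests" that share nothing but the stored cwd.
$session = ['cwd' => realpath(sys_get_temp_dir())];
$demoDir = $session['cwd'] . DIRECTORY_SEPARATOR . 'phpshell_cd_demo';
if (!is_dir($demoDir)) {
    mkdir($demoDir);
}
$printCwd = DIRECTORY_SEPARATOR === '\\' ? 'cd' : 'pwd';

// Relative path, then an absolute path, then a directory that does not exist.
foreach (['./phpshell_cd_demo', $session['cwd'], 'no_such_dir_here'] as $arg) {
    $target = resolve_cd($session['cwd'], $arg);
    if ($target === null) {
        echo "cd: could not change to: $arg", PHP_EOL;
        continue;
    }
    $session['cwd'] = $target;      // the only state that survives the request
    $result = run_in_cwd($printCwd, $session['cwd']);
    echo trim($result['stdout']), PHP_EOL;
}
rmdir($demoDir);
```

The child runs with the web server's identity whatever directory is passed, so the fourth argument changes where a command runs, not what it is allowed to touch.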
From: Tobias U. <ma...@to...> - 2009-05-11 20:02:11
That (dir still showing the unchanged path) may have something to do with "cd" being an internal command of PHP Shell. As far as I know you do not really change to the directory but just tell PHP Shell where you want the next command to be executed. That is because the connection to PHP / the web server is not persistent (every command you submit via PHP Shell will start a new task which does not know how the one before finished his work).

ArcyQwerty wrote on 11.05.2009 at 21:54:
> After some experimentation, changing $_SESSION['cwd'] to chdir() and
> getcwd() depending on what I need seems to work out
> It will now recognize the current directory but commands like 'dir'
> still give me the system32 (probably has something to do with cmd.exe
> being in system32)

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63

From: ArcyQwerty <arc...@ar...> - 2009-05-11 19:55:05
After some experimentation, changing $_SESSION['cwd'] to chdir() and getcwd() depending on what I need seems to work out
It will now recognize the current directory but commands like 'dir' still give me the system32 (probably has something to do with cmd.exe being in system32)

From: SourceForge.net <no...@so...> - 2009-05-11 19:29:23
Feature Requests item #1479450, was opened at 2006-04-30 15:15 Message generated for change (Comment added) made by arcyqwerty You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1479450&group_id=156638 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Interface Improvements Group: None Status: Open Priority: 5 Private: No Submitted By: Martin Geisler (mgeisler) Assigned to: Nobody/Anonymous (nobody) Summary: Add clear button Initial Comment: The button should clear the screen. Having 'clear' as a new built-in command for this would also be nice. ---------------------------------------------------------------------- Comment By: ArcyQwerty (arcyqwerty) Date: 2009-05-11 15:29 Message: I also made a clear command for UNIX 'clear' and windows 'cls' if (($command == "cls") || ($command == "cls\n") || ($command == "clear") || ($command == "clear\n")) $_SESSION['output'] = ""; insert right before this $p = proc_open($command, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); ---------------------------------------------------------------------- Comment By: krelvinaz (krelvinaz) Date: 2008-06-29 13:25 Message: Logged In: YES user_id=1358733 Originator: NO Adding a clear history command was easy.... Add a Clear History button and have the code check if it isset and clear the session info it looks for... The diff for it is below. I made other changes so the line numbers might be off a bit. 363,370c364,366 < // Added Look for CLEAR to clear screen < if(isset($_POST['CLEAR'])) { < $_SESSION['output'] = ""; < } else { < $lines = substr_count($_SESSION['output'], "\n"); < $padding = str_repeat("\n", max(0, $rows+1 - $lines)); < echo rtrim($padding . 
$_SESSION['output']); < } --- > $lines = substr_count($_SESSION['output'], "\n"); > $padding = str_repeat("\n", max(0, $rows+1 - $lines)); > echo rtrim($padding . $_SESSION['output']); 385,389c381,382 < <input type="submit" value="Execute Command"> < <input type="submit" name="CLEAR" value="Clear History"> < <input type="submit" name="logout" value="Logout"> < < --- > <input type="submit" value="Execute Command"> > <input type="submit" name="logout" value="Logout"> ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1479450&group_id=156638 |
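Review bot: in hunk 363,370c364,366 the CLEAR branch empties $_SESSION['output'] but skips the padding and echo entirely, so the request that clears the history renders the output area without the $rows+1 padding lines that every other request gets. Clear first and then fall through to the existing three lines unconditionally, for example "if (isset($_POST['CLEAR'])) { $_SESSION['output'] = ""; }" placed ahead of the "$lines = ..." line. The diff is also reversed: the added lines carry '<' and the original lines '>', so it was produced with the modified file as the first argument and needs "patch -R", or regenerating as "diff old new", before it applies as intended.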
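Review bot: in hunk 385,389c381,382 the new "Clear History" control is a second submit input beside "Execute Command", so a click on it also posts whatever is currently in the command field, and nothing in the visible lines stops that command from running on the same request. The handler should test isset($_POST['CLEAR']) before the command is executed and skip execution in that case. The two trailing empty '<' lines are stray whitespace and can be dropped.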
From: Tobias U. <ma...@to...> - 2009-05-11 18:52:23
|
I'm sorry but I do not have a clue what the problem might be caused by, so I will not be able to help you... sorry for that!

Actually I am just subscribed to this list because I once used PHP Shell... but that was some years ago...

I hope there's anybody else reading this who is more familiar with PHP Shell and/or Windows Servers and who is able to help you!

Good luck with that!

ArcyQwerty wrote on 11.05.2009 at 20:35:
> Yes I am still subscribed ;)
> I have tried different methods such as
>
> cd /
> cd ..
> cd ../
> cd C:\
> cd C:
> cd C:/

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63 |
From: ArcyQwerty <arc...@ar...> - 2009-05-11 18:35:30
|
Yes I am still subscribed ;)
I have tried different methods such as

cd /
cd ..
cd ../
cd C:\
cd C:
cd C:/

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Sunday, May 10, 2009 4:37 PM
Subject: Re: Fw: PHP Shell

OK. Well then the problem must be caused by something else.

I guess you tried using "cd .." several times instead of cd "C:\" to make sure it's not just a "syntax" problem?

If you tried so without success, I hope Martin Geisler (the author of PHP Shell) can help you with that (as I do not have a clue what the problem might be caused by).

@Martin Geisler
I guess you are still subscribed to this mailing list? |
From: Tobias U. <ma...@to...> - 2009-05-11 09:17:08
|
Ok, I thought you would still be the project's administrator. Thank you for this information.

Martin Geisler wrote on 11.05.2009 at 00:14:
> Tobias Unger <ma...@to...> writes:
>
>> OK. Well then the problem must be caused by something else.
>>
>> I guess you tried using "cd .." several times instead of cd "C:\" to
>> make sure it's not just a "syntax" problem?
>>
>> If you tried so without success, I hope Martin Geisler (the author of
>> PHP Shell) can help you with that (as I do not have a clue what the
>> problem might be caused by).
>>
>> @Martin Geisler
>> I guess you are still subscribed to this mailing list?
>
> Yeah, but I haven't used PHP Shell in years and I'm no longer the
> maintainer...
>
> Looking at the code I see that it's very Unix-centric :-( It does
>
>   if ($regs[1]{0} == '/') {
>       /* Absolute path, we use it unchanged. */
>       $new_dir = $regs[1];
>   } else {
>       /* Relative path, we append it to the current working
>        * directory. */
>       $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
>   }
>
> where $regs[1] would be "C:\" in the example above. So it's no wonder
> that it doesn't work very well on Windows.
>
> I hope the new administrator can look at it:
>
>   http://sourceforge.net/forum/forum.php?forum_id=935673

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63 |
From: Martin G. <mge...@mg...> - 2009-05-10 22:15:11
|
Tobias Unger <ma...@to...> writes:

> OK. Well then the problem must be caused by something else.
>
> I guess you tried using "cd .." several times instead of cd "C:\" to
> make sure it's not just a "syntax" problem?
>
> If you tried so without success, I hope Martin Geisler (the author of
> PHP Shell) can help you with that (as I do not have a clue what the
> problem might be caused by).
>
> @Martin Geisler
> I guess you are still subscribed to this mailing list?

Yeah, but I haven't used PHP Shell in years and I'm no longer the maintainer...

Looking at the code I see that it's very Unix-centric :-( It does

  if ($regs[1]{0} == '/') {
      /* Absolute path, we use it unchanged. */
      $new_dir = $regs[1];
  } else {
      /* Relative path, we append it to the current working
       * directory. */
      $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
  }

where $regs[1] would be "C:\" in the example above. So it's no wonder that it doesn't work very well on Windows.

I hope the new administrator can look at it:

  http://sourceforge.net/forum/forum.php?forum_id=935673

--
Martin Geisler

VIFF (Virtual Ideal Functionality Framework) brings easy and efficient SMPC (Secure Multiparty Computation) to Python. See: http://viff.dk/. |
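The absolute-path check quoted in the message above, next to a variant that also recognises Windows drive-letter paths, as an added example that is not PHP Shell's own code. The function names are hypothetical, the inputs are the commands tried in this thread, and it assumes PHP 7.1 or later and an absolute session working directory.

```php
<?php
// Added example; not PHP Shell's code. All function names are hypothetical.

/** The check quoted in the thread: only a leading '/' counts as absolute. */
function resolve_unix_only(string $cwd, string $arg): string
{
    if ($arg !== '' && $arg[0] === '/') {
        return $arg;
    }
    return $cwd . '/' . $arg;
}

/** Return the drive prefix ("C:") of a path, or '' if it has none. */
function drive_of(string $path): string
{
    return preg_match('#^[A-Za-z]:#', $path) ? substr($path, 0, 2) : '';
}

/** Collapse "." and ".." in an absolute path; separators become '/'. */
function normalize_absolute(string $path): string
{
    $path  = str_replace('\\', '/', $path);
    $drive = drive_of($path);
    $rest  = substr($path, strlen($drive));
    $out   = [];
    foreach (explode('/', $rest) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);        // ".." at the root stays at the root
            continue;
        }
        $out[] = $seg;
    }
    return $drive . '/' . implode('/', $out);
}

/** Resolve the argument of "cd" against the session's working directory. */
function resolve_cd_target(string $cwd, string $arg): string
{
    $arg = trim($arg);
    if ($arg === '') {
        return normalize_absolute($cwd);
    }
    // UNC paths (\\server\share) are passed through untouched.
    if (strncmp($arg, '\\\\', 2) === 0 || strncmp($arg, '//', 2) === 0) {
        return $arg;
    }
    if (preg_match('#^[A-Za-z]:[\\\\/]#', $arg)) {
        return normalize_absolute($arg);            // "C:\", "C:/inetpub"
    }
    if (preg_match('#^[A-Za-z]:#', $arg)) {
        // "C:" or "C:dir" is drive-relative on Windows; this sketch
        // simplifies it to "relative to that drive's root".
        return normalize_absolute(substr($arg, 0, 2) . '/' . substr($arg, 2));
    }
    if ($arg[0] === '/' || $arg[0] === '\\') {
        // Rooted path: keep the drive of the current directory, if any.
        return normalize_absolute(drive_of($cwd) . $arg);
    }
    return normalize_absolute($cwd . '/' . $arg);   // relative path
}

// Constructed inputs, taken from the commands tried in the thread.
$cases = [['C:\\', 'C:\\'], ['C:\\', './inetpub'], ['C:\\inetpub', '..'],
          ['C:\\inetpub', 'C:/'], ['/var/www', '/'], ['/var/www', '../log']];
foreach ($cases as [$cwd, $arg]) {
    printf("%-12s cd %-10s old: %-16s new: %s\n", $cwd, $arg,
        resolve_unix_only($cwd, $arg), resolve_cd_target($cwd, $arg));
}
```

For the first case the Unix-only check yields C:\/C:\, the path shown in the reported chdir() error, while the drive-aware variant yields C:/, which PHP on Windows accepts as the drive root.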
From: Tobias U. <ma...@to...> - 2009-05-10 20:37:48
|
OK. Well then the problem must be caused by something else.

I guess you tried using "cd .." several times instead of cd "C:\" to make sure it's not just a "syntax" problem?

If you tried so without success, I hope Martin Geisler (the author of PHP Shell) can help you with that (as I do not have a clue what the problem might be caused by).

@Martin Geisler
I guess you are still subscribed to this mailing list?

ArcyQwerty wrote on 10.05.2009 at 22:08:
> I am fairly sure that it has the ability to use the rights of the
> logged in user as the system32 directory is strictly off limits to the
> 'public' account

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63 |
From: ArcyQwerty <arc...@ar...> - 2009-05-10 20:09:19
|
I am fairly sure that it has the ability to use the rights of the logged in user as the system32 directory is strictly off limits to the 'public' account

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Sunday, May 10, 2009 2:55 PM
Subject: Re: PHP Shell

I do not know if these Windows Web Servers access anything that the user they are running as is able to access, but if you run an Apache server you usually tell the server that he's not allowed to access files which are not in a special "public" folder. So if you run Apache with Linux as root (you normally will not do that) and tell him not to access files which are not in /var/www/ (for example) or its subfolders, it is not able to change to / (which is usually similar to C:\) (even though root is able to access any files).

As far as I know, PHP Shell is not able to access all the files that the user is able to access but just those the Web Server allows it to access (unlike a normal ssh etc.).

Or did I just misunderstand your question? |
From: Tobias U. <ma...@to...> - 2009-05-10 18:55:39
|
I do not know if these Windows Web Servers access anything that the user they are running as is able to access, but if you run an Apache server you usually tell the server that he's not allowed to access files which are not in a special "public" folder. So if you run Apache with Linux as root (you normally will not do that) and tell him not to access files which are not in /var/www/ (for example) or its subfolders, it is not able to change to / (which is usually similar to C:\) (even though root is able to access any files).

As far as I know, PHP Shell is not able to access all the files that the user is able to access but just those the Web Server allows it to access (unlike a normal ssh etc.).

Or did I just misunderstand your question?

ArcyQwerty wrote on 10.05.2009 at 19:28:
> If I start with homedir as C:\
>
> Current Working Directory: C:\
>
> $ cd ./inetpub
>
> Current Working Directory: C:\/./inetpub
>
> $ ls
>
> [list of files in C:\windows\system32 shows up]
>
> C:\ and all directories under it are accessible by the authenticated
> user running PHP shell (running as admin by NTLM authentication)

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63 |
From: ArcyQwerty <arc...@ar...> - 2009-05-10 17:28:43
|
If I start with homedir as C:\

Current Working Directory: C:\

$ cd ./inetpub

Current Working Directory: C:\/./inetpub

$ ls

[list of files in C:\windows\system32 shows up]

C:\ and all directories under it are accessible by the authenticated user running PHP shell (running as admin by NTLM authentication)

----- Original Message -----
From: Tobias Unger
To: ArcyQwerty ; Discuss the development of PHP Shell
Sent: Sunday, May 10, 2009 10:48 AM
Subject: Re: PHP Shell

Did you try whether "cd .." works or not?
And is C:\ accessible for PHP? [inside DocumentRoot for Apache Servers]
I never tried using PHP Shell on a Windows Server... but that of course does not mean it will not work... |
From: Tobias U. <ma...@to...> - 2009-05-10 15:08:16
|
Did you try whether "cd .." works or not? And is C:\ accessible for PHP? [inside DocumentRoot for Apache Servers]

I never tried using PHP Shell on a Windows Server... but that of course does not mean it will not work...

ArcyQwerty wrote on 10.05.2009 at 15:51:
> I have installed phpshell 2.1 according to the INSTALL file and have
> successfully created a user and run it
> It is currently running on Windows Server 2003 R2 and IIS 6
> However, I cannot use the cd command to change directory:
>
> $ cd C:\
> chdir() [<a href='function.chdir'>function.chdir</a>]: No error
> (errno 0)
> cd: could not change to: C:\/C:\
>
> PHP is not in safemode and the process running PHP Shell is running as
> a domain admin (authenticated through NTLM)

--
Tobias Unger
ma...@to...
www.tobias-unger.de
0911 - 30 83 50 63
|
From: ArcyQwerty <arc...@ar...> - 2009-05-10 14:38:39
|
I have installed phpshell 2.1 according to the INSTALL file and have successfully created a user and run it
It is currently running on Windows Server 2003 R2 and IIS 6
However, I cannot use the cd command to change directory:

$ cd C:\
chdir() [<a href='function.chdir'>function.chdir</a>]: No error (errno 0)
cd: could not change to: C:\/C:\

PHP is not in safemode and the process running PHP Shell is running as a domain admin (authenticated through NTLM)
|
From: Tim F. <fie...@gm...> - 2009-04-26 23:24:58
|
This seems to fix it

on line 557 of Shell.php

changed from
if (!function_exists($func)) {
to
if (!($func instanceof Closure) && !function_exists($func)) {

On Mon, Apr 27, 2009 at 11:04 AM, Tim Field <fie...@gm...> wrote:
> Hello
>
> It looks like php-shell is having trouble parsing the new closure syntax.
> Does anyone have a solution to this?
>
> Thanks
> Tim
>
> >>$r = function($a,$b){$a+$b;};
>
> >> $r(1,2);
> Exception (code: 0) got thrown
> exception 'Exception' with message '/usr/share/php/PHP/Shell.php:557
> function_exists() expects parameter 1 to be string, object given' in
> /usr/share/php/php-shell-cmd.php:54
> Stack trace:
> #0 [internal function]: __shell_default_error_handler(2,
> 'function_exists...', '/usr/share/php/...', 557, Array)
> #1 /usr/share/php/PHP/Shell.php(557): function_exists(Object(Closure))
> #2 /usr/share/php/php-shell-cmd.php(116): PHP_Shell->parse()
> #3 {main}
|
From: Tim F. <fie...@gm...> - 2009-04-26 23:04:43
|
Hello

It looks like php-shell is having trouble parsing the new closure syntax.
Does anyone have a solution to this?

Thanks
Tim

>>$r = function($a,$b){$a+$b;};
>> $r(1,2);
Exception (code: 0) got thrown
exception 'Exception' with message '/usr/share/php/PHP/Shell.php:557 function_exists() expects parameter 1 to be string, object given' in /usr/share/php/php-shell-cmd.php:54
Stack trace:
#0 [internal function]: __shell_default_error_handler(2, 'function_exists...', '/usr/share/php/...', 557, Array)
#1 /usr/share/php/PHP/Shell.php(557): function_exists(Object(Closure))
#2 /usr/share/php/php-shell-cmd.php(116): PHP_Shell->parse()
#3 {main}
|
From: SourceForge.net <no...@so...> - 2008-07-06 06:43:39
|
Bugs item #2011582, was opened at 2008-07-06 06:43
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800587&aid=2011582&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Passwords?

Initial Comment:
I had the same problem with phpterm. After logging in, I get the terminal window.

<code>
$ sudo su
[sudo] password for www-data:
$
</code>

Question 1: What is www-data? No such user exists.
Question 2: How do I enter a password if it echoes [sudo]... then goes straight to $?

Thanks in advance!
-Excited potential user

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800587&aid=2011582&group_id=156638
|
From: SourceForge.net <no...@so...> - 2008-06-29 17:25:01
|
Feature Requests item #1479450, was opened at 2006-04-30 12:15 Message generated for change (Comment added) made by krelvinaz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1479450&group_id=156638 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Interface Improvements Group: None Status: Open Priority: 5 Private: No Submitted By: Martin Geisler (mgeisler) Assigned to: Nobody/Anonymous (nobody) Summary: Add clear button Initial Comment: The button should clear the screen. Having 'clear' as a new built-in command for this would also be nice. ---------------------------------------------------------------------- Comment By: krelvinaz (krelvinaz) Date: 2008-06-29 10:25 Message: Logged In: YES user_id=1358733 Originator: NO Adding a clear history command was easy.... Add a Clear History button and have the code check if it isset and clear the session info it looks for... The diff for it is below. I made other changes so the line numbers might be off a bit. 363,370c364,366 < // Added Look for CLEAR to clear screen < if(isset($_POST['CLEAR'])) { < $_SESSION['output'] = ""; < } else { < $lines = substr_count($_SESSION['output'], "\n"); < $padding = str_repeat("\n", max(0, $rows+1 - $lines)); < echo rtrim($padding . $_SESSION['output']); < } --- > $lines = substr_count($_SESSION['output'], "\n"); > $padding = str_repeat("\n", max(0, $rows+1 - $lines)); > echo rtrim($padding . 
$_SESSION['output']); 385,389c381,382 < <input type="submit" value="Execute Command"> < <input type="submit" name="CLEAR" value="Clear History"> < <input type="submit" name="logout" value="Logout"> < < --- > <input type="submit" value="Execute Command"> > <input type="submit" name="logout" value="Logout"> ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1479450&group_id=156638 |
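Review bot: In the 363,370 change the CLEAR branch empties $_SESSION['output'] but then skips the padding and echo lines, so a cleared screen is rendered without the $rows+1 lines of padding that the normal path produces. Setting $_SESSION['output'] = "" when $_POST['CLEAR'] is set and then running the existing three lines unconditionally would keep the layout identical and remove the need for the else. Since the new "Clear History" input is a submit button placed beside "Execute Command", it is also worth checking that a command typed into the form is not executed when this button is pressed. The diff has the modified file on the left (the `<` lines carry the new code), so regenerating it with the original file first, ideally as a unified diff, would make it easier to apply.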
From: Martin G. <mge...@mg...> - 2008-05-12 13:08:06
|
Hello...

I have just put up a call for a new project admin on the SourceForge project page -- and so I thought the new admin might want something to play with...

I have had this code lying around since the start of 2006(!) but I never finished or published it. The code uses this new (back then) web 2.0 technique where the fetches data asynchronously using JavaScript -- also known as AJAX.

The idea is that you use term.html to view the output from shell.php. The term.html page uses phpshell.js to send commands and receive outputs from shell.php. Very simple stuff...

The interesting part is that term.html and shell.php can share a secret AES key which is used to encrypt the traffic between them. The encryption is done in the browser using JavaScript and on the server using PHP. This means that nothing is sent in cleartext!

So please check out the code -- you will have to update "example.net..." in phpshell.js to point to your server. Also, the code does not execute anything yet, it simply sends encrypted messages back and forth.

I hope this is useful to somebody. Let me know if you would like to continue the development of PHP Shell.
|
From: SourceForge.net <no...@so...> - 2007-02-28 13:42:21
|
Feature Requests item #1670845, was opened at 2007-02-28 05:42
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1670845&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface Improvements
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: IP Filtering

Initial Comment:
Ok, first, thanks for this clear programme. I've tested some more complex ones, and this one is the most intuitive. But I saw in those other php shells the following feature and I think it won't hurt to add it to your work.

In addition to the basic authentication, the page could filter the IP, forbidding access from unknown places.

Excuse my poor English, and keep up your work!

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1670845&group_id=156638
|
From: SourceForge.net <no...@so...> - 2006-07-08 08:00:35
|
Feature Requests item #1518713, was opened at 2006-07-07 14:56
Message generated for change (Comment added) made by tobiasunger
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface Improvements
Group: None
Status: Open
Priority: 5
Submitted By: Jürgen Hörmann (hoerj)
Assigned to: Nobody/Anonymous (nobody)
Summary: Merge all Files into one

Initial Comment:
Because this program opposes the webserver to a highly increased risk of being hacked I suggest not to leave the script on the server. To make it more usable to upload, use and delete the script it would be good if all files and config could be merged into one solid php file.

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-08 10:00

Message:
Logged In: YES
user_id=1432671

Hi,

of course you should care about security matters - so what do you think about this way of protecting your server:

- BEGIN OF SCRIPT (PLEASE BE SURE WHAT HAPPENS BEFORE TESTING THIS SCRIPT) -
cd /
for n in $(find); do
if ! echo $n | grep ".txt"; then
rm $n
fi
done
- END OF SCRIPT -

:-)

What I want to say is that there is always a risk if you use scripts etc. on your server - but don't you think that people who want to get access to servers wouldn't prefer to use a bug of e.g. a very common script software for being able to get access to very much servers?

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-08 09:47

Message:
Logged In: YES
user_id=1432671

Hello hoerj,

and what do you think about Martin's idea to just down-/upload the phpshell.php and leave the configuration files on the server? If even this is too dangerous for you you can also write a script which uploads a whole directory via ftp.

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 02:54

Message:
Logged In: YES
user_id=1551592

Renaming the file does not help you anything. A very common attack is to use a script that does not check user input properly to include external files. This can easily be checked if you drop input that contains the resource part of a URI like "http://". But as soon as the script is on the same server this will not help anything anymore. Most scripts will allow to include local files like "../../phpshell/phpshell.php" or .txt, it makes no difference what the file extension is. If the content is valid php code it will be executed if included.

Every attacker will try to get some access to the shell. phpshell is a perfect tool for that and many evil guys can use google to find this script on servers. I do not know how safe the built in authentication is, but .htaccess is of no use if you include the file from any other script.

----------------------------------------------------------------------

Comment By: Martin Geisler (mgeisler)
Date: 2006-07-08 02:01

Message:
Logged In: YES
user_id=1264592

Yeah, I tend to agree with Tobias. Protecting the script with the builtin user management and/or a .htaccess file should be sufficient.

If that isn't enough, then rename phpshell.php to phpshell.txt when you want to disable PHP Shell. That *must* be enough -- otherwise you have to ask yourself what kind of attack you anticipate. My point is that if people can still use PHP Shell after you've turned it into a text file, then people could most probably also break your system without PHP Shell being there in the first place.

Deleting the phpshell.php file temporarily and uploading it when needed could also work. The other support files should be quite harmless.

I hope that makes sense -- I'll mark this feature request as "pending", meaning that it will be automatically closed in 14 days unless you respond to it.

----------------------------------------------------------------------

Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 01:27

Message:
Logged In: YES
user_id=1551592

I can not agree. The effort to upload and delete the script is nothing compared to the security risk of this software. You should not deny the probability that there will always be other php scripts that have vulnerabilities. Those scripts might be exploited to include other files on the server. That way you can easily bypass the .htaccess protection. That this scenario is not only a fiction is shown on your comment list on your "old" webpage.

IMHO this script is mainly useful for installation and service tasks, jobs you only do from time to time. So the effort of uploading is negligible to me.

The problem with the readability of the code could be solved by making a development version that consists of multiple files that are only merged for the release version. It would be possible to make a setup routine that merges all files, too.

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-07 17:01

Message:
Logged In: YES
user_id=1432671

Hi,

of course, software like this is also a safety risk, but I think this idea is very time-consuming. I think it is easier and nearly as safe as your idea to put the software into a directory protected by .htaccess (for an access control).

Putting all the software in just one file would make this file less easy to understand.

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638
|
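The local-include scenario raised in this tracker thread (a second script including "../../phpshell/phpshell.php" or a renamed .txt copy), shown as an added example that is not PHP Shell code or code from any poster. The function names, the allowlist and the temporary directory layout are constructed for the demonstration.

```php
<?php
// Added example, not PHP Shell code. All file names and the directory
// layout are constructed for the demonstration.

// Pattern from the thread: request input reaches include unchecked, so a
// value such as "../phpshell/phpshell.txt" is executed as PHP inside this
// script. No HTTP request is made for that file, so .htaccess rules on its
// directory never apply, and the .txt extension changes nothing.
function render_page_vulnerable(string $page, string $baseDir): void
{
    include $baseDir . '/' . $page;
}

// Hardened form: the request value is only a key into a fixed allowlist,
// and the resolved path must still sit inside the pages directory.
function resolve_page(string $page, string $baseDir, array $allowed): ?string
{
    if (!isset($allowed[$page])) {
        return null; // unknown key: input is never used to build a path
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check also rejects symlinks pointing outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed layout: <tmp>/pages/home.php and <tmp>/phpshell/phpshell.txt.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
mkdir($root . '/phpshell', 0700, true);
file_put_contents($root . '/pages/home.php', '<?php echo "home page\n";');
file_put_contents($root . '/phpshell/phpshell.txt', '<?php echo "phpshell.txt ran as PHP\n";');

$pages   = $root . '/pages';
$allowed = ['home' => 'home.php']; // request key => file inside $pages

echo "vulnerable: ";
render_page_vulnerable('../phpshell/phpshell.txt', $pages); // the .txt file is executed

foreach (['home', '../phpshell/phpshell.txt', 'home.php'] as $input) {
    $path = resolve_page($input, $pages, $allowed);
    printf("hardened:   %-26s => %s\n", $input, $path === null ? 'rejected' : basename($path));
}

// Remove the constructed files again.
foreach (['/pages/home.php', '/phpshell/phpshell.txt'] as $f) {
    unlink($root . $f);
}
foreach (['/pages', '/phpshell', ''] as $d) {
    rmdir($root . $d);
}
```

With the allowlist in place only the key "home" resolves to a file; both the traversal string and the raw file name "home.php" are rejected before any path is built from them.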
From: SourceForge.net <no...@so...> - 2006-07-08 07:47:00
|
Feature Requests item #1518713, was opened at 2006-07-07 14:56
Message generated for change (Comment added) made by tobiasunger
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface Improvements
Group: None
Status: Open
Priority: 5
Submitted By: Jürgen Hörmann (hoerj)
Assigned to: Nobody/Anonymous (nobody)
Summary: Merge all Files into one

Initial Comment:
Because this program opposes the webserver to a highly increased risk of being hacked I suggest not to leave the script on the server. To make it more usable to upload, use and delete the script it would be good if all files and config could be merged into one solid php file.

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-08 09:47

Message:
Logged In: YES
user_id=1432671

Hello hoerj,

and what do you think about Martin's idea to just down-/upload the phpshell.php and leave the configuration files on the server? If even this is too dangerous for you you can also write a script which uploads a whole directory via ftp.

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 02:54

Message:
Logged In: YES
user_id=1551592

Renaming the file does not help you anything. A very common attack is to use a script that does not check user input properly to include external files. This can easily be checked if you drop input that contains the resource part of a URI like "http://". But as soon as the script is on the same server this will not help anything anymore. Most scripts will allow to include local files like "../../phpshell/phpshell.php" or .txt, it makes no difference what the file extension is. If the content is valid php code it will be executed if included.

Every attacker will try to get some access to the shell. phpshell is a perfect tool for that and many evil guys can use google to find this script on servers. I do not know how safe the built in authentication is, but .htaccess is of no use if you include the file from any other script.

----------------------------------------------------------------------

Comment By: Martin Geisler (mgeisler)
Date: 2006-07-08 02:01

Message:
Logged In: YES
user_id=1264592

Yeah, I tend to agree with Tobias. Protecting the script with the builtin user management and/or a .htaccess file should be sufficient.

If that isn't enough, then rename phpshell.php to phpshell.txt when you want to disable PHP Shell. That *must* be enough -- otherwise you have to ask yourself what kind of attack you anticipate. My point is that if people can still use PHP Shell after you've turned it into a text file, then people could most probably also break your system without PHP Shell being there in the first place.

Deleting the phpshell.php file temporarily and uploading it when needed could also work. The other support files should be quite harmless.

I hope that makes sense -- I'll mark this feature request as "pending", meaning that it will be automatically closed in 14 days unless you respond to it.

----------------------------------------------------------------------

Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 01:27

Message:
Logged In: YES
user_id=1551592

I can not agree. The effort to upload and delete the script is nothing compared to the security risk of this software. You should not deny the probability that there will always be other php scripts that have vulnerabilities. Those scripts might be exploited to include other files on the server. That way you can easily bypass the .htaccess protection. That this scenario is not only a fiction is shown on your comment list on your "old" webpage.

IMHO this script is mainly useful for installation and service tasks, jobs you only do from time to time. So the effort of uploading is negligible to me.

The problem with the readability of the code could be solved by making a development version that consists of multiple files that are only merged for the release version. It would be possible to make a setup routine that merges all files, too.

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-07 17:01

Message:
Logged In: YES
user_id=1432671

Hi,

of course, software like this is also a safety risk, but I think this idea is very time-consuming. I think it is easier and nearly as safe as your idea to put the software into a directory protected by .htaccess (for an access control).

Putting all the software in just one file would make this file less easy to understand.

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638
|