
Chmod

Posted: Fri Jan 21, 2005 11:46 am
by Shendemiar
This must be utterly stupid...

If I chmod something +777, how could "other" edit my files?

Not actually a PHP question, but I need to know this as a prelude to my main concern, that is PHP related.

Posted: Sun Jan 23, 2005 2:19 pm
by rehfeld
let's say your website is
Shendemiar.com
and I'm on the same host as you with the website
rehfeld.com

assuming your doc root was

/usr/path/to/Shendemiar.com/public_html/

and mine

/usr/path/to/rehfeld.com/public_html/

Code:

$fp = fopen('/usr/path/to/Shendemiar.com/public_html/script.php', 'w');
if PHP's open_basedir is being used, that will prob fail. but I could still prob use CGI to do it.

by doing that, I could prob look at all your code, and get your db passwords, and if you're also maybe doing a login and using sessions, see what session vars you're setting, then write my own session file to the session.save_path dir, and then your website would grant me access.

Posted: Wed Feb 02, 2005 2:34 pm
by hawleyjr
What if you're on a dedicated server?
rehfeld wrote: let's say your website is
Shendemiar.com
and I'm on the same host as you with the website
rehfeld.com

assuming your doc root was

/usr/path/to/Shendemiar.com/public_html/

and mine

/usr/path/to/rehfeld.com/public_html/

Code:

$fp = fopen('/usr/path/to/Shendemiar.com/public_html/script.php', 'w');
if PHP's open_basedir is being used, that will prob fail. but I could still prob use CGI to do it.

by doing that, I could prob look at all your code, and get your db passwords, and if you're also maybe doing a login and using sessions, see what session vars you're setting, then write my own session file to the session.save_path dir, and then your website would grant me access.

Posted: Wed Feb 02, 2005 4:35 pm
by Shendemiar
My PHP runs in safe mode/with different credentials than my unix username, preventing it from creating directories. I can make directories by FTP, but then I can't upload to them by PHP, since a different "user" made them. For this, I just gave all rights to everyone to a branch of folders that have various documents like PDFs and pictures. There's no PHP or passwords at all in it, so I guess there's no huge risk involved?
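
An audit for the condition this thread discusses, as an added example that is not part of any post: the shell functions below list entries under a document root that "other" can write to, and flag scripts sitting in world-writable directories that lack the sticky bit. The function names and the sample tree are constructed for illustration; `-maxdepth` assumes GNU or BSD find.

```shell
#!/bin/sh
# Added example, not from the thread: audit a document root for the
# "other can write" condition. The sample tree below is constructed.

# Entries under $1 with the other-write bit set (symlinks skipped, since
# their own mode bits are not used for access checks).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# World-writable directories without the sticky bit: any local account can
# create, rename or delete entries there, whatever the files' own modes are.
open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Scripts directly inside such directories; another account can replace
# them even when the script file itself is mode 644.
exposed_scripts() {
    open_dirs "$1" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f \( -name '*.php' -o -name '*.cgi' \) -print
    done
}

# Print a summary; return non-zero when anything was found.
audit() {
    ww=$(world_writable "$1" | wc -l | tr -d ' ')
    ex=$(exposed_scripts "$1" | wc -l | tr -d ' ')
    echo "world-writable: $ww, scripts in open directories: $ex"
    [ "$ww" -eq 0 ] && [ "$ex" -eq 0 ]
}

# Constructed sample: a 777 branch of document folders under public_html.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/docs/pics"
    : > "$root/public_html/index.php"
    : > "$root/public_html/docs/manual.pdf"
    : > "$root/public_html/docs/pics/thumb.php"
    chmod 755 "$root/public_html"
    chmod 644 "$root/public_html/index.php" "$root/public_html/docs/pics/thumb.php"
    chmod 666 "$root/public_html/docs/manual.pdf"
    chmod 777 "$root/public_html/docs" "$root/public_html/docs/pics"
    echo "$root"
}

if [ $# -gt 0 ]; then audit "$1"; fi
```

Run it with the document root as the only argument; a non-zero exit status means at least one finding.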