
Comments for PHP Shell

26 Oct 2006 03:52 mgeisler

Re: Potential security issue


> Now, I'm not an alarmist. I'm also very strict about backing up everything on any of my own or clients' domains - files, databases, and so on. So a hacking isn't going to kill us. Regardless, no one wants to deal with the fallout!
>
> My point to commenting here is simply to let you know this seems to be a growing problem, and to suggest that there might be some way you could provide some limits within the program to prevent this type of use. I have no idea of course if that would even be possible.

You have some good points --- it's unfortunate but correct that PHP Shell has been used for finding passwords (since database passwords are written in plain text in most PHP scripts).

As for what one can do about it: run PHP as a CGI, in which case I believe it assumes the real user ID of the user who owns the script. Then the normal filesystem rules apply to the PHP process as well as to any other process on the system, and it is then easy to restrict access to sensible files.

There might be other ways to have Apache run PHP as the correct user, but it's not something I've spent a lot of time on.
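The mitigation described above only works if the site's configuration files are not readable by other local accounts. As an added example (not code from PHP Shell or from either commenter), a POSIX shell audit that reports configuration files whose group or world bits would expose them to a neighbouring account's PHP process, and a helper that closes them; the file names in the comments are constructed for illustration:

```shell
#!/bin/sh
# Added example, not part of PHP Shell or this thread. With PHP running as CGI
# under the script owner's UID, another account's PHP process is bound by the
# ordinary permission bits, so a group- or world-readable wp-config.php (a
# constructed example name) is exactly what would leak a database password.

# Print "open" when group or others have read access, "private" otherwise,
# "missing" if the path does not exist. ls -l is parsed instead of stat
# because GNU and BSD stat take different flags.
file_exposure() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    gw=$(ls -ld "$1" | cut -c5-10)        # group+other permission letters
    case "$gw" in
        *r*) echo "open" ;;
        *)   echo "private" ;;
    esac
}

# List config-like files under a directory (constructed name patterns:
# *config*.php, *.ini, .env) that other local users can read, one per line.
# Empty output means nothing is exposed.
audit_config_files() {
    find "$1" -type f \( -name '*config*.php' -o -name '*.ini' -o -name '.env' \) 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(file_exposure "$f")" = "open" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Drop group/other access. The site's own scripts still read the file,
# because under CGI-as-owner PHP they run as the file's owner.
restrict_config_file() {
    chmod 600 "$1" && file_exposure "$1"
}
```

Run `audit_config_files /path/to/docroot` from the account that owns the site; any path it prints is readable by other users of the shared host.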

25 Oct 2006 13:31 vkaryl

Potential security issue

I use a variety of php scripts, including wordpress, cubecart, tolra web directory, etc.

Several times lately, people using those scripts have been hacked by crackers using phpshell and other similar scripts. (I haven't - I just seem to be the only person around the fora who thought it might be worthwhile to contact you....)

The modus operandi is simple: the cracker hooks up phpshell etc. to a domain on shared server space, and browses until s/he finds a database or other configuration information, then uses that from within phpshell to pry open anything they want (or so it seems from reading....)

Now, I'm not an alarmist. I'm also very strict about backing up everything on any of my own or clients' domains - files, databases, and so on. So a hacking isn't going to kill us. Regardless, no one wants to deal with the fallout!

My point to commenting here is simply to let you know this seems to be a growing problem, and to suggest that there might be some way you could provide some limits within the program to prevent this type of use. I have no idea of course if that would even be possible.

Thanks.
