Hey, guys, 

Apologies if I should have sent this to the dev list instead.

It seems to me that ftp_get() is a potential security hole, or maybe we've 
just got it misconfigured on our system.  When a script calls ftp_get() and 
transfers a file, the new file on the local system (e.g. the box running php) 
is owned by the webserver.  Now this would make sense if the client to the 
php script were doing an HTTP upload, but shouldn't an FTP transfer be 
created as the user of the script?

We're running PHP 4.0.4pl1 in "safe mode" under Apache 1.3.9.  Apache is 
running as www/www and the script is run as John Q. User.

If this can be used to create arbitrary files as the webserver, it seems like 
any legitimate user can create malicious scripts, ftp_get() them so that they 
are owned by the webserver user, then run them just by surfing to the new 
file.  Even with safe mode and "php_admin_value docroot" set, it seems like 
there'd be a variety of "attacks" a user could do, if s/he were so inclined.

I'm not a hacker (so looking at php's source wouldn't help me), but I'm a 
concerned sysadmin who's suddenly very scared of the --with-ftp configure 
directive.

-Chris


-- 
PHP General Mailing List (http://www.php.net/)
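A check a sysadmin could run against the situation described in the message above, as an added example that is not part of the original post: it walks a user's web directory and reports regular files owned by the web server account, separating executable scripts from other files. The function names `classify` and `audit`, the extension list, and the account name passed on the command line are assumptions for illustration.

```python
import os
import stat

# Extensions the web server is assumed to hand to PHP; adjust to the
# handler configuration actually in use (assumption, not from the post).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".phtml"}


def classify(name, file_uid, dir_uid, web_uid):
    """Return a finding label, or None if the file is unremarkable."""
    if file_uid != web_uid:
        return None  # owned by a normal user: nothing to report
    if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
        return "script-owned-by-webserver"
    if dir_uid != web_uid:
        # Data file created by the server process inside a user's directory
        # (e.g. an upload or an ftp_get() target).
        return "file-owned-by-webserver"
    return None  # server-owned file in a server-owned directory


def audit(root, web_uid):
    """Walk root without following symlinks; return sorted (path, finding)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        dir_uid = os.lstat(dirpath).st_uid
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            finding = classify(name, st.st_uid, dir_uid, web_uid)
            if finding:
                findings.append((path, finding))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: audit.py <directory> <webserver-account>
    root, account = sys.argv[1], sys.argv[2]
    for path, finding in audit(root, pwd.getpwnam(account).pw_uid):
        print(f"{finding}\t{path}")
```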