On Tue, 14 Aug 2001 12:06:01 +0200 impersonator of [EMAIL PROTECTED] (Soeren
Nielsen) planted &I saw in php.general:
>"Ben-Nes Michael" <[EMAIL PROTECTED]> wrote in message
>022201c12498$79178ce0$[EMAIL PROTECTED]">news:022201c12498$79178ce0$[EMAIL PROTECTED]...
>> The problem still stays if you open php to system commands like `echo
>> /etc/passwd` or using system() ....
>A problem is also that other web-programers can read your source code
>through PHP.
>An example from my page is this:
>My homepage is here: /hotel/<my domain>/WWW
>I can make a php-script that opens /hotels/<some other domain>/WWW ,
>list the files, view them, steal code from others etc etc.
>Hope what I wrote gave some sort of meaning :-)
Well. Skliar's example do confirm once again, that programmers _can_ do
illegal things, like breaking copyrihgt, stealing the code etc. But is is
responsibilities of the servers administrators to configure the system in
such a way - even if it has multiply users (which is the case for most) -
so to not allow such (and alike) sample opening occur outside of
web-server structure. And only owner/user of the site has a passworded FTP
and other access to his data outside of web-server. 

Of course passwords could be compromised, but this is an another matter.
All in all - I strongly believe - that server stuff is carriing full
responsibility for the above matter. And only the should have root access.

PS: There are servers, to my surprise, (i rent one:() that set write group
attribute for files on download by default, and then refuse executing them
on this basis, so you have to re-set attribute manually. But this alone
still doesn't allow others to read .php as source (these files can only be

Just my legal 2c i leonid.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to