Liam MacKenzie wrote:

>permission to create tables in other databases, but the can 
>still browse them and view the information.
I do not know MySQL but I'd be very surprised if this was not a database 
creation/configuration issue. In postgres, unless given permission, I 
cannot even connect to someone else's database.

>Any the example I used for the named.conf was a bad one.  
>They cannot delete this, but they can view it's contents.  How 
>can I restrict all PHP functions to
>the one directory?  So if a user makes a file like this:
>include ("../../../../../../../../../etc/eXtremail/eXtremail.conf");
>Instead of printing the conf file the SMTP password in it, 
>it'll return an error.
I think this is a real general security issue, not limited to PHP. Some 
sites do not have write access to anything in cgi-bin but have some 
scripts which may be read and used. Now with perl and php, executing 
ordinary commands becomes easier.

I have an account on a webhosting (GNU Linux) computer, only ftp and web 
access and to my area only (no shell). Apache has a "document root" for 
me and I cannot go above it. The ftp access has a ftproot for me and I 
cannot go above it. Last night I ftp'ed a little perl (it does not have 
php) script into my directory, chmod to 755 and executed it (by its 
url). It did a "cat /etc/httpd/conf/httpd.conf > filename". I then 
ftp'ed it back to me. I can only read/modify files for which my 
username/group has permissions but its enough to give me all the  login 
names if I wanted them.

Used as cgi-bin type scripts perl, php (and anything else) has no 
concept of a document root, so root is the real root. A compiled C 
program uploaded can do the same.

I feel an execution parser is needed so that only certain types of 
programs may be executed and the concept of a execution root to users 
directories. Read/execute access to some things outside are necessary 

What do others on the list think? This issue must have come up before 
somewhere so is there an accepted solution and am I missing something?



PHP General Mailing List (
To unsubscribe, visit:

Reply via email to