Ahh. I didn't really consider that. Excellent idea.

Mike

On Fri, 2002-05-03 at 21:58, serj wrote:
> The way I designed the script was so that each time they want to save
> changes to their htaccess file through the script they have to enter their
> password. So I never have to actually save the password anywhere in the
> script.
>
> On Fri, 3 May 2002, Mike Eheler wrote:
>
> > The problem is not in them being able to overwrite the .htaccess *and*
> > getting your FTP password.. those are the cons for both solutions we
> > have presented, respectfully.
> >
> > Right now the ideal solution seems to be this:
> >
> > save new .htaccess to a temp file
> > save new .htpasswd to a temp file
> > use PHP's FTP routines to connect to the FTP server with your
> > username/password
> > delete existing .htaccess
> > delete existing .htpasswd
> > upload new .htaccess
> > upload new .htpasswd
> > close connection
> >
> > The biggest problem with this is that you have your FTP password in
> > plain text in the script that performs this. If anyone for any reason is
> > able to take advantage of some kind of exploit that allows them to view
> > the source of that file, you're toast. They get ahold of your FTP
> > password and have free rein on your website.
> >
> > I'm open to suggestions.
> >
> > serj wrote:
> > > Being that the files are owned by their respective users, I would imagine
> > > that would make it pretty difficult for the .htaccess file to be
> > > overwritten, if someone found a way to overwrite the file couldn't that
> > > person overwrite any file owned by the ftp user anyway? also I don't see
> > > how someone being able to overwrite the .htaccess file would allow them to
> > > grab the ftp password, especially if this is all transmitted over ssl. I
> > > apologize, I'm not trying to start a flame war that I'm sure I'll
> > > lose. But, I am working on a script that does exactly this and if I'm
> > > doing it wrong perhaps I should begin recoding it.
> > >
> > > josh
> > >
> > > On Fri, 3 May 2002, Mike Eheler wrote:
> > >
> > >>If someone can overwrite your .htaccess there's a chance they can also
> > >>view files through the same exploit (possibly). They could then get your
> > >>FTP login info, and do a lot more damage than just removing password
> > >>access to an area.
> > >>
> > >>Mike
> > >>
> > >>Serj wrote:
> > >>
> > >>>I'm not exactly sure why that is worse, could you elaborate a little?
> > >>>Josh
> > >>>
> > >>>On Fri, 3 May 2002, Miguel Cruz wrote:
> > >>>
> > >>>>Thus leaving the FTP account's password in view of the httpd, which is
> > >>>>even worse...
> > >>>>
> > >>>>miguel
> > >>>>
> > >>>>On Fri, 3 May 2002, serj wrote:
> > >>>>
> > >>>>>You could use fopen() to connect to the file via ftp therefore keeping
> > >>>>>the .htaccess file owned by the user for increased security.
> > >>>>>
> > >>>>>Josh Boughner
> > >>>>>
> > >>>>>On Fri, 3 May 2002, Mike Eheler wrote:
> > >>>>>
> > >>>>>>It's possible, but is it really recommended? Wouldn't the
> > >>>>>>.htaccess/.htpasswd file have to be owned by the apache user, which
> > >>>>>>might leave it open to being overwritten by any kind of a
> > >>>>>>weak/exploitable script?
> > >>>>>>
> > >>>>>>Mike
> > >>>>>>
> > >>>>>>Josh & Valerie McCormack wrote:
> > >>>>>>
> > >>>>>>>I've used the script phtaccess, which I think used the mentioned class.
> > >>>>>>>Super easy to use.
> > >>>>>>>
> > >>>>>>>Josh
> > >>>>>>>
> > >>>>>>>>On Wed, 1 May 2002, Kelly Meeks wrote:
> > >>>>>>>>
> > >>>>>>>>>>Is it possible to use php to admin a password file used by a
> > >>>>>>>>>>.htaccess file?
> > >>>>>>>>>>
> > >>>>>>>> You should check the File_Passwd class from PEAR.
> > >>>>>>>>
> > >>>>>>>> http://chora.php.net/cvs.php/php4/pear/File
> > >>>>>>>>
> > >>>>>>>>--
> > >>>>>>>>Mika Tuupola http://www.appelsiini.net/~tuupola/
> > >>>>>>
> > >>>>>>--
> > >>>>>>PHP General Mailing List (http://www.php.net/)
> > >>>>>>To unsubscribe, visit: http://www.php.net/unsub.php
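The per-request-password design serj describes, combined with the temp-file-and-FTP upload steps Mike lists, as an added PHP example (not code from any poster in this thread). It assumes a form with the hypothetical fields ftp_user, ftp_pass, web_user and web_pass, an FTPS-capable server (ftp_ssl_connect), and Apache 2.4, which accepts bcrypt hashes in .htpasswd; the remote directory and AuthUserFile path are placeholders.

```php
<?php
// The FTP password arrives with the form submission, is used for one FTP
// session and is never written into the script or onto disk, so a source
// disclosure bug in the script has no stored credential to leak.

// One .htpasswd entry. Apache 2.4 accepts bcrypt ($2y$) hashes, the same
// format `htpasswd -B` writes, so password_hash() can be used directly.
function htpasswd_line(string $user, string $password): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $user)) {
        throw new InvalidArgumentException('bad username');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

// Write both files to 0600 temp files, push them over FTPS with the
// credentials supplied for this request only, then discard the local copies.
function publish_auth_files(string $host, string $ftpUser, string $ftpPass,
                            string $remoteDir, string $htaccess, string $htpasswd): void
{
    $tmpAccess = tempnam(sys_get_temp_dir(), 'hta');
    $tmpPasswd = tempnam(sys_get_temp_dir(), 'htp');
    file_put_contents($tmpAccess, $htaccess);
    file_put_contents($tmpPasswd, $htpasswd);
    $conn = ftp_ssl_connect($host);   // assumption: server offers FTPS
    try {
        if (!$conn || !@ftp_login($conn, $ftpUser, $ftpPass)) {
            throw new RuntimeException('FTP login failed');
        }
        ftp_pasv($conn, true);
        // ftp_put() overwrites in place, so no separate delete step is needed
        // and the files stay owned by the FTP user rather than the httpd user.
        foreach ([$tmpAccess => '.htaccess', $tmpPasswd => '.htpasswd'] as $local => $name) {
            if (!ftp_put($conn, "$remoteDir/$name", $local, FTP_ASCII)) {
                throw new RuntimeException("upload of $name failed");
            }
        }
    } finally {
        if ($conn) { ftp_close($conn); }
        unlink($tmpAccess);
        unlink($tmpPasswd);
    }
}

// Form handler: nothing here is persisted beyond this request.
$htaccess = "AuthType Basic\nAuthName \"Members\"\n"
          . "AuthUserFile /home/USER/public_html/private/.htpasswd\n"   // placeholder path
          . "Require valid-user\n";
$line = htpasswd_line($_POST['web_user'] ?? '', $_POST['web_pass'] ?? '');
publish_auth_files('ftp.example.com', $_POST['ftp_user'] ?? '', $_POST['ftp_pass'] ?? '',
                   '/public_html/private', $htaccess, $line);
```

Serve the form over HTTPS so the FTP password is not exposed in transit to the script, which is the point serj raises about SSL above.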