php-install Digest 9 Oct 2002 07:08:13 -0000 Issue 1061

Topics (messages 8723 through 8731):

Re: Malicious code allows people to browse thru /
        8723 by: Steve Cayford
        8724 by: Jeffrey_N_Dyke.Keane.com
        8726 by: Chris Hewitt

quota interface in PHP?
        8725 by: Sven Meiborg Sørensen

OpenBSD install issue
        8727 by: Sean M Lentner

php4isapi.dll installation problem
        8728 by: E. Kwong

RedHat 8.0 cannot load MySQL extension
        8729 by: John Thorne

thread dies when opening a php page
        8730 by: John Coder

Archives ?
        8731 by: Christophe Beyer


----------------------------------------------------------------------
--- Begin Message ---
...and?

It's a programming language. If you want to program a file browser into 
your website why should PHP try to stop you?

-Steve

On Tuesday, October 8, 2002, at 12:31  PM, Thiago Vinhas wrote:

>
> Hi. I found something that is really dangerous. I hope there is a
> configuration variable on php.ini that denies what this script does, but
> if not, PHP Developers must find a way to stop this. The following code
> allows someone to browse the entire directory tree of a server.

--- End Message ---
--- Begin Message ---

Very true, this can be a useful tool for a developer, but giving access via
a browser would be crazy.  The developer needs to control this, not the
language.  I run code that uses the dir class to synch servers, very
useful.  But it is not available for the user to access.  This should be
restricted at the server level.

Or am I not understanding your comment?


                                                                                       
                                                 
Thiago Vinhas <thiago@simpleweb.com.br>
10/08/2002 02:01 PM

To:       [EMAIL PROTECTED]
cc:
Subject:  [PHP-INST] Malicious code allows people to browse thru /
                                                 
                                                                                       
                                                 
                                                                                       
                                                 





Hi. I found something that is really dangerous. I hope there is a
configuration variable on php.ini that denies what this script does, but
if not, PHP Developers must find a way to stop this. The following code
allows someone to browse the entire directory tree of a server.

Here is the code:

<?
// Written for PHP 4 with register_globals on: $dir and $file are filled
// directly from the query string (?dir=... / ?file=...).
$url="1.php";

if(!isset($file) && !isset($dir))$dir="/";

if(isset($dir)){
    diretorio($dir);
}
if(isset($file)){
    arquivo($file);
}

// diretorio = "directory": list the entries of $dir as links.
function diretorio($dir){
    global $url;

    echo "<b>$dir</b><br>";
    $files=array();
    $i=0;
    $handle = @opendir($dir);
    while ($file = @readdir($handle)) {
        $files[$i++]=$file;
    }

    @closedir($handle);

    for($refer=0;$refer < count($files);$refer++)
    {
        if(@is_dir("$dir/$files[$refer]")){
            if($files[$refer] == ".."){
                echo "<a href=\"Javascript:history.back()\">[dir]...<b>$files[$refer]</b></a><br>";
            }
            else{
                echo "<a href=\"$url?dir=$dir/$files[$refer]\">[dir]  <b>$files[$refer]</b></a><br>";
            }
        }
        else{
            echo "<a href=\"$url?file=$dir/$files[$refer]\">$files[$refer]</a><br>";
        }
    }
}

// arquivo = "file": print the contents of $file.
function arquivo($file){
    // "Voltar" = "Back"
    echo "<a href=\"Javascript:history.back()\"><b>Voltar <<</b></a><br>";

    $logfile = fopen ( "$file", "r");
    $text = fread($logfile,filesize($file));

    $text= ereg_replace("\n", "<br>", $text);

    echo "$text";
}

?>










--- End Message ---
--- Begin Message ---
Thiago Vinhas wrote:

>if not, PHP Developers must find a way to stop this. The following code
>allows someone to browse the entire directory tree of a server. 
>
You (or someone on your shared server, if you share it) would have to 
put this code onto it in order for it to happen. Yes there are settings 
in php.ini to help prevent this sort of thing.

HTH
Chris

--- End Message ---
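
The thread does not name the php.ini settings mentioned in the reply above. As an added example (not part of any message in this digest; the paths are placeholders), these are the standard directives that confine or block a script like the one posted:

```ini
; Constructed php.ini fragment; /var/www/example-site/ is a placeholder path.

; Weak (the default): empty open_basedir, so opendir(), fopen() and the other
; file functions reach any path the web server account can read, "/" included.
;open_basedir =

; Restricted: file functions fail with a warning outside the listed trees.
; Separate entries with ":" on Unix and ";" on Windows. Keep the trailing
; slash: older PHP versions treat the value as a string prefix, so
; "/var/www/example-site" would also match "/var/www/example-site-old".
open_basedir = /var/www/example-site/:/tmp/

; On a shared server set it per virtual host in httpd.conf instead, where
; scripts cannot override it:
;   php_admin_value open_basedir /var/www/example-site/

; PHP 4 only (removed in PHP 5.4): refuse to open files not owned by the
; same user as the running script.
safe_mode = On

; The posted script takes $dir and $file straight from the query string,
; which works only with register_globals on. Off is the default since 4.2.0.
register_globals = Off

; Blunt alternative: remove directory listing for every script on the server.
;disable_functions = opendir,readdir,dir

; Do not show path-revealing warnings to visitors; log them instead.
display_errors = Off
log_errors = On
```

open_basedir confines a script like this to the site's own tree; what it may list inside that tree is still up to the developer, as the replies say.
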
--- Begin Message ---
I would like to access the quota part of the file system under RH 7.3 Linux
from PHP so that I can use PHP from Shell as root to perform what I now must
use edquota to do. The job at hand is to administer file system quotas for
several hundred users whose file quotas are maintained in a PHP/MySQL
system.
When searching for quota tools I found a Perl quota module but nothing
useful for PHP.

Has any of you written or heard about a PHP extension giving an interface to
the quota system?

Best regards,
Sven M. Sorensen
University of Southern Denmark
--- End Message ---
--- Begin Message ---
Hi, I am having issues getting this to work. I know I am doing something wrong, I 
just do not know what:

I installed using these instructions:

$ cd /usr/ports/www/php4
$ make show VARNAME=FLAVORS
 (choose which flavors you want from the list)
$ env FLAVOR="imap gettext ldap mysql gd" make install
$ /usr/local/sbin/php4-enable

I made the changes to my httpd.conf and php.ini as listed after the install, 
but I still do not find php on my machine anywhere.

find / -name php <-- finds lots of PHP stuff but not /usr/local/lib/php
just a bunch of stuff under /usr/ports

Help, this is driving me nuts :(
--- End Message ---
--- Begin Message ---
One of our users needs to use a web application written in PHP by an
outside organization.  After we manually installed PHP on a Windows 2000
server with IIS5, the web server became very unstable.  It went up and
down with www, ftp, and smtp stopping.  I was suspicious of the PHP
ISAPI filter and took it out.  After the filter was taken out, the web
server became stable again.  But today when I tried to access the test
page (basically contains only phpinfo()), it doesn't come up anymore.
My questions are:

1) Do I have to go to the ISAPI Filter tab in IIS to put the PHP filter
back?  The App Mappings is still there and is mapped to
php\sapi\php4isapi.dll.

2) Why did the PHP ISAPI cause the stopping of web services?  Did I
mis-configure something?
I can't afford to have the W2K server go up and down again since it's
our production server hosting our organization's web site.

I'm really at a loss now so any help is greatly appreciated.


--- End Message ---
--- Begin Message ---
Apache 2.0.40 / php 4.2.2 / mySQL 3.23.52

Getting the following error trying to open
phpmysqladmin:

cannot load MySQL extension,
please check PHP Configuration

I can display phpinfo
and mysql is listed under dbx supported databases

What am I missing?

Can someone point me to a setup howto?

thanks

jrt


--- End Message ---
--- Begin Message ---


I'm trying to install gd2.0.1 on a suse8.0 with php4.2.3 apache 1.3.26.
I've recompiled everything, no error messages either on compile or make.
When I open a php page on the browser I lose connection to the server.
That is, that thread dies. The apache server itself is still running but
the child dies but the parent regenerates another process/thread. I've
been able to install php and apache on three other machines but this one
will not take. Any ideas?

John Coder

--- End Message ---
--- Begin Message ---
Hello,

I'd like to know if the archives of this list are available?

Thanks

--- End Message ---
