PHP scripts don't need to be executable to be run. Lacking the execute bit is
not protection at all.

James


--- Bob <[EMAIL PROTECTED]> wrote:

> Instead of using is_writable(); I tried fileperms(); which seems to work ok.
> I'm only checking the Public Write bit of the file permissions.
> If you create a file somewhere and chmod it 666, it'll test it and display as 
> writeable.
> Should be safe, as it won't be executable.
> 
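> <?php
> clearstatcache();
> 
> // Recursively list files and flag those with the world-writable bit set.
> function checkFiles($dirname) {
>   $d = dir($dirname);
>   // Compare against false so an entry named "0" does not end the loop early.
>   while (($filename = $d->read()) !== false) {
>     if ($filename != '.' && $filename != '..' && $filename != 'cgi-bin') {
>       if (is_dir($dirname.'/'.$filename)) {
>         checkFiles($dirname.'/'.$filename);
>       }
>       else {
>         $perms = fileperms($dirname.'/'.$filename);
>         // 0x0002 is the "others write" permission bit.
>         $info = (($perms & 0x0002) ?
>           ' - <b style="color:red">WRITABLE</b>' :
>           ' - <b style="color:blue">SAFE</b>');
>         // Escape the path so odd file names cannot inject markup into the report.
>         echo htmlspecialchars($dirname.'/'.$filename).$info."<br>\n";
>       }
>     }
>   }
>   $d->close();
> }
> 
> checkFiles('.');
> ?>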
> 
> If anyone wants to try it:
> http://circlecity.co.uk/testarea/testfiles.txt
> as Yahoo will probably screw the above code up.
> 
> You could add the following if you don't want to check every file:
> substr($filename, -3) != 'jpg' &&
> substr($filename, -3) != 'gif' &&
> substr($filename, -3) != 'png' &&
> substr($filename, -3) != 'css' &&
> etc.
> 
> Hopefully, it will show up any files these clowns may try to attack.
> Don't forget to delete it from your server when you've tried it.
> Let me know if you can make any improvements.
> Bob.
> 
> 
> 
> 
> Community email addresses:
>   Post message: [email protected]
>   Subscribe:    [EMAIL PROTECTED]
>   Unsubscribe:  [EMAIL PROTECTED]
>   List owner:   [EMAIL PROTECTED]
> 
> Shortcut URL to this page:
>   http://groups.yahoo.com/group/php-list 
> 
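An added example, not part of either message above: a command-line version of the permission audit that also reports world-writable directories and records, for each finding, whether the execute bit is set and whether the file has an extension the server would hand to PHP. The extension list, the function name `auditWritable` and the temporary sample tree are assumptions made for the illustration.

```php
<?php
// Added example (not code from the thread). Run from the CLI: php audit.php
// Assumption: extensions your server passes to PHP; match this to your handler config.
const PHP_EXTENSIONS = ['php', 'phtml', 'inc'];

function auditWritable(string $root): array
{
    clearstatcache();
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST   // visit directories as well as files
    );
    foreach ($it as $path => $info) {
        $perms = $info->getPerms();
        if ($info->isLink() || ($perms & 0002) === 0) {
            continue;                           // skip symlinks and anything not world-writable
        }
        $findings[] = [
            'path'        => $path,
            'mode'        => sprintf('%04o', $perms & 07777),
            'type'        => $info->isDir() ? 'dir' : 'file',
            // The interpreter only has to read a script, so the 0111 bits do not gate it.
            'runs_as_php' => $info->isFile()
                && in_array(strtolower($info->getExtension()), PHP_EXTENSIONS, true),
            'exec_bit'    => ($perms & 0111) !== 0,
        ];
    }
    return $findings;
}

// Constructed sample tree so the script runs offline.
$root = sys_get_temp_dir() . '/perm_audit_' . getmypid();
mkdir("$root/uploads", 0755, true);
file_put_contents("$root/index.php", "<?php echo 'ok';");
file_put_contents("$root/uploads/note.php", "<?php echo 'ok';");
chmod("$root/index.php", 0644);          // not reported
chmod("$root/uploads/note.php", 0666);   // no execute bit, still reported
chmod("$root/uploads", 0777);            // writable directory: files can be added or replaced

foreach (auditWritable($root) as $f) {
    printf("%s %-4s exec=%s %s%s\n", $f['mode'], $f['type'], $f['exec_bit'] ? 'y' : 'n',
        $f['path'], $f['runs_as_php'] ? '  <- served through PHP regardless of exec bit' : '');
}
// Remove the sample tree.
unlink("$root/index.php"); unlink("$root/uploads/note.php");
rmdir("$root/uploads"); rmdir($root);
```

To audit a real site, call `auditWritable()` on the document root in place of the sample tree.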


