Feature Requests item #1518713, was opened at 2006-07-07 14:56
Message generated for change (Comment added) made by hoerj
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=800590&aid=1518713&group_id=156638

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Interface Improvements
Group: None
>Status: Open
Priority: 5
Submitted By: Jürgen Hörmann (hoerj)
>Assigned to: Nobody/Anonymous (nobody)
Summary: Merge all Files into one

Initial Comment:
Because this program exposes the webserver to a highly increased risk of being hacked, I suggest not leaving the script on the server. To make it more usable to upload, use and delete the script, it would be good if all files and config could be merged into one solid PHP file.

----------------------------------------------------------------------

>Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 02:54

Message:
Logged In: YES
user_id=1551592

Renaming the file does not help you at all. A very common attack is to use a script that does not check user input properly to include external files. This can easily be checked if you drop input that contains the resource part of a URI like "http://". But as soon as the script is on the same server this will not help anymore. Most scripts will allow including local files like "../../phpshell/phpshell.php" or .txt; it makes no difference what the file extension is. If the content is valid PHP code it will be executed if included. Every attacker will try to get some access to the shell. phpshell is a perfect tool for that, and many evil guys can use Google to find this script on servers. I do not know how safe the built-in authentication is, but .htaccess is of no use if you include the file from any other script.

----------------------------------------------------------------------

Comment By: Martin Geisler (mgeisler)
Date: 2006-07-08 02:01

Message:
Logged In: YES
user_id=1264592

Yeah, I tend to agree with Tobias. Protecting the script with the built-in user management and/or a .htaccess file should be sufficient.

If that isn't enough, then rename phpshell.php to phpshell.txt when you want to disable PHP Shell. That *must* be enough -- otherwise you have to ask yourself what kind of attack you anticipate. My point is that if people can still use PHP Shell after you've turned it into a text file, then people could most probably also break your system without PHP Shell being there in the first place. Deleting the phpshell.php file temporarily and uploading it when needed could also work. The other support files should be quite harmless.

I hope that makes sense -- I'll mark this feature request as "pending", meaning that it will be automatically closed in 14 days unless you respond to it.

----------------------------------------------------------------------

Comment By: Jürgen Hörmann (hoerj)
Date: 2006-07-08 01:27

Message:
Logged In: YES
user_id=1551592

I cannot agree. The effort to upload and delete the script is nothing compared to the security risk of this software. You should not deny the probability that there will always be other PHP scripts that have vulnerabilities. Those scripts might be exploited to include other files on the server. That way you can easily bypass the .htaccess protection. That this scenario is not only a fiction is shown in the comment list on your "old" webpage. IMHO this script is mainly useful for installation and service tasks, jobs you only do from time to time. So the effort of uploading is negligible to me. The problem with the readability of the code could be solved by making a development version that consists of multiple files that are only merged for the release version. It would be possible to make a setup routine that merges all files, too.

----------------------------------------------------------------------

Comment By: Tobias Unger (tobiasunger)
Date: 2006-07-07 17:01

Message:
Logged In: YES
user_id=1432671

Hi,

of course, software like this is also a safety risk, but I think this idea is very time-consuming.

I think it is easier and nearly as safe as your idea to put the software into a directory protected by .htaccess (for access control). Putting all the software in just one file would make this file less easy to understand.

Tobias Unger (tobias-unger.de)

----------------------------------------------------------------------

_______________________________________________
phpshell-devel mailing list
phpshell-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpshell-devel
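The inclusion scenario hoerj describes in the thread (a script that rejects "http://" but still passes a traversal path such as "../../phpshell/phpshell.php" to include()) is illustrated below with a hardened alternative. This is an added example, not PHP Shell's own code or anything from the tracker; the pages/ directory, its file names and the allow-list keys are assumptions.

```php
<?php
// Added illustration (not PHP Shell code): why rejecting "http://" is not enough,
// and an allow-list include that closes the local-inclusion path hoerj describes.

// Weak check from the discussion: only remote URIs are rejected, so a traversal
// string such as "../../phpshell/phpshell.php" reaches include() unchanged.
function weak_include_path(string $page): ?string {
    if (stripos($page, 'http://') !== false) {
        return null;                       // remote include blocked ...
    }
    return __DIR__ . '/pages/' . $page;    // ... but any local file is still reachable
}

// Hardened variant: map user input to a fixed set of known page files, so the raw
// request value never touches the filesystem. Keys and file names are assumptions.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function safe_include_path(string $page): ?string {
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;                       // unknown page name: refuse, log, show 404
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . ALLOWED_PAGES[$page]);
    // Defence in depth: the resolved file must exist and still live under pages/.
    // (On a machine without pages/home.php this also reports "blocked".)
    if ($base === false || $path === false ||
        strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: a normal page name and the traversal value from the thread.
// The weak filter lets the second one through; the allow-list rejects it.
foreach (['home', '../../phpshell/phpshell.php'] as $input) {
    printf("%-32s weak: %s  safe: %s\n",
        $input,
        weak_include_path($input) ?? 'blocked',
        safe_include_path($input) ?? 'blocked');
}
```

Whichever of the two functions is used, the returned path is what would be handed to include(); the point is that only the allow-listed variant guarantees the result is one of the files the application shipped with.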