[thelist] DJC -- Major Security Hole in Evolt.org? (Take II) My Apologies
Daniel J. Cody
djc at members.evolt.org
Thu Dec 6 10:01:14 CST 2001
FWIW (as I cleaned the coffee from my monitor which was sprayed forth
from my mouth when I read 'major security hole in evolt.org' as the
subject for a couple emails ;)
The amount of access you have is less dangerous than having SSH to the
box, since you have fewer permissions as nobody than you would as a
regular user. That's not to say I really care for people traversing the
filesystem through PHP - or Perl for that matter. I used to have the PHP
shell stuff turned off, but a couple people said they really wanted to
use it and nowhere else could they go to play with it... so I turned it
on. If people have information on their members.evolt.org that others
shouldn't be seeing:
1.) it probably shouldn't be there in the first place
2.) they need to take action so their files aren't world viewable
3.) they should encrypt them
If you have any other concerns, ask away..
.djc.
Burhan Khalid wrote:
> Security Hole Scare (Take II - My Apologies)
>
> Upon a recheck (and a calming walk to the fridge) -- looking upon the
> same situation, I find that thankfully I am "nobody" -- hence have
> piddly rights, but on the script that I was using (MyShell), it has
> provisions to ban certain commands from being used (say shutdown, kill,
> xterm, etc.). I don't imagine it would be too hard for someone with a
> little more knowledge than I to figure out how to get around this
> limitation. I mean, geez, just the thought of having remote access to
> the shell from a web browser scares me. SSH I can live with. Heck, I
> used telnet to check my email, but it seems too easy that someone with
> just enough knowledge can write a script to do such things.
>
> The MyShell script itself is but a page long. Thanks a bunch Anthony for
> the heads up. I probably would have freaked more if I hadn't realized my
> lapse in judgement.
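The practical fix djc lists as item 2 (files on a shared host must not be world viewable, otherwise a web-server process running as "nobody", or any other local account, can read them) is easy to check for. The script below is an added example written for this archive page; it is not code from the thread or from the MyShell script. It builds a small constructed directory tree, audits it for files whose mode grants read access to "other", and then strips the "other" permission bits from the private subtree. The paths and file contents are sample data for the demonstration; on a real account you would point the functions at your own home directory.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a directory tree on a
# shared host for files that any local user, including a web server running
# as "nobody", could read, then remove the "other" permission bits.
# All paths and contents below are constructed sample data.

# List regular files under $1 whose mode grants read access to "other".
# -perm -004 means "the other-read bit is set" (POSIX octal form).
find_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Count how many files under $1 are world-readable.
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Strip read/write/execute for "other" from every regular file under $1,
# so only the owner (and group) can open them. Public web content should
# be excluded by passing the private subtree, not the whole home directory.
restrict_other() {
    find "$1" -type f -exec chmod o-rwx {} +
}

# Build a constructed sample tree: one private file left world-readable by
# mistake, one intentionally public page, and one already locked down.
# Prints the path of the new tree.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public_html" "$dir/private"
    printf 'db_password=example-placeholder\n' > "$dir/private/config.inc"
    printf '<html>hello</html>\n' > "$dir/public_html/index.html"
    printf 'secret notes\n' > "$dir/private/notes.txt"
    chmod 644 "$dir/private/config.inc"      # the mistake: world-readable
    chmod 644 "$dir/public_html/index.html"  # meant to be served, fine
    chmod 600 "$dir/private/notes.txt"       # already owner-only
    printf '%s\n' "$dir"
}

# Stand-alone demo: run with "--demo" to see the audit before and after.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "world-readable before:"; find_world_readable "$tree"
    restrict_other "$tree/private"
    echo "world-readable after:";  find_world_readable "$tree"
    rm -rf "$tree"
fi
```

Running the audit first and the fix second matters: `find_world_readable` over the whole tree shows exactly which files a "nobody" process could open, while `restrict_other` is applied only to the private subtree so that pages under `public_html` stay readable by the web server. Encrypting anything that has to stay on the host (djc's item 3) is a separate step this script does not attempt.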