[thelist] DJC -- Major Security Hole in Evolt.org? (Take II) My Apologies

Daniel J. Cody djc at members.evolt.org
Thu Dec 6 10:01:14 CST 2001


FWIW (as i cleaned the coffee from my monitor which was sprayed forth 
from my mouth when i read 'major security hole in evolt.org' as the 
subject for a couple emails ;)

The amount of access you have is less dangerous than having SSH to the 
box, since you have less permissions as nobody than you would as a 
regular user.. That's not to say I really care for people traversing the 
filesystem through php - or perl for that matter. I used to have the PHP 
shell stuff turned off, but a couple people said they really wanted to 
use it and nowhere else could they go to play with it....so I turned it 
on. If people have information on their members.evolt.org that others 
shouldn't be seeing: 1.) it probably shouldn't be there in the first 
place 2.) they need to take actions so their files aren't world viewable 
3.) they should encrypt them

If you have any other concerns, ask away..

.djc.

Burhan Khalid wrote:

> Security Hole Scare (Take II - My Apologies)
> 
> Upon a recheck (and a calming walk to the fridge) -- looking upon the 
> same situation, I find that thankfully I am "nobody" -- hence have 
> piddly rights, but on the script that I was using (MyShell), it has 
> provisions to ban certain commands from being used (say shutdown, kill, 
> xterm, etc.). I don't imagine it would be too hard for someone with a 
> little more knowledge than I to figure out how to get around this 
> limitation. I mean, geez, just the thought of having remote access to 
> the shell from a web browser scares me. SSH I can live with. Heck, I 
> used telnet to check my email, but it seems too easy that someone with 
> just enough knowledge can write a script to do such things.
> 
> The MyShell script itself is but a page long. Thanks a bunch Anthony for 
> the heads up. I probably would have freaked more if I hadn't realized my 
> lapse in judgement.
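The practical takeaway from Daniel's reply is point 2: a web shell running as "nobody" sees exactly what any other local user sees, so the real boundary is the permission bits on each member's files. The script below is an added example, not code from the thread or from evolt.org, showing how a member could audit a home directory for files that are readable (or, worse, writable) by "other", skip the directory that is meant to be served, and strip the "other" bits from everything else. The directory layout and file contents in `make_demo_dir` are constructed for the demonstration; `public_html` is assumed to be the published web root.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a home directory for
# files that other accounts, including the web server's "nobody", can read.

# Print every regular file under $1 with the other-read bit set (mode -004),
# skipping the subdirectory named in $2 (the published web root, which is
# intentionally world-readable). Octal -perm is portable to GNU and BSD find.
list_world_readable() {
    find "$1" -path "$1/$2" -prune -o -type f -perm -004 -print 2>/dev/null | sort
}

# Same idea for the other-write bit (mode -002); anything listed here can be
# modified by any local user, which is a far bigger problem than disclosure.
list_world_writable() {
    find "$1" -path "$1/$2" -prune -o -type f -perm -002 -print 2>/dev/null | sort
}

# Number of world-readable files outside the web root (tr strips BSD wc padding).
count_world_readable() {
    list_world_readable "$1" "$2" | wc -l | tr -d ' '
}

# Remove all "other" access from the files found by the audit. Files in the
# skipped web root are left alone so the site keeps being served.
restrict_world_readable() {
    list_world_readable "$1" "$2" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Build a throwaway home directory with constructed contents and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir "$d/public_html"
    printf '<html>hello</html>\n' > "$d/public_html/index.html"  # meant to be public
    printf 'dbpass=constructed-placeholder\n' > "$d/config.inc"   # should not be
    printf 'ls -la\n' > "$d/.bash_history"                        # should not be
    printf 'private notes\n' > "$d/notes.txt"
    chmod 644 "$d/public_html/index.html" "$d/config.inc" "$d/.bash_history"
    chmod 600 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit, tighten, audit again.
demo() {
    home=$(make_demo_dir)
    echo "World-readable outside public_html before:"
    list_world_readable "$home" public_html
    restrict_world_readable "$home" public_html
    echo "World-readable outside public_html after: $(count_world_readable "$home" public_html)"
    echo "Still served from public_html: $(count_world_readable "$home" "")"
    rm -rf "$home"
}

demo
```

Note that the directory bits matter as much as the file bits: a file with mode 600 inside a directory with mode 755 is still safe, but a 644 file inside a 700 directory is only protected as long as the parent stays closed. Running the audit with the web root excluded keeps the site working; run it with an empty second argument to see everything the server account can read.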
