[thelist] Able to get to other users on server folders

Daniel J. Cody djc at starkmedia.com
Wed May 16 21:31:49 CDT 2001


Speaking from a personal standpoint, why would you put up with such a 
thing? Even if it's not personal, the fact that you can peruse other 
people's files through an FTP client is pretty sick.

Speaking from a security standpoint, it's pretty discomforting to know 
that people may have access to a file that *isn't* in your web root but 
that may have sensitive information like database connection strings. On 
older (Unix) systems, if you can read /etc/passwd, system security just 
went down the shitter.. If you can read /opt/coldfusion/registry for 
example, you can grab the system password for CF, run that through some 
cracking programs, and have access to the administrative controls of 
that CF server (a very small example).

Speaking from a system administrator standpoint, it's very unacceptable 
to allow people to browse up the directory tree. Every decent FTP server 
for Unix has an option to 'chroot' a user to their particular directory, 
not allowing them to browse the dir tree. Giving shell access is a 
different story altogether..

Again, if you've got a config.php script that has your MySQL password, 
username and DB name in it that's readable by other people that just want 
to wander around the filesystem through an FTP client, I'd be out of 
there in no time flat.. If the disk space is *writeable*, the person(s) 
that are running the server have no right running it, period. A shared 
environment doesn't have to equal shitty privacy and security.

.djc.

Darrell King wrote:

> Speaking technically and not from a security standpoint:  why not?
> If you're in a shared environment, and their disk space is world-readable,
> why wouldn't you be able to see it?  If the space is writable (and most
> virtual server directories are)....
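The world-readable config.php risk discussed above, as an added example that is not part of the original thread: a small POSIX shell audit that finds credential-looking files under a hosting tree whose "other" read bit is set, and strips that bit. The directory layout, file names and contents are constructed for the demo; the real customer root (assumed here to be something like /home) is a site-specific assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a shared-hosting style tree for
# config files any other account on the box could read over FTP or a shell.

# Build a constructed sample tree so the script runs offline.
make_sample_tree() {
    root=$1
    mkdir -p "$root/alice/public_html" "$root/bob/private"
    printf '<?php $db_pass = "example";\n' > "$root/alice/public_html/config.php"
    chmod 644 "$root/alice/public_html/config.php"   # world-readable: the bad case
    printf '<?php $db_pass = "example";\n' > "$root/bob/private/config.php"
    chmod 600 "$root/bob/private/config.php"         # owner-only: the fixed case
    printf 'hello\n' > "$root/alice/public_html/index.html"
    chmod 644 "$root/alice/public_html/index.html"   # world-readable but harmless
}

# Print files under $1 whose name suggests credentials and whose
# "other" read bit (octal 004) is set. Name patterns are an assumption;
# extend them to whatever your stack uses.
find_exposed_configs() {
    find "$1" -type f \( -name 'config.php' -o -name '*.ini' -o -name '.env' \) \
        -perm -004 2>/dev/null | sort
}

# Count of exposed files, for a simple pass/fail in a cron check.
count_exposed_configs() {
    find_exposed_configs "$1" | wc -l | tr -d ' '
}

# Remediate: remove the "other" read bit from each exposed file.
fix_exposed_configs() {
    find_exposed_configs "$1" | while IFS= read -r f; do chmod o-r "$f"; done
}

# Usage on a real host (assumption: customer directories live under /home):
#   find_exposed_configs /home
```

Pair this with an FTP server configured to chroot each user, as the post recommends; the audit only catches files that are readable, not whether anyone can reach them.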
