[thelist] Able to get to other users on server folders
Daniel J. Cody
djc at starkmedia.com
Wed May 16 21:31:49 CDT 2001
Speaking from a personal standpoint, why would you put up with such a
thing? Even if it's not personal, the fact that you can peruse other
people's files through an FTP client is pretty sick.
Speaking from a security standpoint, it's pretty uncomforting to know
that people may have access to a file that *isn't* in your web root but
that may have sensitive information like database connection strings. On
older (Unix) systems, if you can read /etc/passwd system security just
went down the shitter.. If you can read /opt/coldfusion/registry for
example, you can grab the system password for CF, run that through some
cracking programs, and have access to the administrative controls of
that CF server (a very small example).
Speaking from a system administrator standpoint, it's very unacceptable
to allow people to browse up the directory tree. Every decent FTP server
for unix has an option to 'chroot' a user to their particular directory,
not allowing them to browse the dir tree. Giving shell access is a
different story altogether..
Again, if you've got a config.php script that has your MySQL password,
username and DB name in it that's readable by other people that just want
to wander around the filesystem through an FTP client, I'd be out of
there in no time flat.. If the disk space is *writeable* the person(s)
that are running the server have no right running it, period. A shared
environment doesn't have to equal shitty privacy and security.
.djc.
Darrell King wrote:
> Speaking technically and not from a security standpoint: why not?
> If you're in a shared environment, and their disk space is world-readable,
> why wouldn't you be able to see it? If the space is writable (and most
> virtual server directories are)....
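The config.php case Daniel describes (a credentials file that any other account on a shared host can read over FTP) is something an administrator can check for and fix mechanically. The script below is an added example, not code from the thread or from any FTP server project; it assumes only POSIX sh with find, grep, chmod and mktemp, and the sample tree it builds is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a shared web tree for
# world-readable files that look like they hold credentials, then remove the
# "other" permission bits from them. Assumes POSIX sh plus find, grep, chmod,
# mktemp; the sample directory below is constructed for the demo.

# Print every regular file under $1 that is world-readable (mode bit o+r,
# octal 004) and whose contents mention a password or connection string.
world_readable_secrets() {
    find "$1" -type f -perm -004 -print 2>/dev/null | while IFS= read -r f; do
        if grep -qiE 'password|passwd|connectionstring|db_pass' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Strip read/write/execute for "other" from each file the audit reports.
# The owner and the web server's group keep whatever they had.
tighten_secrets() {
    world_readable_secrets "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Number of findings, as a bare integer (wc -l pads with spaces on some systems).
count_findings() {
    world_readable_secrets "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one harmless page and one config file with
# a placeholder credential, both left at the common 644 default. Prints the
# tree's root so callers can audit it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/htdocs" "$dir/private"
    printf '<?php $db_password = "placeholder-not-a-real-secret";\n' > "$dir/private/config.php"
    printf '<html>hello</html>\n' > "$dir/htdocs/index.html"
    chmod 644 "$dir/private/config.php" "$dir/htdocs/index.html"
    printf '%s\n' "$dir"
}

# Stand-alone run: audit the sample tree, tighten it, audit again.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "before: $(count_findings "$root") world-readable credential file(s)"
    world_readable_secrets "$root"
    tighten_secrets "$root"
    echo "after:  $(count_findings "$root") world-readable credential file(s)"
    rm -rf "$root"
fi
```

Run it as `sh audit.sh --demo` to see the constructed config.php reported once and then disappear from the report after tightening. On a real shared host the same two functions would be pointed at the document roots instead of a temp directory; the grep pattern is deliberately broad, so review the list before tightening, since removing o+r from a file the web server reads as "other" will break the site until the file's group is fixed.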