insecure php

[Shao Feng-Li]

what's a insecure php file?

[andyroo]

http://www.php.net/manual/en/security.php

I now see where Lorentz got that linkest link thing from. I'm pretty shure this is the PHP manual he's talking about.

[Straylight]

An insecure php file typically allows an attacker to run their own php code on your server. PHP will give you access to the server's filesystem, allowing you to do some really unpleasant things.

[Mave]

ack, I tried to read and understand the link provided. 0.o I'm assuming that members like me, can't do anything to help, right?

[shooraijin]

An insecure php file typically allows an attacker to run their own php code on your server. PHP will give you access to the server's filesystem, allowing you to do some really unpleasant things.

Which is of course true of any program a web server runs if the programmer is stupid and doesn't treat user data with the proper modicum of paranoia. Perl has some nasty ones in filehandling that you have to "un-taint" first (hence the entire Perl tainting mechanism to force you to treat user data as if it were dirty).

[Mithrandir]

Have you spoken with Larry about 6 yet? I'm wondering if the "dirty user" stigmata will remain.

Incidentally, (plugs for shooby) does httpi allow you to run multiple "instances" of the server - for example to do virtual hosting, where each instance can run as a different user? That would make something like this virutally impossible...

[shooraijin]

The New Security Model in HTTPi/1.4 automatically changes user to the owner of any document it serves, even if the document is static. (Previously it only changed UID on executable files.) As a nice side effect, this prevents root-owned documents from running, and you can further proscribe UIDs from serving documents (so no one can symlink /bin/tcsh somewhere and allow people run it as bin:bin).

If this isn't enough, HTTPi could always have been run in separately configured server instances with each running as an independent UID. This only works for multi-homed hosting, though; HTTP Host-based virtual hosting needs to run in one large process (for obvious reasons).

http://httpi.floodgap.com/

shameless plug wa, arigatoo

[LorentzForce]

andyroo got it right! dum dum dum!

i might be able to help, but i won't, just so i don't interfere too much...

btw, i was unable to log in due to mozilla unable to redirect me in the first page. well, at least IE works here.

[Mithrandir]

*shudder*

you know, seeing this look&feel and noticing what does/doesn't work makes me really respect Noz's talent/hard work here.

[LorentzForce]

copy/pasted proper redirected address from IE so i can use it on firebird. yes, i ditched IE i'm still getting used to tab browsing though... often see myself closing the entire browser, and i go 'NOOOOOOOOO' then oh well, and open it again.

Noz is good at programming really.

[madphilb]

I was getting a blank screen.... I don't know if it really helped or if I just hit something right, but by SHIFT-clicking on the "REFRESH" icon it reloaded that page and I got "Redirecting" at the top of the screen (and the updated forums shortly after that).

If I remember correctly (and it still applies) SHIFT-clicking on the Refresh would force Mozilla (which was birthed out of Netscape where I think I remember this from) to reload the page.

Again, i could just be blowing smoke out by butt too.... I dunno, but it seemed to work.... wondering if anyone else has/will try it and verify (my hotlink to CAA is to the root of the domain name).

[Mithrandir]

That is possible. We recently set the system to redirect, but if your machine had the page cached (and it wasn't doing things right) it's possible it solved the problem by forcing the reload.