LinuxQuestions.org


ckob 03-14-2008 07:18 AM

users accessing directories,files using php scripts
 
If a user on my server runs the following script, it will show the passwd file but not the shadow file, and if you change the commands to pretty much anything (ls, ls -la, rm -rf *) it will execute the command. What do I need to change to take these permissions off the users using php, or at least off of php?

Script Example:
PHP Code:

<html>
<head>
  <title>testing what php has access to</title>
</head>
<body>
This will show /etc/passwd:<br />
<pre>
<?php
// system() runs the command with the web server user's permissions
system("cat /etc/passwd");
?>
</pre>
<br />
done showing /etc/passwd
<hr /><br />
This will show /etc/shadow:<br />
<pre>
<?php
// prints nothing: /etc/shadow is not readable by the web server user
system("cat /etc/shadow");
?>
</pre>
<hr /><br />
done showing /etc/shadow.
</body>
</html>


ckob 03-14-2008 07:23 AM

Also, I'm running Redhat Enterprise server 5.1 and this issue has gone on for almost a week; still waiting for Redhat to come up with a resolution as well.

win32sux 03-14-2008 07:40 AM

Stick a line like this in your php.ini:
Code:

disable_functions = system

BTW, there are probably several other functions you'll also want to disable.
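
The point above about other functions, as an added example that is not part of the thread: a Python check that reads php.ini text and lists which command-execution functions its disable_functions setting still leaves callable. The function list and the sample ini text are assumptions constructed for this example.

```python
import re

# PHP functions that start a process or shell. The backtick operator is
# implemented by shell_exec, so disabling shell_exec covers it as well.
COMMAND_FUNCTIONS = (
    "system", "exec", "passthru", "shell_exec",
    "popen", "proc_open", "pcntl_exec",
)

def disabled_functions(ini_text):
    """Return the names listed by the last active disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        match = re.match(r"disable_functions\s*=(.*)$", line)
        if match:
            value = match.group(1).strip().strip("\"'")
            # A later assignment replaces an earlier one, so rebuild the set.
            # Names are compared exactly as written.
            disabled = {n for n in re.split(r"[,\s]+", value) if n}
    return disabled

def still_enabled(ini_text):
    """Command-execution functions that this php.ini leaves callable."""
    disabled = disabled_functions(ini_text)
    return [name for name in COMMAND_FUNCTIONS if name not in disabled]

# Constructed samples: the single line suggested in the thread, and a
# fuller setting that names every function in COMMAND_FUNCTIONS.
THREAD_FIX = "; constructed sample\ndisable_functions = system\n"
FULLER_FIX = (
    "disable_functions = system, exec, passthru, shell_exec, "
    "popen, proc_open, pcntl_exec\n"
)

if __name__ == "__main__":
    for label, text in (("thread fix", THREAD_FIX), ("fuller fix", FULLER_FIX)):
        remaining = still_enabled(text)
        print(f"{label}: still enabled -> {', '.join(remaining) or 'none'}")
```

Disabling these functions stops command execution only; PHP's file functions can still read world-readable files such as /etc/passwd.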

ckob 03-14-2008 08:06 AM

Thanks, that's it!

Redhat support is still trying to figure this one out :(

