[Dshield] Another web server attack

Brian Dessent brian at dessent.net
Thu Nov 17 23:15:06 GMT 2005


ed.truitt at etee2k.net wrote:

> The moral of this story:  don't trust file permissions on software packages --
> web application code should not be writable by anyone other than the owner
> (which shouldn't be the same user account that the web server process runs
> under.)

And yet, how many times have you read an installation guide for some PHP
script (written by someone with no clue) that just says "if you get an
error chmod everything to 777".  Or how many times have you seen someone
say to do that on forums / chat / IM / whatever.  "Hey I can't get this
script working, and I can't be bothered to understand Unix... so I'll
just set everything to 777".  It's really sad when people resort to that
kind of logic.

Brian
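
One way to check a web root against the rule quoted above, as an added example that is not part of the original thread: it lists entries writable by group or other, and entries owned by the account the web server runs as. The function name audit_webroot and the two finding labels are hypothetical; the web root path and the server account are supplied by the caller.

```shell
#!/bin/sh
# Added example (constructed). audit_webroot and its two labels are hypothetical names.
# Usage: audit_webroot WEB_ROOT WEB_USER   (WEB_USER: account name or numeric uid)
# Prints "<label><TAB><path>" per finding; returns 1 if any, 0 if clean.
audit_webroot() {
    root=$1
    web_user=$2
    findings=$(
        # Group- or world-writable entries: what a blanket "chmod 777" leaves.
        # Symlinks are skipped because their own mode bits are not enforced.
        find "$root" ! -type l \( -perm -g+w -o -perm -o+w \) -print |
            while IFS= read -r p; do printf 'non-owner-writable\t%s\n' "$p"; done
        # Entries owned by the web server account: the server process can
        # rewrite or re-chmod these no matter how tight the mode is.
        find "$root" ! -type l -user "$web_user" -print |
            while IFS= read -r p; do printf 'owned-by-web-user\t%s\n' "$p"; done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: sh audit.sh /path/to/webroot webserver-account
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

A non-zero exit status makes it usable as a deployment gate; paths containing newlines are not handled.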

