Home » Imported messages » comp.lang.php » execute php in template
Re: execute php in template [message #175778 is a reply to message #175777] Mon, 24 October 2011 01:37
Hans Olo
On 10/23/2011 6:38 PM, Jerry Stuckle cried from the depths of the abyss:
>
>>> what if someone snuck into
>>> your code something like:
>>> system('rm -r /');
>>
>> How would someone be able to do that? From the "outside" there's no
>> access to do this, right?
>
> Are you sure? Sony thought so...
>

Keep in mind that the rm request can only delete files that have the
same permissions as the httpd user. This is why Apache recommends
creating a bs account (httpd, apache, joeblow, etc.) to use to run the
httpd server. Almost all stock httpd configs use a bogus user (either
configged by a package, or a requirement if compiling from source), and
this wouldn't delete too much except www related files & perhaps some
config files.

/ will only get deleted if the httpd is being run as root.
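
An added example, not part of the original post: a small audit that lists which files under a tree a given account could unlink, so the blast radius of the httpd user can be checked rather than assumed. It goes slightly beyond the post by modelling the parent directory's write and search bits and the sticky bit; the directory names, the sample tree and the stand-in uid are constructed for illustration.

```python
import os
import stat
import tempfile

# Mode bits only: ignores ACLs, immutable flags and ancestor-directory search bits.
def class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies to uid/gids for this inode."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def deletable_by(root, uid, gids=()):
    """Files under root that a process running as uid/gids could unlink."""
    hits = []
    for parent, _dirs, files in os.walk(root):
        pst = os.lstat(parent)
        # Unlinking needs write+search on the parent directory; the mode of
        # the file itself does not matter. uid 0 bypasses the check.
        can_modify = uid == 0 or (class_bits(pst, uid, gids) & 3) == 3
        for name in files:
            st = os.lstat(os.path.join(parent, name))
            # Sticky directory (like /tmp): only the owner of the file or of
            # the directory may remove the entry.
            sticky_block = (pst.st_mode & stat.S_ISVTX and uid != 0
                            and uid not in (st.st_uid, pst.st_uid))
            if can_modify and not sticky_block:
                hits.append(os.path.relpath(os.path.join(parent, name), root))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: three directories that differ only in mode."""
    for name, mode in (("site", 0o755), ("uploads", 0o777), ("tmp", 0o1777)):
        d = os.path.join(base, name)
        os.mkdir(d)
        with open(os.path.join(d, "index.php"), "w") as fh:
            fh.write("<?php\n")
        os.chmod(d, mode)

def audit_sample():
    """Audit the sample as an unrelated uid (stand-in for httpd) and as root."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        httpd_uid = os.lstat(base).st_uid + 4242  # constructed: owns nothing here
        return deletable_by(base, httpd_uid), deletable_by(base, 0)

if __name__ == "__main__":
    print(audit_sample())
```

To audit a real server, call `deletable_by` with the document root and the uid and group ids of the account named in the server's configuration.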