Re: Very basic security question:
From: Diego Figueroa (dfiguero@cs.yorku.ca)
Date: 01/23/03
Date: Thu, 23 Jan 2003 14:16:02 -0500 (EST)
From: Diego Figueroa <dfiguero@cs.yorku.ca>
To: "Ing. Bernardo Lopez" <bloodk@prodigy.net.mx>
How easy would it be in your script to do something like "userid=root"?
Think about the possibility of someone injecting code.
Are you passing this information somewhere in the URL or in one of the
"hidden" variables?
IMHO messing with /etc/passwd and /etc/shadow from the web is a no-no.
Diego.
On Tue, 21 Jan 2003, Ing. Bernardo Lopez wrote:
> How secure could my webserver be if I allow some PHP scripts to modify
> the file (directly) /etc/passwd & /etc/shadow, but my script will only
> allow modifying the line of the logged-in user (like userid=visitor, then he
> can only see/modify visitor's line)??
>
> Is it secure, if I enforce the security of the script well enough... or
> is this still a stupid option?
>
> Also, if I use that script only to modify the permissions of FTP users,
> is it still insecure? (if the ftpd runs with a very unprivileged uid?)
>
> Thanks in advance
>
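
An added example, not part of the original message or thread: a PHP sketch of the two checks the reply's questions point at, namely taking the account name from server-side session state instead of a URL or hidden form variable, and rejecting values that contain passwd(5) field or record separators. The function names, the 64-character limit and the sample data are assumptions made for illustration, and the code works on a constructed string, never on the real /etc/passwd.

```php
<?php
// Constructed sample in passwd(5) format (7 colon-separated fields per line).
const SAMPLE = "root:x:0:0:root:/root:/bin/sh\n"
             . "visitor:x:1001:1001:Visitor:/home/visitor:/bin/sh\n";

// A request-supplied value must not contain ':' (field separator), CR/LF
// (record separator) or NUL, or it would spill into another field or line.
function is_safe_field(string $value): bool
{
    return preg_match('/^[^:\r\n\x00]{0,64}$/D', $value) === 1;
}

// Replace the comment (GECOS) field on $sessionUser's own line only.
// $sessionUser is assumed to come from server-side session state set at
// login, never from the URL or a "hidden" form variable.
function update_gecos(string $passwd, string $sessionUser, string $newGecos): string
{
    if (!is_safe_field($newGecos)) {
        throw new InvalidArgumentException('value contains a separator');
    }
    $out = [];
    $found = false;
    foreach (explode("\n", rtrim($passwd, "\n")) as $line) {
        $f = explode(':', $line);
        if (count($f) === 7 && $f[0] === $sessionUser) {
            if ((int)$f[2] === 0) {   // never edit a UID 0 account from the web
                throw new RuntimeException('refusing to edit a UID 0 account');
            }
            $f[4] = $newGecos;
            $line = implode(':', $f);
            $found = true;
        }
        $out[] = $line;
    }
    if (!$found) {
        throw new RuntimeException('no such user');
    }
    return implode("\n", $out) . "\n";
}

echo update_gecos(SAMPLE, 'visitor', 'Visitor Account');
// Constructed bad inputs: an embedded newline, an embedded colon, and "root".
foreach ([['visitor', "Visitor\nsecond line"], ['visitor', 'has:colon'], ['root', 'x']] as [$u, $v]) {
    try {
        update_gecos(SAMPLE, $u, $v);
    } catch (Exception $e) {
        echo "rejected ($u): ", $e->getMessage(), "\n";
    }
}
```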