Re: Very basic security question:

From: Diego Figueroa (dfiguero@cs.yorku.ca)
Date: 01/23/03

    Date: Thu, 23 Jan 2003 14:16:02 -0500 (EST)
    From: Diego Figueroa <dfiguero@cs.yorku.ca>
    To: "Ing. Bernardo Lopez" <bloodk@prodigy.net.mx>
    
    

    How easy would it be in your script to do something like "userid=root"?
    Think about the possibility of someone injecting code.

    Are you passing this information somewhere in the URL or in one of the
    "hidden" variables?

    IMHO messing with /etc/passwd and /etc/shadow from the web is a no-no.

    Diego.

    On Tue, 21 Jan 2003, Ing. Bernardo Lopez wrote:

    > How secure could my webserver be if I allow some PHP scripts to modify
    > the file (directly) /etc/passwd & /etc/shadow but my script will only
    > allow modifying the line of the logged-in user (like userid=visitor, then he
    > can only see/modify visitor's line)??
    >
    > Is it secure, if I enforce the security of the script well enough... or
    > is this still a stupid option?
    >
    > Also if I use that script only to modify the permissions of ftp's users
    > is it still insecure? (if the ftpd runs with a very unprivileged uid?)
    >
    > Thanks in advance
    >
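
The "userid=root" concern raised in this message, shown as an added example that is not part of the original thread or either poster's script: a handler that trusts a client-supplied userid beside one that takes the identity from the server-side session and allow-lists the value. The function names, the session key `user`, the request key `gecos` and the sample lines are assumptions made for illustration, and everything runs on a constructed in-memory array rather than on the real files.

```php
<?php
// Added example; works on a constructed in-memory copy, never on /etc/passwd.
$passwd = [
    "root:x:0:0:root:/root:/bin/bash",
    "visitor:x:1001:1001:Visitor:/home/visitor:/bin/sh",
];

// Replace the comment (5th) field on $user's line and return the new lines.
function set_gecos(array $lines, string $user, string $gecos): array {
    foreach ($lines as $i => $line) {
        $f = explode(':', $line);
        if ($f[0] === $user) {
            $f[4] = $gecos;
            $lines[$i] = implode(':', $f);
        }
    }
    return $lines;
}

// Weak: the account name comes from the request (URL or hidden form field).
function handle_weak(array $lines, array $request): array {
    return set_gecos($lines, $request['userid'], $request['gecos']);
}

// Hardened: identity comes only from the session; the value is allow-listed.
function handle_hardened(array $lines, array $session, array $request): array {
    $user = $session['user'] ?? null;   // set at login, never by the client
    if (!is_string($user) || !preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $user)) {
        throw new RuntimeException('no authenticated user');
    }
    $gecos = $request['gecos'] ?? '';
    // Rejects ':' (field separator), newlines (record separator), control bytes.
    if (!is_string($gecos) || !preg_match('/\A[A-Za-z0-9 .,_-]{0,64}\z/', $gecos)) {
        throw new InvalidArgumentException('invalid value');
    }
    return set_gecos($lines, $user, $gecos);
}

$req  = ['userid' => 'root', 'gecos' => 'changed'];   // constructed tampered request
$weak = handle_weak($passwd, $req);                   // edits whichever line the client names
echo $weak[0], "\n";
$safe = handle_hardened($passwd, ['user' => 'visitor'], $req);  // 'userid' is ignored
echo $safe[0], "\n", $safe[1], "\n";
try {
    handle_hardened($passwd, ['user' => 'visitor'], ['gecos' => "x:y\nz"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Input checks like these only narrow what the script accepts; the web server process would still need write access to the account files, which is the objection raised in the reply.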


