Re: php program can read /etc/passwd?

On 2007-03-22, C. <colin.mckinnon@xxxxxxxxx> wrote:

> 1) exposing /etc/passwd is not an issue if shadow passwords are used

Exposing /etc/passwd to the world *is* a security issue, as it gives
crackers account ids to attempt to crack, rather than making them guess
at both the id and password. If the users use strong passwords, this is
a relatively minor issue, but it still is one.

> 2) allowing PHP to read any file on the server is not an issue if the
> system is dedicated (i.e. not shared)

Allowing PHP to read and publish any readable file on the server can
also be an issue, as it could expose potential weaknesses in the web
server by publishing the config file(s).

It may be that the system is insecure - there is no evidence here that
PHP is behaving in any way to undermine security.

The real problem is, why would anyone writing a PHP or other web process
that takes user input trust said user input? If the programmer wants to
limit access to a particular directory, say, then he should write the
program to do so, *not* rely on the language to do it for him.


(try just my userid to email me)
see X- headers for PGP signature information
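The point made in the reply above, that the program and not the language
must confine file access, as an added example that is not part of the
original thread. It puts a file-serving handler that trusts its input next
to one that canonicalises the requested path with realpath() and checks
that the result still lies inside the allowed directory. The function
names, the temporary directory layout and the sample files are all
constructed for this demo.

```php
<?php
// Added example (not from the original thread): a vulnerable file-serving
// handler beside a hardened one that confines reads to one directory.
// Function names, paths and sample files are constructed for the demo.

declare(strict_types=1);

// VULNERABLE: trusts user input. A request such as
// ?file=../../../../etc/passwd walks out of $baseDir and reads whatever the
// web server's user can read.
function serveFileVulnerable(string $baseDir, string $userInput): string
{
    $path = $baseDir . '/' . $userInput;
    $data = @file_get_contents($path);
    return $data === false ? '' : $data;
}

// HARDENED: canonicalise with realpath() (resolves "..", "." and symlinks),
// then require the result to sit inside the canonical base directory.
// The check is done by the program itself, not left to a language-level
// setting such as open_basedir.
function serveFileConfined(string $baseDir, string $userInput): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                  // base directory must exist
    }
    // Reject NUL bytes before touching the filesystem; they truncate paths
    // in the C layer underneath PHP.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($target === false) {
        return null;                  // nonexistent file: nothing to serve
    }
    // Compare against the directory plus a separator, so "/srv/docs2" is
    // not accepted as being inside "/srv/docs".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                  // escaped the allowed directory
    }
    if (!is_file($target)) {
        return null;                  // directories and devices are not served
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// --- demo with a constructed directory layout under the system temp dir ---
$root = sys_get_temp_dir() . '/confine_demo_' . getmypid();
mkdir($root . '/docs', 0700, true);
mkdir($root . '/secret', 0700, true);
file_put_contents($root . '/docs/readme.txt', "public document\n");
file_put_contents($root . '/secret/config.txt', "db_password=example\n");
// A symlink inside the public tree pointing out of it, as an uploaded file
// or a careless admin might leave behind.
symlink($root . '/secret/config.txt', $root . '/docs/link.txt');

$inputs = [
    'readme.txt',                              // legitimate request
    '../secret/config.txt',                    // classic dot-dot traversal
    'link.txt',                                // symlink out of the tree
    '../../../../../../../../etc/passwd',      // the case from the thread
];
foreach ($inputs as $input) {
    $v = serveFileVulnerable($root . '/docs', $input);
    $c = serveFileConfined($root . '/docs', $input);
    printf("%-38s vulnerable:%-8s confined:%s\n",
        $input,
        $v === '' ? 'denied' : 'LEAKED',
        $c === null ? 'denied' : 'served');
}

// cleanup of the constructed layout
unlink($root . '/docs/link.txt');
unlink($root . '/docs/readme.txt');
unlink($root . '/secret/config.txt');
rmdir($root . '/docs');
rmdir($root . '/secret');
rmdir($root);
```

Run it with the php CLI. The vulnerable handler serves every input except
the legitimate one only when the target is absent or unreadable (on a host
without /etc/passwd that last line reads "denied" for both); the confined
handler serves readme.txt and refuses the traversal, the symlink and the
absolute escape, because each of those canonicalises to a path outside the
docs directory. The symlink case is why the check runs on the realpath()
result rather than on the string the user supplied.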