Re: php program can read /etc/passwd?

On 2007-03-22, C. <colin.mckinnon@xxxxxxxxx> wrote:

> 1) exposing /etc/passwd is not an issue if shadow passwords are used

Exposing /etc/passwd to the world *is* a security issue, as it gives
crackers account ids to attempt to crack, rather than making them guess
at both the id and password. If the users use strong passwords, this is
a relatively minor issue, but it still is one.

> 2) allowing PHP to read any file on the server is not an issue if the
> system is dedicated (i.e. not shared)

Allowing PHP to read and publish any readable file on the server can
also be an issue, as it could expose potential weaknesses in the web
server by publishing the config file(s).

It may be that the system is insecure - there is no evidence here that
PHP is behaving in any way to undermine security.

The real problem is, why would anyone writing a PHP or other web process
that takes user input trust said user input? If the programmer wants to
limit access to a particular directory, say, then he should write the
program to do so, *not* rely on the language to do it for him.


(try just my userid to email me)
see X- headers for PGP signature information
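The point made above, that the script rather than the language has to confine file access, as an added example that is not part of the original post or the thread. The script below is hypothetical: the directory names, the hello.txt file and the "link" symlink are constructed here for the demonstration.

```php
<?php
// Added example, not from the original thread. A hypothetical file-serving
// script that takes a user-supplied name and confines reads to one directory.
// All paths and names below are assumptions made for illustration.

declare(strict_types=1);

// Naive version: trusts the request parameter outright. A request such as
// ?file=../../../../etc/passwd reads outside the intended directory, and PHP
// itself does nothing to stop it (open_basedir aside).
function serve_naive(string $name): string|false
{
    return file_get_contents('/var/www/files/' . $name);
}

// Hardened version: the program enforces the limit, not the language.
function serve_confined(string $baseDir, string $name): ?string
{
    // First line of defence: accept only a single plain file-name component,
    // which rules out "/", ".." and NUL bytes before any path is built.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Second line of defence: realpath() resolves symlinks and any ../ that
    // slipped through, and the result must still sit beneath $base. The
    // trailing separator stops a sibling such as /var/www/files-old matching.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($path)) {
        return null;
    }
    return file_get_contents($path);
}

// Demonstration with a constructed directory so the script runs stand-alone.
$dir = sys_get_temp_dir() . '/confine_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/hello.txt", "hello\n");
// A symlink inside the served directory that points outside it: the name
// passes the regex, so only the realpath check catches this one.
symlink('/etc/passwd', "$dir/link");

$requests = [
    'hello.txt',                         // legitimate
    '../../../../etc/passwd',            // traversal, rejected by the regex
    'hello.txt/../../../../etc/passwd',  // traversal after a valid prefix
    'link',                              // symlink escape, rejected by realpath
];
foreach ($requests as $req) {
    $out = serve_confined($dir, $req);
    printf("%-36s => %s\n", $req, $out === null ? 'refused' : trim($out));
}

unlink("$dir/link");
unlink("$dir/hello.txt");
rmdir($dir);
```

Run it with `php confine.php`; only hello.txt is served, the other three are refused. The two checks are deliberately redundant: the whitelist regex keeps traversal strings out of the path altogether, and the realpath comparison catches anything the filesystem itself redirects, such as a symlink dropped into the served directory, which no amount of input validation on the name would reveal.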

