> It seems to me that ftp_get() is a potential security hole, or maybe we've
> just got it misconfigured on our system. When a script calls ftp_get() and
> transfers a file, the new file on the local system (e.g. the box running php)
> is owned by the webserver. Now this would make sense if the client to the
> php script were doing an HTTP upload, but shouldn't an FTP transfer be
> created as the user of the script?

How do you propose that the web server user create a file as some other
user? Can't be done.

> We're running PHP 4.0.4pl1 in "safe mode" under Apache 1.3.9. Apache is
> running as www/www and the script is run as John Q. User.
>
> If this can be used to create arbitrary files as the webserver, it seems like
> any legitimate user can create malicious scripts, ftp_get() them so that they
> are owned by the webserver user, then run them just by surfing to the new
> file. Even with safe mode and "php_admin_value docroot" set, it seems like
> there'd be a variety of "attacks" a user could do, if s/he were so inclined.
>
> I'm not a hacker (so looking at php's source wouldn't help me), but I'm a
> concerned sysadmin who's suddenly very scared of the --with-ftp configure
> directive.

There may be a check missing in the ftp extension (haven't checked). It
should only be able to write new files in directories owned by John Q.
User in safe mode.

-Rasmus
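
The directory-ownership rule from the reply above, applied in userland before ftp_get() is called. This is an added example, not part of the original thread and not code from PHP's ftp extension; guarded_ftp_get() and its extension deny-list are hypothetical, and it uses current PHP syntax. The downloaded file is still owned by the web server user; the check only limits where it can land.

```php
<?php
// Added example: guarded_ftp_get() is a hypothetical helper, not a PHP built-in.
// $ftp is an already connected and logged-in FTP handle from ftp_connect()/ftp_login().
function guarded_ftp_get($ftp, string $local, string $remote,
                         array $denyExt = ['php', 'phtml', 'cgi', 'pl']): bool
{
    $scriptUid = getmyuid();              // UID that owns the running script file
    $dir = realpath(dirname($local));     // resolve symlinks and ".." in the target directory
    if ($scriptUid === false || $dir === false || !is_dir($dir)) {
        return false;
    }

    // The rule from the reply: new files only in directories owned by the script owner.
    if (fileowner($dir) !== $scriptUid) {
        return false;
    }

    $target = $dir . DIRECTORY_SEPARATOR . basename($local);

    // Never write through a symlink, and only replace files the script owner already owns.
    if (is_link($target)) {
        return false;
    }
    if (file_exists($target) && fileowner($target) !== $scriptUid) {
        return false;
    }

    // Assumption: the directory may be web-reachable, so refuse names the server would execute.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (in_array($ext, $denyExt, true)) {
        return false;
    }

    // Fetch to a temporary name first so a failed transfer leaves no partial target.
    // tempnam() falls back to the system temp directory if $dir is not writable.
    $tmp = tempnam($dir, 'ftp');
    if ($tmp === false) {
        return false;
    }
    if (!ftp_get($ftp, $tmp, $remote, FTP_BINARY)) {
        unlink($tmp);
        return false;
    }
    chmod($tmp, 0640);                    // readable, never executable
    return rename($tmp, $target);
}
```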
--
PHP General Mailing List (http://www.php.net/)