Re: [PHP] Need some help in "exec"-attack

Mon, 13 Jan 2003 05:21:51 -0800 

:( Yes I've realised that.

It seemed to me that is more efficient to make a copy of that files, rather
than a mysqldump.

but Yes, in order to access files of the mysql directory, I have to give to
the webserver all the rights, solution that I don't aproove, for security
reasons.





----- Original Message -----
From: "Jason Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 3:08 PM
Subject: Re: [PHP] Need some help in "exec"-attack


> On Monday 13 January 2003 19:53, Alex Ciurea wrote:
> > Hi all,
> >
> > this is my situation:
> > I want to execute some comands using 'shell_exec':
> >
> > $command=shell_exec("ls -la /usr/dest_dir;cp -R /usr/source_dir/1.php
> > /usr/dest_dir;cd /usr/dest_dir;ls -la");
> > echo "<pre>$command</pre>";
> >
> > Actually, these commands:
> > 1)        ls -la /usr/dest_dir
> > 2)        cp -R /usr/source_dir/1.php /usr/dest_dir
> > 3)        cd /usr/dest_dir
> > 4)        ls -la
> >
> > This is what I get:
> >
> > total 8
> > drwxr-xr-x    2 mysql    mysql        4096 Jan 13 13:29 .
> > drwxr-xr-x   18 mysql    mysql        4096 Jan 13 12:25 ..
> > total 8
> > drwxr-xr-x    2 mysql    mysql        4096 Jan 13 13:29 .
> > drwxr-xr-x   18 mysql    mysql        4096 Jan 13 12:25 ..
> >
> > the first 3 lines, before the 'cp' command
> > the last 3 lines, after the 'cp' command.
> >
> > As you can see, no changes.
> >
> > I've looked in the logs of the apache webserver and i've found this
line:
> >
> > cp: cannot create regular file `/usr/dest_dir/1.php': Permission denied
> >
> > Note: source_dir and dest_dir are both owned by mysql
>
> Presumably you're trying to backup a mysql database. In a standard setup
the
> database files are only accessible to the 'mysql' user. Your webserver,
under
> normal circumstances, would not be able to access those files. Once you
get
> over this hurdle, the second problem is that your destination directory is
> not writeable by any user other than mysql.
>
> In short you're better off using mysqldump to backup your databases.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
>
> /*
> "Consequences, Schmonsequences, as long as I'm rich."
> -- "Ali Baba Bunny" [1957, Chuck Jones]
> */
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to