On Tue, 11 Feb 2003, Christopher Ditty wrote:
> Chris, Did you read the rest of the message? It sounds like the web
Yes, I read your entire message.
> host is saying that
> someone can access PHP FTP from an outside server and hack into the
> server.
That's precisely NOT what the hosting provider said (at least it's not
what my appreciation for running a secured web host led me to believe they
said). I don't expect you to be a security expert, but think with me
through a very common scenario sysadmins must account for. I'll use the
word "you" in a general sense:
You access an FTP server with a user name and a password to retrieve a
file via PHP FTP. The user name and password is the same that grants
you access to your hosting providers server. (People do this
v.frequently. Most people have trouble remembering one
username/password, so they make the dangerous choice to use one
username/password over and over again.) A malicious individual sniffs
your username and password while you transfer a file via FTP from to you
hosting provider. Once the individual has his way with your FTP site
using your credentials, (s)he does the obvious next step ... attempts to
use the same credentials to gain access to your hosting providers
server.
Make sense? That didn't take much time, effort, or thought to get the
hosting provider compromised. And note that it had nothing to do with
PHP. It has everything to do with FTP itself.
Like I said, originally, you and/or your customer might take precautions
against something like this, but there's no way a responsible sysadmin can
assume or be assured that every user on a system will do the same.
The hosting provider isn't trying to protect itself from malicious people
attacking some vulnerability in PHP's FTP extensions. The webhost is
trying to protect itself from it's own users who might code somthing using
an insecure protocol which might allow malicious people easily gain access
credentials to its servers, or othewise allow abuse of a server's
resources. PHP's FTP extenstions aren't a security risk. The security
risk is what users can do with FTP.
At the /risk/ of introducing more reasons for the webhost to disallow the
FTP extensions, forward them this thread and ask if these are indeed
their reasons.
> I am not trying to start a debate on whether or not people should send
> passwords and userids over plain text. Yes, that is a security risk.
> My concern is that this webhost is telling my customer that PHP FTP
> itself is a security risk when it does nothing more than act like
> ws-ftp.
Ws-ftp uses plain-text authentication. The FTP extension to PHP uses
plain-text authentication. (Neither has a choice, since FTP is a
plain-text protocol.) They both present security risks for the same
reason.
~Chris
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
