PHP Security

Ph0eniX

How dangerous are you to your ISP if you can run PHP and have ftp access? I mean you could upload pretty harmful scripts and hurt the server if you really wanted to. No? You could, for example, run these accordingly and if the PHP account has enough privilege they will stop the web server.

Unix:

 exec('/usr/local/apache/bin/apachectl stop');

Windows:

 exec('net stop w3svc');

...or you could get a little fancier than that and give yourself Admin privileges by:

  exec('net localgroup "Administrators" username /add');

[deleted]

Well, if a hosting company runs their webserver (the user under which these scripts would execute) with a user with the priviledges to do this, then they aren't much of a hosting company and I would suggest you move your account elsewhere 🙂

Ph0eniX

Originally posted by mattwade
Well, if a hosting company runs their webserver (the user under which these scripts would execute) with a user with the priviledges to do this, then they aren't much of a hosting company and I would suggest you move your account elsewhere 🙂

I guess there goes my ISP. I just admin'ed myself on their domain controller and now I have full access to the entire net through the terminal server.

[deleted]

If I were you, I would be very cautious. Some ISPs have been known to prosecute people for doing very similar things, even though it is a lack of their security.

Ph0eniX

Originally posted by mattwade
If I were you, I would be very cautious. Some ISPs have been known to prosecute people for doing very similar things, even though it is a lack of their security.

The thing is I told them about it and they gave me some utter BS saying that they've only lowered the security in the past 2days because they were tweaking the server for us eyeroll.