I was wondering if shell scripts, if uploaded to your public directory, can view directories beyond the public domain? I'm redoing the security on my site a bit and was just wondering, because if they can't, then I can move all my included type files outside the public domain.
Shell scripts can normally see all directories in and out of your webspace.
They should be secured carefully, as they can be very destructive.
rr1024 wrote: I was wondering if the shell scripts if uploaded to your public directory can view directories beyond the public domain?
They can see all (and only) directories that have permissions such that the user who executes the PHP script has at least read privileges.
Well, I don't want to use a shell script, but I've been hacked before and am trying to think of other ways to protect the site.
rr1024 wrote: other ways to protect the site
Don't use shared hosting.
Go through every single PHP script that works with file uploads... make sure there is a rock-solid mechanism in place that ensures the proper files (extension, data, etc.) are uploaded - and ONLY those files.
Go through every single PHP script that has a variable include()/require() (e.g. ?page=foobar is later used to include() foobar.php) and make sure there is a rock-solid mechanism in place that ensures only the files you want to be included can be.
Go through every single PHP script that inserts data into any DBs you are using and make sure there is a rock-solid mechanism (e.g. mysql_real_escape_string()) in place that ensures only valid data is entered (make sure you scan every piece of data that the user had the opportunity to tamper with - this includes some indices of the $_SERVER superglobal, believe it or not).
Rinse. Lather. Repeat. (Do it all a second time to make sure you didn't miss anything! :p)
Keep common scripts for forums, blogs etc. up to date with any patches published.
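One way to build the "rock-solid mechanism" for a variable include() such as ?page=foobar, as an added example that is not code from any poster in this thread: the request value is used only as a key into a fixed allowlist, and the resolved file must sit inside a pages directory that can live outside the public directory. It assumes PHP 8; the page names, the `resolve_page()` helper and the directory layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Allowlist: the only ?page= values that map to a file. Names are hypothetical.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the untrusted ?page= value to a file to include, or null to refuse.
 * The request value is only ever a lookup key, never part of a path.
 */
function resolve_page(mixed $requested, array $allowed, string $pagesDir): ?string
{
    // ?page[]=x arrives as an array, so insist on a string before the lookup.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    // realpath() is false for a missing file and follows symlinks, so check
    // that the resolved file is still inside the pages directory.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Demo with constructed inputs and a temporary pages directory (CLI only).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
    // 'about' is allowlisted but its file is missing, so it is refused too.
    $samples = ['home', 'about', 'foobar', '../../etc/passwd', ['home']];
    foreach ($samples as $sample) {
        $result = resolve_page($sample, ALLOWED_PAGES, $dir);
        printf("%-22s => %s\n", json_encode($sample), $result ?? 'refused');
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
    rmdir($dir);
}
```

In a web request the call would be `resolve_page($_GET['page'] ?? 'home', ALLOWED_PAGES, $pagesDir)`, followed by an include of the returned path or a 404 response when it is null.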