Security Basics mailing list archives
Re: Very basic security question:
From: Diego Figueroa <dfiguero () cs yorku ca>
Date: Thu, 23 Jan 2003 14:16:02 -0500 (EST)
How easy would it be in your script to do something like "userid=root"? Think about the possibility of someone injecting code. Are you passing this information somewhere in the URL or in one of the "hidden" variables?

IMHO messing with /etc/passwd and /etc/shadow from the web is a no-no.

Diego.

On Tue, 21 Jan 2003, Ing. Bernardo Lopez wrote:

> How secure could my web server be if I allow some PHP scripts to modify the files /etc/passwd & /etc/shadow (directly), but my script will only allow modifying the line of the logged-in user (like userid=visitor, then he can only see/modify visitor's line)?
>
> Is it secure, if I enforce the security of the script well enough... or is this still a stupid option?
>
> Also, if I use that script only to modify the permissions of FTP users, is it still insecure? (If the ftpd runs with a very unprivileged uid?)
>
> Thanks in advance
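The concern raised in the reply above (a client-supplied "userid" and injected content), shown as an added PHP example that is not part of either message. All function names, the `authenticated_user` session key and the sample values are hypothetical, and the sketch only selects and validates input; it does not write to any file.

```php
<?php
// Added illustration; function, key and field names are hypothetical.

// Weak pattern: the account to edit comes from the request (URL or hidden
// form field), so the client decides whose line is modified.
function target_account_weak(array $request): string
{
    return $request['userid'] ?? '';
}

// Safer pattern: the account comes only from server-side session state set
// at login; any userid in the request is ignored.
function target_account(array $session): string
{
    $user = $session['authenticated_user'] ?? '';
    if (!preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $user)) {
        throw new RuntimeException('no valid authenticated user');
    }
    if ($user === 'root') {
        throw new RuntimeException('refusing to edit a privileged account');
    }
    return $user;
}

// passwd records are one line of colon-separated fields, so a value holding
// ':' or a line break would add fields or whole records.
function safe_field(string $value): string
{
    if (preg_match('/[:\r\n\x00]/', $value) || strlen($value) > 128) {
        throw new InvalidArgumentException('illegal character in field');
    }
    return $value;
}

// Constructed sample input: session says "visitor", request claims "root".
$session = ['authenticated_user' => 'visitor'];
$request = ['userid' => 'root', 'fullname' => "Visitor\nextra:line"];

echo target_account_weak($request), "\n";   // value chosen by the client
echo target_account($session), "\n";        // value chosen by the server
try {
    safe_field($request['fullname']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

These checks narrow what the script accepts; they do not change the fact that a web-facing process able to write /etc/passwd and /etc/shadow holds root-equivalent privilege.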
