Can anybody communicate with the operating system without the php server?

  • Fro

    Can anybody communicate with the operating system without the php server?

    Hi,

    I have a php-script which writes uploaded files into a directory. My
    php-script gives specific names to the saved files. I found in the
    directory a file which has a name which could not be given by the
    php-script. Could it be that somebody (who is not a user of the
    operating system) communicates with the operating system (creates
    files) without the usage of my php-script? Or is it impossible and I
    have to search for a mistake in my script?

    Thank you!
  • Mason Barge

    #2
    Re: Can anybody communicate with the operating system without the php server?


    "Fro" <showandbeshown@gmail.com> wrote in message
    news:c0cafc32-d170-4ff5-a48e-b751d514e47f@u69g2000hse.googlegroups.com...
    > Hi,
    >
    > I have a php-script which writes uploaded files into a directory. My
    > php-script gives specific names to the saved files. I found in the
    > directory a file which has a name which could not be given by the
    > php-script. Could it be that somebody (who is not a user of the
    > operating system) communicates with the operating system (creates
    > files) without the usage of my php-script? Or is it impossible and I
    > have to search for a mistake in my script?
    >
    > Thank you!

    Sure, they could hack your server, either just your personal account data or
    else the entire server. But it's 100 or 1000 times more likely that they
    breached security through a file upload, if you use a reputable third-party
    host.

    Comment

    • Fro

      #3
      Re: Can anybody communicate with the operating system without the php server?

      > Sure, they could hack your server, either just your personal account data or
      > else the entire server.

      You say that they can hack:
      1. My server.
      2. My personal account data.
      3. The entire server.
      What do you understand under "personal account data"? The operating
      system?

      To remove "ambiguity" I should say that I do not have "my personal
      server". I use a hosting which gives a php-server which has many
      users.

      > But it's 100 or 1000 times more likely that they
      > breached security through a file upload, if you use a reputable third-party
      > host.

      It is 100 or 1000 times more likely than what?

      Comment

      • Jerry Stuckle

        #4
        Re: Can anybody communicate with the operating system without the php server?

        Fro wrote:
        >> Sure, they could hack your server, either just your personal account data or
        >> else the entire server.
        >
        > You say that they can hack:
        > 1. My server.
        > 2. My personal account data.
        > 3. The entire server.
        > What do you understand under "personal account data"? The operating
        > system?
        >
        > To remove "ambiguity" I should say that I do not have "my personal
        > server". I use a hosting which gives a php-server which has many
        > users.
        >
        >> But it's 100 or 1000 times more likely that they
        >> breached security through a file upload, if you use a reputable third-party
        >> host.
        >
        > It is 100 or 1000 times more likely than what?

        I agree with Mason - it's much more likely your upload script has holes
        in it than someone hacked your server.

        Since you're using a shared host, it's remotely possible that they came
        in through another site on the same host. But that's unlikely, unless
        your hosting company has no idea what they're doing and other sites on
        the host are either hacker sites or don't know what they're doing. But
        any reputable host will prevent that from happening.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================

        Comment

        • Fro

          #5
          Re: Can anybody communicate with the operating system without the php server?

          >> Why do you continue to believe that "there is a 99% chance the problem
          >> is in my code"? I put some argumentation against this belief. Why do
          >> you just ignore it? Is there a mistake in my reasoning? If yes, just
          >> show me it.
          >
          > Because that's a fact.

          :) I can prove my fact and you cannot prove your fact (which seems to
          be a matter of belief). My proof is that the php-script writes to the
          directory as "nobody" (no matter whose script that is, mine or not).
          Since I made the directory writable for "nobody", any script can write
          to my directory (even if it is not mine). So, what is your
          argumentation?

          Comment

          • Fro

            #6
            Re: Can anybody communicate with the operating system without the php server?

            > I guess so.
            >
            > I think he needs to find a new line of work. Web development certainly
            > is not for him!

            I have proved that you are wrong! Could you find a mistake in my
            proof? Could you give me at least ONE counterargument (I ask for that
            already the third time!!!). Or the only thing you can do is to offend
            an opponent and refer to your irrational belief?

            Comment

            • Fro

              #7
              Re: Can anybody communicate with the operating system without the php server?

              So, Jerry, do you have something to answer on that?

              I have already told that "on my site" (on our server) there
              are many scripts which do not belong to me (because we have many
              users). I do not say that the script is executed on the client machine.
              The script is executed on the server (where my scripts are also executed),
              but the script is not written by me and it does not belong to me.

              Comment

              • Fro

                #8
                Re: Can anybody communicate with the operating system without the php server?

                > If your host has any security at all, other websites will not be able to
                > write into your directory. Only the files YOU upload will be able to
                > write there.

                Did you read carefully my previous post before you start to offend
                me??? In my previous post I gave you an answer from the host-support
                in which they prove that they have this problem!!! Why did you ignore
                this post? Or you think I misinterpreted the answer from the
                host-support??? If it is the case can you show me where I misunderstood the
                answer?

                Comment

                • Jerry Stuckle

                  #9
                  Re: Can anybody communicate with the operating system without the php server?

                  Fro wrote:
                  >> If your host has any security at all, other websites will not be able to
                  >> write into your directory. Only the files YOU upload will be able to
                  >> write there.
                  >
                  > Did you read carefully my previous post before you start to offend
                  > me??? In my previous post I gave you an answer from the host-support
                  > in which they prove that they have this problem!!! Why did you ignore
                  > this post? Or you think I misinterpreted the answer from the
                  > host-support??? If it is the case can you show me where I misunderstood the
                  > answer?

                  No, your host's answer does not say that at all.

                  Do everyone a favor. Find another line of work.

                  --
                  ==================
                  Remove the "x" from my email address
                  Jerry Stuckle
                  JDS Computer Training Corp.
                  jstucklex@attglobal.net
                  ==================

                  Comment

                  • Fro

                    #10
                    Re: Can anybody communicate with the operating system without the php server?

                    > No, your host's answer does not say that at all.
                    >
                    > Do everyone a favor. Find another line of work.

                    You continue to discuss in your stupid way: no arguments, no logical
                    reasoning, just postulates and attempts to offend your opponents. What
                    is your IQ?

                    Comment

                    • Jerry Stuckle

                      #11
                      Re: Can anybody communicate with the operating system without the php server?

                      Fro wrote:
                      >> No, your host's answer does not say that at all.
                      >>
                      >> Do everyone a favor. Find another line of work.
                      >
                      > You continue to discuss in your stupid way: no arguments, no logical
                      > reasoning, just postulates and attempts to offend your opponents. What
                      > is your IQ?

                      A hell of a lot higher than yours. I also have a hell of a lot more
                      programming experience than you do - and a hell of a lot more experience
                      with security issues than you do.

                      You asked your question. You got your answer. I can't help it if you're
                      too stupid to understand you are the most probable culprit here!

                      I'm through with you.

                      <plonk>

                      --
                      ==================
                      Remove the "x" from my email address
                      Jerry Stuckle
                      JDS Computer Training Corp.
                      jstucklex@attglobal.net
                      ==================

                      Comment

                      • Fro

                        #12
                        Re: Can anybody communicate with the operating system without the php server?

                        I just put in the google "Jerry Stuckle php" and click on the first
                        link :)


                        Comment

                        • Fro

                          #13
                          Re: Can anybody communicate with the operating system without the php server?

                          >> You continue to discuss in your stupid way: no arguments, no logical
                          >> reasoning, just postulates and attempts to offend your opponents. What
                          >> is your IQ?
                          >
                          > A hell of a lot higher than yours. I also have a hell of a lot more
                          > programming experience than you do - and a hell of a lot more experience
                          > with security issues than you do.

                          It is even worse for you. In spite of the fact that you have tens of
                          years of programming experience you cannot understand simple
                          things. But you are making progress. You finally understood that not
                          only my scripts can write to my directory! :)

                          Comment

                          • Anonymous

                            #14
                            Re: Can anybody communicate with the operating system without the php server?

                            I can't believe this discussion is still going on, even though the right
                            answers have been given right from the start.

                            Check out what Fro wrote:

                            <ae199ba7-5eba-4f00-aecd-d0bc73fd357f@u72g2000hsf.googlegroups.com>
                            > I made a directory to be writable for "nobody" (i.e.
                            > for those who communicate with the operating system via the php-server
                            > that I use).

                            <2cfb5d6b-4398-4486-ab75-4ef903030f4d@u69g2000hse.googlegroups.com>
                            > The answer I got:
                            > ----------------------------------------------------
                            > Yes, on servers where PHP runs as an Apache module
                            > and .php scripts run under the Apache user nobody
                            > this is possible. This is why setting 777 permissions
                            > is always a concern from a security standpoint.

                            And the right answer was given by Tim:

                            <pmncs3ljru5rkv1i95hsp8btr4a7g87tt5@4ax.com>
                            > It's certainly possible, but how would they have found your directory?

                            @Fro:

                            Setting 777 permissions is the same as leaving your door unlocked and
                            putting up a sign saying: "Invitation to everyone: Make yourself at
                            home! The door is unlocked and the alarm code is 12345." And when you
                            return home and find that someone has taken up your offer you go: "Who
                            ate from my plate? Who sat in my chair? Who slept in my bed?" and
                            complain to the person who built your house.

                            The real answer is: Don't set 777 permissions. Never ever. Because if
                            you do you allow your directory to be writable for everyone.

                            Bye!

                            Comment
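
The check implied by the posts above, as an added example that is not part of any poster's message: it reports directories that mode 777 leaves writable by every local account and files whose names the upload script could not have produced. The function names and `UPLOAD_PATTERN` are assumptions; substitute the naming scheme your own script uses.

```shell
#!/bin/sh
# Added example: audit an upload directory on a shared host.
# UPLOAD_PATTERN is an assumed naming scheme, not one taken from the thread.
UPLOAD_PATTERN='upload_[0-9]*.dat'

# Print every directory at or below $1 with the "other" write bit set.
# Mode 777 sets that bit, so any account on the host (including the shared
# Apache user "nobody" that runs every customer's PHP) can create files there.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Print files at or below $1 whose names do not match the upload script's
# naming scheme. On a mod_php host every script writes as "nobody", so the
# file owner cannot tell your script from a neighbour's; the name can.
unexpected_files() {
    find "$1" -type f ! -name "$UPLOAD_PATTERN" -print
}

# Print labelled findings; return 0 when the tree is clean, 1 otherwise.
audit_upload_dir() {
    findings=$(
        world_writable_dirs "$1" | sed 's/^/WORLD-WRITABLE-DIR /'
        unexpected_files "$1" | sed 's/^/UNEXPECTED-FILE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/uploads
if [ "$#" -gt 0 ]; then
    audit_upload_dir "$1"
fi
```

Each `UNEXPECTED-FILE` path can then be matched by modification time against the web server's access log to see which request, if any, created it.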

                            • Fro

                              #15
                              Re: Can anybody communicate with the operating system without the php server?

                              > The real answer is: Don't set 777 permissions. Never ever. Because if
                              > you do you allow your directory to be writable for everyone.

                              What then should I do? It is the only way I know to allow visitors of
                              my site to upload files. Do you know another way to reach the goal?

                              Comment
