Reply to Re: My rant about unix home directories

Posted by Sandman on 04/29/06 23:20

In article <Lc1146303849229750x9dadb4@localhost>,
nospam@geniegate.com (Jamie) wrote:

> <deletia>

I store all my db/passwd settings outside web server scope and require
them into my php scripts. You can't surf to these files.

But I was hacked nonetheless! Fact is that my community system allowed
for files to be uploaded to the web server through users' galleries,
web forums and such - and I didn't have a check if the file uploaded
was a PHP file. So one person uploaded a .php file as an "image" in
his gallery (so there never was any doubt who did it).

Then he surfed to this php file as he would have surfed to his image.
Only, it wasn't an image, it was a PHP script that listed files on the
hard drive, or posted the content of them.

Luckily, the web server process doesn't have read access to anything
outside its web server account, but it - obviously - has access to
these files outside of the document root, which he of course could
read, and did - and thus had complete access to my entire database
(through their custom php files, not through remote access to MySQL).
So he would upload custom php files that did all sorts of things with
my databases. Luckily, his motive was not to wreak havoc and he did more or
less benign - although very irritating - things like changing
everyone's account picture and so on.

I pressed charges, of course. Turns out he was a fifteen year old kid
and his parents got scared shitless. Hopefully he's learned a lesson.
The police didn't do anything more since I didn't want to take it any
further than to use them as intimidation.



--
Sandman[.net]
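The missing check Sandman describes is the classic unrestricted-file-upload flaw: the gallery accepted a .php file as an "image" and stored it somewhere the web server would execute it. The following PHP is an added example, not code from Sandman's site or from the original thread; it shows one way to validate and store gallery uploads so that a script can never be served as an image. The form field name `image`, the function names and the `$uploadDir` path are assumptions for illustration.

```php
<?php
// Added example (not Sandman's code): validate a user-uploaded "image" before storing it.
// Assumptions: the file arrives as $_FILES['image'] (hypothetical field name) and is
// written to a hypothetical $uploadDir that the web server can write to but where
// PHP execution is disabled (see the usage note below).
declare(strict_types=1);

// Returns [true, mime] when the upload looks like a real image, else [false, reason].
function validateImageUpload(array $file, int $maxBytes = 2 * 1024 * 1024): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > $maxBytes) {
        return [false, 'file too large'];
    }
    // Extension allowlist on the client-supplied name; the name is never reused for storage,
    // so "photo.php" or "photo.php.jpg" cannot end up on disk under that name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    if (!isset($allowed[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Sniff the real type from the bytes, not from the client's Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return [false, "content type $mime does not match extension .$ext"];
    }
    // The file must also parse as an image; a script with a fake extension fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        return [false, 'not a parseable image'];
    }
    return [true, $mime];
}

// Stores the upload under a server-chosen name; returns that name or null on rejection.
function storeImageUpload(array $file, string $uploadDir): ?string
{
    [$ok, $detail] = validateImageUpload($file);
    if (!$ok) {
        error_log("rejected upload '{$file['name']}': $detail");
        return null;
    }
    // Re-encode through GD so that anything that is not pixel data (for example PHP
    // tags appended after a valid image header) is discarded.
    $src = match ($detail) {
        'image/jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'image/png'  => imagecreatefrompng($file['tmp_name']),
        'image/gif'  => imagecreatefromgif($file['tmp_name']),
    };
    if ($src === false) {
        return null;
    }
    if ($detail === 'image/png') {
        imagealphablending($src, false);
        imagesavealpha($src, true);      // keep PNG transparency through the re-encode
    }
    // Random name with a fixed, non-executable extension; the client name never reaches disk.
    $ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$detail];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $written = match ($detail) {
        'image/jpeg' => imagejpeg($src, $dest, 90),
        'image/png'  => imagepng($src, $dest),
        'image/gif'  => imagegif($src, $dest),
    };
    imagedestroy($src);
    return $written ? $name : null;
}

// Usage (assumed form field name 'image' and upload directory):
// $stored = storeImageUpload($_FILES['image'], '/var/www/uploads');
```

The validation is layered on purpose: the extension allowlist, the `finfo` sniff and `getimagesize()` each reject a different disguise, and the GD re-encode removes payloads hidden inside an otherwise valid image (at the cost of stripping metadata and GIF animation). The last layer is the one Sandman's incident really needed: even if a .php file slipped past every check, it must not be executable where it lands. With mod_php that is a `<Directory>` block for the upload directory containing `php_admin_flag engine off`, and the directory should sit outside the document root and be served through a script or an alias that sends only static files.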
