Re: [Sheflug] PHP and Plusnet
On Tue, 2003-11-11 at 18:17, Ashe wrote:
> I found out something interesting about the cgi webspace servers that
> plusnet uses to allow its customers to have php access. It seems that
> the way it's configured means that all users on the system are in the
> same group, the upshot of this is that it's perfectly possible to go
> into another user's webspace, and grab any sql server password/other
> interesting hidden goodies. Now, maybe I'm naive, and they quite
> possibly have good reasons to set it up the way it is, but I think
> that's a dreadful bit of system configuration.
Hehehe, I think you'll find others have been here before:
http://www.alexhudson.com/documents/plusnet-cgi-faq
http://www.alexhudson.com/documents/plusnet-cgi-faq/password-security
(Short story: even with this bizarre configuration, you can make stuff
secure. But it butt uglee).
> Any ideas why they'd pull a stunt like that? Anybody heard of any
> other ISPs using a similar setup?
I haven't heard of similar personally, and have never seen similar.
But what the hey, I'm moving ISP soon enough anyway. Any of the usual
suspects will give you something less brane-damaged. I've certainly
recommended people away from them recently, but that's just my personal
opinion.
Cheers,
Alex.
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
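
An added example, not part of the original message or the linked FAQ: a Python audit of your own webspace for permission bits that expose files when, as the quoted post describes, every customer account shares one group. The directory names, file names and modes in the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# When every customer account is in one group, the group bits apply to
# every other customer on the server, so they are as exposed as "other".
RISKY_BITS = {
    stat.S_IRGRP: "group-read",
    stat.S_IWGRP: "group-write",
    stat.S_IXGRP: "group-exec",
    stat.S_IROTH: "other-read",
    stat.S_IWOTH: "other-write",
    stat.S_IXOTH: "other-exec",
}

def audit_webspace(root):
    """Map each path under root (relative) to (octal mode, risky bits set)."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            mode = stat.S_IMODE(st.st_mode)
            hits = [label for bit, label in RISKY_BITS.items() if mode & bit]
            if hits:
                findings[os.path.relpath(path, root)] = (oct(mode), hits)
    return findings

def build_sample(root):
    """Create a constructed sample webspace (names and modes are made up)."""
    layout = [("cgi-bin", 0o750, None), ("private", 0o700, None),
              ("index.html", 0o644, "<html></html>\n"),
              (os.path.join("cgi-bin", "config.inc"), 0o640, "db_pass=EXAMPLE\n"),
              (os.path.join("private", "db.inc"), 0o600, "db_pass=EXAMPLE\n")]
    for rel, mode, content in layout:
        path = os.path.join(root, rel)
        if content is None:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write(content)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample(webroot)
        for rel, (mode, hits) in sorted(audit_webspace(webroot).items()):
            print(f"{mode}  {rel}: {', '.join(hits)}")
```

Whether a flagged file can be tightened to owner-only depends on which account the host's web server and CGI wrapper run as, which this message does not state.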