Windows and PHP
I'm writing a script to rename files; it's a batch renaming script, since I usually rename large amounts of files. With this script I found a rather curious flaw or something. I'm not sure if this holds true for every platform or not, but I found this in Windows.
My dad protected a directory from everyone but himself when he's logged on. In Explorer I can't open the folder no matter how I try. With this script, which is INCREDIBLY simple right now, I can open it no problem. I can most likely read the files and get what may be private data. I don't know if this has been talked about before, I'm sure it has, but I thought I'd bring it up.
[James Logsdon]
Mark Hensler posted this at 03:06 — 8th January 2004.
Thank you, Billy G.
druagord posted this at 16:39 — 9th January 2004.
This is probably because on Windows PHP runs as the webserver user IUSR_machinename, which gets more rights than your user.
m3rajk posted this at 17:19 — 13th January 2004.
another diff between windows and operating systems done right:
user privileges
you just exploited a problem with windows user privileges. what os? if you use a wnt (vms anyone?) base i'll be more surprised than 95/98/me
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
druagord posted this at 17:22 — 13th January 2004.
It can't be one of those 95/98/me since they don't support any kind of user privilege
necrotic posted this at 02:14 — 17th January 2004.
It's Windows 2000 (NT based).
m3rajk posted this at 02:56 — 18th January 2004.
95/98/me supports multiple users. i thought it merely locked the naming/editing to the creator unless otherwise told to.
the guy that made vms was contracted to help out in wnt. that's why it was given wnt before they came up with the words for the acronym. i figured it'd be better because of that.
apparently it's better with user privileges but doesn't quite do that right. i know on *nix if it's called from your user it's you, but from the webserver (go to it through a browser) it operates as the webserver (and subsequently, would theoretically be possible to have the same effect if you're not careful... i haven't tested it so i don't know for sure)
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
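Added example, not code from any post in this thread: a small PHP diagnostic for auditing the situation discussed above, where a script served by the web server runs under the server's account rather than the logged-in user's. The function names and the paths in `$pathsToCheck` are assumptions made for illustration; replace the paths with directories you administer.

```php
<?php
// Audit helper (added example). Run it once from the command line and once
// through the web server, then compare the two reports.

// Name of the account this PHP process is running as.
function process_account(): string
{
    // POSIX systems: the effective UID is authoritative.
    if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
        $info = posix_getpwuid(posix_geteuid());
        return $info !== false ? $info['name'] : (string) posix_geteuid();
    }
    // Windows has no posix extension; fall back to the process environment.
    $name = getenv('USERNAME');
    return $name !== false ? $name : 'unknown';
}

// What this process can do with each path.
function access_report(array $paths): array
{
    $report = [];
    foreach ($paths as $path) {
        clearstatcache(true, $path);
        $report[$path] = [
            'readable' => is_readable($path),
            'writable' => is_writable($path),
            // is_readable() is only a hint; actually listing the directory
            // is the definitive test of what the account can reach.
            'listable' => is_dir($path) && @scandir($path) !== false,
        ];
    }
    return $report;
}

// Constructed sample paths (placeholders, not taken from the thread).
$pathsToCheck = [sys_get_temp_dir(), 'C:/example/protected-folder'];

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo 'SAPI: ', PHP_SAPI, "\n";
echo 'Running as: ', process_account(), "\n";
foreach (access_report($pathsToCheck) as $path => $flags) {
    echo $path, ' => ', json_encode($flags), "\n";
}
```

If the web report shows a directory as listable that should be private, tighten that directory's permissions for the web server account or run the server under a less privileged account.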