[phorm] [Phorm:] Re: Security Hole

  • From: webbbs@xxxxxxxxx
  • To: support@xxxxxxxxx
  • Date: 3 Mar 2004 13:29:05 -0000

The following new message has been posted on Phorm Support Forum at 
<http://www.phorm.com/support/>. 

*************************************************************************** 

  MESSAGE:  (#3796) Re: Security Hole 
            <http://www.phorm.com/support/?rev=3796> 
  AUTHOR:   Holotech 
  DATE:     March 3, 2004 at 8:29 a.m. EST 

  Reply To: (#3793) Security Hole 
  Author:   superwebgirl 
  Date:     March 2, 2004 at 8:31 a.m. EST 

> I am by NO MEANS an expert in this area, but I did 
> notice that if you do not put an "index.html" file in 
> each of the directories, they are vulnerable to being 
> downloaded. 

I wouldn't really call this a security hole. All it does is allow someone to 
see what files are there, via a browser. All the files and directories there 
need to be accessible to Phorm, which means that you either have the 
permissions open (in which case you shouldn't have any sensitive information 
in any viewable files such as text logs; PHP files are not viewable), or you 
are running Phorm under your user ID, and the file permissions are closed 
(ideal scene). 

Of course, if you have directory permissions open, an index.html file won't 
stop someone else on your server from viewing their contents, and if you have 
file permissions open, all files are viewable to others on your server 
(assuming you're on a shared server). 

Someone viewing your plugins directory can see what plugins you have 
installed, but all plugins are designed to run only when called from Phorm. 

I think I will expand the "Security Considerations" section of the 
documentation with the next release. 

*************************************************************************** 
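The distinction drawn in the reply above (a missing index file versus open file and directory permissions) can be checked separately for each path. The following audit script is an added example, not part of the original post or of Phorm; the index file names, the sample layout, and the file names `mailer.php` and `form.log` are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed index file names


def audit_tree(root):
    """Report, per path, the separate conditions the post distinguishes:
    no index file (web listing) vs. mode bits open to other local users."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if not any(name in files for name in INDEX_NAMES):
            findings.append((rel, "no-index"))
        # The read bit for "other" lets any local account list the directory,
        # whether or not an index file is present.
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IROTH:
            findings.append((rel, "dir-listable-by-others"))
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            relf = os.path.normpath(os.path.join(rel, name))
            if mode & stat.S_IWOTH:
                findings.append((relf, "world-writable"))
            elif mode & stat.S_IROTH:
                findings.append((relf, "world-readable"))
    return sorted(findings)


def build_sample(root):
    """Constructed layout for the demo; file names are hypothetical."""
    layout = {
        ".": (0o711, {"index.html": 0o644}),
        "plugins": (0o700, {"mailer.php": 0o600}),  # closed, but no index
        "logs": (0o755, {"index.html": 0o644, "form.log": 0o666}),  # index, open
    }
    for sub, (dmode, files) in layout.items():
        d = os.path.normpath(os.path.join(root, sub))
        os.makedirs(d, exist_ok=True)
        for name, fmode in files.items():
            open(os.path.join(d, name), "w").close()
            os.chmod(os.path.join(d, name), fmode)
        os.chmod(d, dmode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, issue in audit_tree(tmp):
            print(f"{issue:24} {path}")
```

In the sample, `logs` has an index file yet is still reported as listable by other local accounts, while `plugins` has closed permissions and is reported only for the missing index.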
