
Security hole

Hi,
I have discovered a security hole, I think:

If I create a symlink in fileman's managed catalog, for example this way:
ln -s / link_to_root
Then the root catalog will be accessible via fileman and I will be able to surf all of the server's hard drive!

Maybe you have to disable symlink processing?

Regards,
Artyom
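
Added example, not part of the original thread and not FileMan's own code: one way a web file manager can refuse requests whose symlinks resolve outside its managed directory, shown in Python. The names resolve_within, OutsideRoot and demo, and the sample files, are assumptions constructed for illustration.

```python
import os
import tempfile


class OutsideRoot(Exception):
    """The requested path resolves to a location outside the managed root."""


def resolve_within(root, requested):
    """Return the real path of `requested` (taken relative to `root`).

    Symlinks and '..' components are resolved first; if the result is not
    inside `root`, OutsideRoot is raised instead of returning a path.
    """
    real_root = os.path.realpath(root)
    # Strip leading slashes so an "absolute" request cannot replace the root.
    candidate = os.path.realpath(os.path.join(real_root, requested.lstrip("/")))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise OutsideRoot(requested)
    return candidate


def demo():
    """Build a constructed managed directory and classify sample requests."""
    results = {}
    with tempfile.TemporaryDirectory() as managed:
        with open(os.path.join(managed, "notes.txt"), "w") as fh:
            fh.write("sample\n")
        # Same link as in the post above: ln -s / link_to_root
        os.symlink("/", os.path.join(managed, "link_to_root"))
        # A symlink that stays inside the managed directory is still usable.
        os.symlink("notes.txt", os.path.join(managed, "alias.txt"))
        for req in ("notes.txt", "alias.txt", "/notes.txt",
                    "link_to_root", "link_to_root/etc", "../elsewhere"):
            try:
                resolve_within(managed, req)
                results[req] = "allowed"
            except OutsideRoot:
                results[req] = "refused"
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request}")
```

A check like this only limits which paths the file manager will serve; the process still runs with whatever account the web server uses. A user who can change the tree between the check and the file open can also race it, so the resolved path should be the one actually opened.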


Re: Security hole
Can you show or teach me how to do as you say?
I want to try it.
Can you show or teach me?
Mail me (louts@taiwan.com) and teach me, thanks!

Re: Security hole
Hi,

If you have access to create that symlink then you can view the data already? Or am I missing something?

Cheers,

Alex

--
Gossamer Threads Inc.

Re: Security hole
Yes, I can view.
But the problem is that with fileman I can view data not under my account, but under the account that the web server is running as.
So, I can view and EDIT data that I have no access to under my real account.
For example, I can edit web-server's logs and other data generated by web-server scripts.

Regards,
Artyom.

Re: Security hole
Yes, but this isn't a problem with FileMan, this is a problem with how the web server is set up. If you have access to create cgi scripts that run as the webserver, then you effectively have the same rights as the webserver.

For instance, if I can create a cgi script, I could do:

#!/bin/sh
rm /path/to/web/serv/log

and run that and it would erase the web server logs. There is nothing special that FileMan is doing.

Your ISP should consider using CGIwrap or suEXEC, which run your cgi programs as your own user. Under that environment, FileMan would not give you any extra access.

Does that make sense?

Cheers,

Alex

--
Gossamer Threads Inc.

Re: Security hole
Yes, it makes sense, I think. I have not thought about suEXEC.

BTW, is it possible to configure Fileman to have access only to writeable catalogs?

Regards,
Artyom.