PHP Classes

This system is really dangerous!

Recommend this page to a friend!

      NewWay PHP File Manager  >  All threads  >  This system is really dangerous!  >  (Un) Subscribe thread alerts  
Subject:This system is really dangerous!
Summary:you give root access to a file system
Messages:6
Author:Dwaine Halberg
Date:2017-10-10 00:58:56
 

  1. This system is really dangerous!   Reply   Report abuse  
Picture of Dwaine Halberg Dwaine Halberg - 2017-10-10 00:58:56
The idea you have is good, but the implementation is very risky to someones file system. A hacker can easily get by your security and wipe the system from the host computer. It's important to always separate code from userland. Use includes and have 1 header/footer/menu system throughout the application so you are not resending headers all over the place, and your security is being send/read from 1 central point what you have tricky and error prone on un-familiar systems. NEVER TRUST USER INPUT you do every minimal if any input checks on your forms, find a validation class or use the jquery validator to make sure you get the info you expect. Separate all your classes into a central location and autoload, class method should return true/false or data, not html formatted messages, put those in your language file and call them as needed. All formatting of data is done in your outputs file (templates). Last don't use distro names, call it unix or windows to accommodate the differences if needed and limit the file management usage to site specific folders not linux or windows systems folders. Good luck and code safely!

  2. Re: This system is really dangerous!   Reply   Report abuse  
Picture of naveen naveen - 2017-10-12 10:49:20 - In reply to message 1 from Dwaine Halberg
thanks for your concern on this issue, it would be really helpful at which point the hacker can breach the security of this system.
To add to this reply
1. I am already building a template system to separate PHP and html contents
I m very interested to know where my system can be break down by a hacker, can you make a issue on github, it would really improve the quality of this software

Thanks,
Naveen

  3. Re: This system is really dangerous!   Reply   Report abuse  
Picture of Dwaine Halberg Dwaine Halberg - 2017-10-12 14:35:06 - In reply to message 2 from naveen
what if your file uploads do not contain htmlentities, instead are viruses, limit file types. What if someone puts in a command like: mkfs -t filetype /dev/DEVICE, filter commands. Here's two examples.

  4. Re: This system is really dangerous!   Reply   Report abuse  
Picture of naveen naveen - 2017-10-12 23:37:00 - In reply to message 3 from Dwaine Halberg
Im worried that it is not a multi user software, every operation requires login from aadmin{is there any action of the above mentoned can be performed without that?), i have designed this software with intention that one should have full control over their server via this software,only a single user can manage their files, then could they intend to upload a virus to their own server?
Can anyone upload files without logging in?
Thanks,
Naveen

  5. Re: This system is really dangerous!   Reply   Report abuse  
Picture of Dwaine Halberg Dwaine Halberg - 2017-10-13 02:50:03 - In reply to message 4 from naveen
if for some reason someone gains unauthorized access or get's someones password and logs in, it could easily happen plan for it!, in general limit access to the file system of the user, not the whole system. Let sftp or ssh handle that, these files are on a webserver and anything can happen.
Here's what I was looking for when I noticed your filemanager, for my cms I use some filemanager like elfinder, it's ok but integration with the rest of the php is difficult, so what I had thought your system would do being pure php is be better able to integrate. A common type template with the ability to hook to my site security to authenticate a user. If you show the directory tree of the site and integrate editing in like codemirror so the user can edit their templates & css files, as well make a common files directory for uploading, this is very attractive, maybe a little different direction than you planned, check out ezfilemanager, good but again not good enough. If you can make this more php type file manager I thinkit could be quite usefull for many people who don't build wordpress sites like me, create it with hooks for all the popular frameworks, fatfree, larvel, cakephp and etc..

  6. Re: This system is really dangerous!   Reply   Report abuse  
Picture of naveen naveen - 2017-10-13 03:17:52 - In reply to message 5 from Dwaine Halberg
hey,
Can you make a issue here
github.com/naveen17797/newway-filem ...
We would consider about restricting file types and restrict the harmful actions done by user
The main reason behind the project is i got frustrated with the file managers of hosting companies.So i build this thing which will give full access to the admin, so that he can execute his actions with authenciation.
On creation of this thread i thought there is some bug in login system, now i have understood your issue, we will make a new branch in near by future
ABOUT TEMPLATING SYSTEM it will be established soon,
Thanks,
naveen

 
For more information send a message to info at phpclasses dot org.