Re: write with cURL
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Fri, 27 Feb 2009 18:03:02 -0500
Tim Greer wrote:
Tim Greer wrote:
Tim Greer wrote:
Jerry Stuckle wrote:
Also, please don't avoid this by setting some unreasonably high price
...
an account on my server. Plus, in order to do it,...
I'd have to set up an entire website for you, etc. I'm not about to
do it.
Now if you were a paying client, I would do so.
You can email me - my (munged) address is in my sig....
As I said - you've got my email address. Now show me how to do it....
My (munged) email address is in the sig of every post. The fact you...
are making excuses and didn't send me an email shows you can't do
it.
Become a paying client and I'll set it up for you....
Become a paying client and I'll give you an account on my system.
Email sent Fri, 27 Feb 2009 14:26:43 -0500 (11:26 PST).
Dear Jerry Stuckle,
Regarding the usenet thread where you've agreed to allow me to prove
that your PHP setup is potentially not secure from users reading
each other's files using PHP, you've stated that I would have to pay
for an account.
This is fine. Please let me know the price for your lowest priced
shared hosting account and I will promptly remit payment. Please
also let me know the methods of payment available (such as paypal, or
a merchant interface).
By accepting this, you agree that I am allowed to test the security
of your PHP install, and not cause any damages or access any data
that would be against state or federal laws, and that this is simply
to illustrate that your PHP setup would allow one user on one account
to use PHP to access a file readable by the web server's user/group
on another, separate account.
Therefore, if you can ensure that you have some test setup with a
temporary user or your own, and not for one of your normal shared
hosting users, that would be best. I remind you that I'm not
interested in accessing any other data or doing anything malicious on
your server, but to example how your PHP setup is not as secure as
you believe it to be.
Thank you,
Tim Greer
Be assured that I will not post any of the account information or the
information regarding the server name, login, or IP publicly. This
is just a copy of what I have emailed to you.
for your lowest hosting plan, acting like you have to charge some high
premium because your services are "so specialized", when this is just a
very basic shared hosting account. I'm willing to do my part and
actually pay to show you, so don't try and avoid this because I called
your bluff. There's no reason why you can't have me show you, even if
you've actually said you needed to charge me to host the account, just
to prove what I'm saying to you.
I pretty much called this one 100%, word for word. With no replies at
all, I searched google for his site and didn't find one, but found
Jerry's phone number and called and talked to him for a little bit
(obviously caught him off guard. We had a civil conversation, unlikely
on usenet). No reply to my email at any point, by the way.
Basically, he said he doesn't do hosting, and that he only does
development and would have to charge me for site development and
hosting, because that's how he makes his money. I explained he's not
selling me the service, and how much would he charge me to just set up
an account (nothing more, just need him to run adduser in shell and
then add me to log in over FTP), since he said I'd have to pay for his
time.
He explained he only does full site development, wouldn't budge on the
matter and after asking a few times specifically about his lowest site
development costs, he finally gave me an amount ($200 (two-hundred
dollars)), stating that he doesn't have an automated system to set up
the accounts and that this is how he makes his money.
Apparently the difference of setting me up with an account and to show
him an example for 5 minutes, is going to cost at least $200. I
personally am sure he doesn't feel comfortable giving an account on his
server to someone he's argued with on usenet, and I can understand
that, but he says his system is secure, that wasn't his concern (okay,
then). I gave a very rough example about how this can be done, though
I didn't go into detail (I explained it's difficult to outline, which
is why I wanted to show him). He said he didn't think it would work,
but he didn't try it either. So, we're at a standstill.
I am unwilling to spend $200 just to show him what I mean, which will
work (I know people that use the same type of setups, thinking they can
get around the security issues). He can insist he can and I can insist
he cannot, but without a reasonable means to prove it, it once again
falls back to an argument on usenet, which is pointless. I've made
every effort to show proof, but I guess it's easier to argue with
people on usenet when one can't be proven wrong. So be it. I welcome
anyone curious that uses a similar setup to allow me to show them, if
they want, simply because it's important for people to know what is
truly completely secure or not, and I don't think any user with an SSI
or PHP script (or other) being able to read another user's script as
being secure (and that is what it comes down to).
I didn't deny Jerry's method is better than world write, and I didn't
suggest world write was a good idea (I only told the OP that this is
one of the only ways they can write to a file on the host they are
using, but suggested it's a bad idea and to use another method). It's
as simple as that, and I'm not able to prove it, because in the end,
Jerry wasn't willing to allow me to on his system, even after saying so
(he avoided it by demanding an unreasonable $200 fee so I could show
him something that takes a whole 5 minutes from setup to example). It
is for the benefit of everyone to know what is going to actually work
or not, but oh well. I think I've proven my point here, and the likely
follow ups claiming otherwise or that the Apache group method is
actually secure and continue to argue about it (and not allow me to
prove otherwise) will unlikely convince anyone. My offer remains (for
a reasonable price).
I can appreciate the method Jerry uses is better than not, and I only
posted to defend myself from accusations accusing me of somehow saying
world write was a good idea, or that his method is just as secure as the
one I suggested would be best (because it's not). It comes down to
some pretty basic things about how Apache works (and needs to work)
that can be exploited (and this is completely separate of any PHP
settings one can try). While explaining just one very simple aspect
and method (there are many) to Jerry, it became clear he didn't
understand what I meant or how this security threat existed. It's not
that I didn't realize it was a waste of time, since arguing on usenet
is as well, when someone refuses to listen, but I knew in the end that
he'd avoid facing being exposed, thereby removing all credibility to
his arrogant claims about how he knows what he's doing and no one else
does.
Instead of simply discussing this, he went on the attack, so I replied
and invited a way to prove it on both systems. It's too bad when
people are that concerned about being wrong, that they are unwilling to
learn something, especially when that knowledge helps better protect
their own clients (and dare to suggest I was being reckless for simply
suggesting to the OP that he'll need world write permissions on HIS
current host, even after warning the OP it's not a good thing/risky
using such permissions). Why go on the attack, if you are going to go
to extremes to avoid facing the issue? In the future, a different and
civil attitude asking how it would work/what someone means (even if you
don't believe it), is far better than accepting or offering your own
challenge for them to prove it, and then say "well, I'll need at least
$200 to set up an account for you, because I do development". So? This isn't a development issue, it's about how much to get you to take
2 minutes to set up the account. I'd have more respect for someone
that just said they're not going to allow some usenet poster they don't
like to have a physical account on their server or say they don't feel
comfortable about it. There's worse things in the world than being
wrong, but there's no reason to be so aggressive about your arguing
methods that you force someone to put you in a situation where you're
worried about embarrassing yourself. I don't even know what more I can
say, but I do appreciate that we could speak on the phone in a civil
manner (perhaps if we did originally, this would never have escalated). Oh well, I tried.
Sorry, I'm not on usenet or email 24/7. I do do work, you know, and don't always respond immediately. As a matter of fact, I was working on a response when you called.
Yes, I do site development. And as I explained to you, I do custom development - including custom web server setup. It means I do everything manually - I have no automated process (it's not worth the time and effort to automate for the few I do).
And no, my time is the only thing I have to sell, and I'm not going to spend the time manually setting up a site without getting paid, and it's not a $3.95 bargain basement account.
And yes, I do control who has access to my servers. With my customers I have a contract, and if they do anything to harm the servers, I have legal redress. Not that any of them would - I pick my customers carefully, also, and don't let just anyone on the servers.
And yes, I understand what you explained to me on the phone. But the first step requires access the users don't have - so the rest of it is immaterial.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
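As an added defensive audit, not code from this thread or from either poster: it lists, per hosting account, the files that the shared web-server identity can read. Where every account's PHP runs as that one identity, each listed file is readable from any other account's script, including files protected only by the "Apache group" 640 method discussed above. The web-server uid/gid of 33, the account names and the sample file records are constructed assumptions.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class FileRecord:
    path: str
    account: str   # hosting account the file belongs to
    uid: int
    gid: int
    mode: int      # permission bits only, e.g. 0o640

def readable_by(rec, uid, gid):
    """Unix read check for a process running as uid/gid (parent-directory
    execute bits are not modelled, so a 'no' here is provisional)."""
    if rec.uid == uid:
        return bool(rec.mode & stat.S_IRUSR)
    if rec.gid == gid:
        return bool(rec.mode & stat.S_IRGRP)
    return bool(rec.mode & stat.S_IROTH)

def cross_account_exposure(records, web_uid, web_gid):
    """Files readable by the web-server identity, grouped by account. When
    every account's PHP runs as that identity, each is readable cross-account."""
    exposed = {}
    for rec in records:
        if readable_by(rec, web_uid, web_gid):
            exposed.setdefault(rec.account, []).append(rec.path)
    return exposed

def records_from_disk(root):
    """Build FileRecords from a real tree such as /home; the account is the
    first path component below root."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                acct = os.path.relpath(p, root).split(os.sep)[0]
                out.append(FileRecord(p, acct, st.st_uid, st.st_gid,
                                      stat.S_IMODE(st.st_mode)))
    return out

# Constructed sample records; web server running as uid/gid 33 is an assumption.
WEB_UID, WEB_GID = 33, 33
SAMPLE = [
    FileRecord("/home/alice/public_html/config.php", "alice", 1001, 33, 0o640),  # user:www-data 640: exposed
    FileRecord("/home/bob/public_html/db.inc", "bob", 1002, 1002, 0o644),        # world-readable: exposed
    FileRecord("/home/bob/public_html/private.key", "bob", 1002, 1002, 0o600),   # owner-only: not exposed
    FileRecord("/home/carol/public_html/index.php", "carol", 1003, 1003, 0o640), # group carol: not exposed
]
```

On a real host, feed `records_from_disk("/home")` to `cross_account_exposure` with the uid/gid the web server actually runs as; an empty result for every account other than the one being served is what a per-account PHP identity (suEXEC/suPHP-style) should produce.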