Friday shitlist: PHPShell

I can’t decide which should be on my shit list: PHPShell or the staff member who installed it in his account with public access.

I suppose you should blame the users, not the technology, right? Kind of a cool utility if you have no regard for security. Unfortunately, someone was using it to launch a DOS attack on a gaming server.

2 thoughts on “Friday shitlist: PHPShell”

  1. I’m sorry to hear your problems… But as the author of PHP Shell, I would of course say that you should blame whoever installed it on your server :-)

    Or better yet: blame the one who installed PHP so that different users can interfere with each other so easily. Having a webserver running several virtual hosts as the same unprivileged user (“nobody” or similar) is rather fragile since the mistake of user A can cause lots of trouble for user B. Having the PHP scripts run as different users gives better security by limiting the amount of trouble that user A can make to his or hers own files.

    Anyway, I hope you were able to get the server back up quickly.

  2. Yeah – judging by the comments on your site, you’ve gotten a lot of flack for writing this utility. I suppose I should have included myself on the shit list since I’m the one who installed php. I can’t wait until the guy who installed it gets back from vacation, I’m going to give him so much shit for not just using SSH.

Comments are closed.