Koozali.org: home of the SME Server

phpSysInfo

mongolito404

phpSysInfo
« on: February 08, 2002, 12:55:44 PM »
Hi,
I'm trying to use phpSysInfo (phpsysinfo.sourceforge.net) on my SME server 5.1.
As I find it insecure to allow anybody to view my server info, I want to put phpSysInfo in an ibay.
But when I put phpSysInfo in an ibay (let's say a phpSysinfo ibay) it doesn't work properly. It only shows the information it gets from command-line programs (df and show) and none of what I suppose it gets from /proc (info on CPU, PCI, ...). But if I put it under my primary/html it works fine.
Does anyone have an idea?

mongolito404

fixed
« Reply #1 on: February 08, 2002, 01:10:13 PM »
Oops, it seems that I don't read the forum before posting.
I've found the solution.
As many should guess it's related to the phpBaseDir stuff...
So I did a
/sbin/e-smith/db accounts setprop fool PHPBaseDir /home/e-smith/files/ibays/fool/:/proc
where fool is the ibay where phpSysInfo is.
And, without any surprise, it works (after signal-event).

I just wanna know, is setting the /proc on my phpbasedir a security hole?

Luke Drumm

Re: phpSysInfo
« Reply #2 on: February 09, 2002, 12:10:40 AM »
As the script in question lives in a publicly inaccessible IBay and doesn't process any user-supplied input (AFAIK), I think you're about as safe as you're going to get, irrespective of the proc permissions.  :)

Based on pure hearsay and rumour, the proc stuff seems to be mostly output-based streams, so while somebody could use it to fiddle with your stats, I'm not sure if it's going to get them root access.

Regards,
Luke
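
Added example (not from the thread, phpSysInfo or SME Server): a small Python lint for the PHPBaseDir value set in Reply #1, showing what the extra /proc entry widens. It assumes PHPBaseDir is a colon-separated open_basedir list and that the PHP of that era compared entries as plain string prefixes unless they end in a slash; the function names and the /procfoo/x path are constructed for illustration.

```python
import posixpath

def audit_basedir(value, ibay_root):
    """Flag each colon-separated PHPBaseDir entry that widens the sandbox."""
    root = posixpath.normpath(ibay_root) + "/"
    report = {}
    for raw in filter(None, value.split(":")):
        norm = posixpath.normpath(raw)
        findings = []
        if not (norm + "/").startswith(root):
            findings.append("outside-ibay")   # reaches beyond the ibay's own files
        if not raw.endswith("/"):
            findings.append("prefix-match")   # assumed older PHP: "/proc" also matches "/procX"
        if norm == "/proc" or norm.startswith("/proc/"):
            findings.append("procfs")         # kernel and per-process data become readable
        report[raw] = findings
    return report

def legacy_allows(path, value):
    """Simplified model of the older prefix comparison (no symlink resolution)."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(entry) for entry in value.split(":") if entry)

# Value taken from Reply #1; IBAY_ROOT is the ibay directory named in that value.
FROM_THREAD = "/home/e-smith/files/ibays/fool/:/proc"
IBAY_ROOT = "/home/e-smith/files/ibays/fool"

if __name__ == "__main__":
    for entry, findings in audit_basedir(FROM_THREAD, IBAY_ROOT).items():
        print(entry, "->", ", ".join(findings) or "ok")
    # Constructed sample paths to show what the list admits.
    for path in ("/proc/cpuinfo", "/procfoo/x", "/etc/passwd",
                 "/home/e-smith/files/ibays/fool2/x"):
        print(path, "allowed" if legacy_allows(path, FROM_THREAD) else "denied")
```

Writing the entry as /proc/ with a trailing slash removes the prefix-match finding; the outside-ibay and procfs findings remain, since any PHP script placed in that ibay can then read everything under /proc that the web server user can.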