folderblog
What is folderblog?
Folderblog is a free PHP script that automatically displays the images placed in a given directory, no database needed. It can be used as a blog or gallery — and anything in between.


Discussion
A note on posting PHP errors
It's a small thing, but something worth mentioning all the same. When you post error messages here, you might want to not include the full absolute path to the file that caused the error, but rather just the file name and line number (which is all that really matters).

For example, rather than something like this:

/home/virtual/public_html/htdocs/fb.php on line 47

Just post this:

fb.php, line 47

Announcing to the world what your server's directory structure is like is giving potential hackers a mine of useful information, which doesn't just affect you but other clients of whatever shared hosting company you're using.

Nothing is hack proof, but making it easier for hackers isn't cool, and making this site a repository of hacker-useful information on a wide range of hosts probably isn't a good idea either.
posted by Elwing on 22 Aug 05 at 7:04 AM
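The post above is about what you paste into a forum, but the same leak happens on the live site whenever PHP prints its default error text to the browser. The following is an added example, not folderblog's own code, of keeping the absolute path out of anything a visitor sees: full detail goes to a server-side log, the browser gets only the file name and line, and a small helper rewrites an already-captured message into the "fb.php, line 47" form before posting. The log location and the function names are assumptions for the example.

```php
<?php
// Added example (not part of folderblog). Shows two things:
//  1. fb_redact_message(): rewrite an error string so it names only the
//     file and line, e.g. "/home/.../htdocs/fb.php on line 47" -> "fb.php, line 47"
//  2. an error handler that logs the full path server-side but shows
//     visitors only the redacted form.
//
// Assumptions: the log file path below is writable by the web server user;
// in production you would also set display_errors=Off in php.ini or via
// ".htaccess" ("php_flag display_errors off") so PHP's default output,
// which includes the absolute path, is never sent to the browser.

ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/fb-error.log');   // assumed location

/**
 * Replace "/abs/path/to/file.php on line N" with "file.php, line N".
 * Safe to run on a whole pasted error message; anything that does not
 * match the pattern is left untouched.
 */
function fb_redact_message(string $msg): string
{
    return preg_replace(
        '~(?:/[^/\s]+)+/([^/\s]+) on line (\d+)~',
        '$1, line $2',
        $msg
    );
}

/**
 * Error handler: full path to the log, basename-only to the screen.
 * Returning true stops PHP from printing its own (path-revealing) message.
 */
function fb_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Server-side log keeps everything, including the absolute path.
    error_log(sprintf('[%d] %s in %s on line %d', $errno, $errstr, $errfile, $errline));

    // What the visitor sees (and what would later be pasted into a forum).
    $visible = sprintf('Error: %s (%s, line %d)', $errstr, basename($errfile), $errline);
    echo htmlspecialchars($visible, ENT_QUOTES, 'UTF-8'), "\n";
    return true;
}

set_error_handler('fb_error_handler');

// Demonstration of the helper on the message quoted in the post.
echo fb_redact_message('Warning: include(): failed in /home/virtual/public_html/htdocs/fb.php on line 47'), "\n";
// -> Warning: include(): failed in fb.php, line 47

// Demonstration of the handler: visitors see "(this-file.php, line N)", never /home/....
trigger_error('demo warning', E_USER_WARNING);
```

Note that `E_ERROR` (fatal errors) bypasses `set_error_handler()`, so the `display_errors=Off` setting is what protects you there; the handler covers warnings and notices, which are what most forum posts quote.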
Thanks for that hint, Elwing.

I've got a similar issue on this topic: What are the potential threats to using something like CHMOD 777, as it is often advised on these boards? AFAIK, this gives full permissions to anyone (me/group/world), so this smells like trouble to me.
posted by Dominik on 6 Sep 05 at 10:00 AM
Yes, it is. And if a user is aware of the directory format (which they would be, if they referred to this site), then they will know what folders and files have what permissions.

However, there's not a lot that can be done about this in general terms. PHP often runs as 'nobody', and if it's running in Safe Mode, you're stuck with world permissions. This is an issue that all flat file PHP scripts suffer from.

There are a couple of things you can do here, though. First, and simplest, is to change the folder names for those folders that have write permissions (for the RSS feed and such, this will mean editing the core PHP files, like fb.php). This will make it harder for a hacker to know which locations can be written to.

Better yet, if your hosted server allows this, move all those write enabled folders and files out of the web accessible areas (htdocs). If you're NOT showing the world what the file structure of your server is (as I mention above), then a hacker will have a real hard time finding these locations and doing something about it.
posted by Elwing on 7 Sep 05 at 7:24 AM
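As an added example of the second suggestion above (not folderblog's own code), here is how a script can keep its writable folders outside the document root, serve the RSS feed from there through PHP rather than as a directly reachable file, and report at startup if the data directory has ended up inside htdocs or is world-writable. The directory layout, the `FB_DATA_DIR` name and the function names are assumptions for the example; adjust the paths to your host.

```php
<?php
// Added example, not part of folderblog.
//
// Assumed layout on the host:
//   /home/user/htdocs/     document root, served by the web server (this file lives here)
//   /home/user/fb-data/    writable folder for rss.xml, cache, uploads; NOT served
//
// Nothing under fb-data is reachable by URL, so a visitor who somehow learns
// the path still cannot fetch or overwrite its contents directly.
define('FB_DATA_DIR', dirname(__DIR__) . '/fb-data');   // assumed; one level above htdocs

/** True if $dir is $root or lies anywhere beneath it (after resolving symlinks). */
function fb_is_inside(string $dir, string $root): bool
{
    $dir  = realpath($dir);
    $root = realpath($root);
    if ($dir === false || $root === false) {
        return false;
    }
    $root = rtrim($root, '/') . '/';
    return strncmp($dir . '/', $root, strlen($root)) === 0;
}

/**
 * Sanity checks for the writable data directory. Returns a list of problems
 * (empty array means the layout is as intended).
 */
function fb_check_data_dir(string $dir, string $docroot): array
{
    $problems = [];
    if (!is_dir($dir)) {
        $problems[] = "data directory missing: $dir";
        return $problems;
    }
    if (!is_writable($dir)) {
        $problems[] = "data directory not writable by the PHP user: $dir";
    }
    if (fb_is_inside($dir, $docroot)) {
        $problems[] = "data directory is inside the document root ($docroot); move it out";
    }
    $mode = fileperms($dir);
    if ($mode !== false && ($mode & 0002)) {
        // 0777 as often advised on shared hosts. 0755 owned by the web server
        // user, or 0775 with a shared group, gives the script what it needs
        // without letting every other account on the box write here.
        $problems[] = sprintf('data directory is world-writable (%s)', decoct($mode & 0777));
    }
    return $problems;
}

/** Serve the RSS feed from outside the web root (replaces a direct link to rss.xml). */
function fb_serve_feed(string $feedFile): bool
{
    // realpath() + fb_is_inside() guard against a path escaping the data dir
    $real = realpath($feedFile);
    if ($real === false || !fb_is_inside($real, FB_DATA_DIR)) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    header('Content-Type: application/rss+xml; charset=UTF-8');
    readfile($real);
    return true;
}

$docroot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;
foreach (fb_check_data_dir(FB_DATA_DIR, $docroot) as $problem) {
    // Log only; do not echo, the message contains absolute paths.
    error_log('folderblog: ' . $problem);
}

// Example use: link the feed as feed.php instead of rss.xml
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'feed.php') {
    fb_serve_feed(FB_DATA_DIR . '/rss.xml');
}
```

On a host that forces world-writable permissions (the Safe Mode case mentioned above), the permission check will keep reporting 0777; the part you still control is the location, and the check for "inside the document root" is the one that matters most there. The problems are written to the error log rather than echoed, for the reason given in the first post: they contain the absolute paths you do not want a visitor to see.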