Security-risk on gridscan.com

From: Michael Metz [SpeedPartner] (metzat_private)
Date: Fri May 24 2002 - 15:01:34 PDT


    As reported today (2002-05-24) by the German ZDNet in the article
    http://news.zdnet.de/story/0,,s2110809,00.html?020524165655 there is a new 
    "live search engine" at Gridscan.com. It only requires you to put a one-line 
    PHP script from the Gridscan homepage on your web server, execute it once and 
    leave the script at this location. To unsubscribe from the search engine, simply 
    delete the script. But the PHP-script solution is a bit "risky": the PHP script 
    you have to download contains only the line:
    
    <? require("http://www.tobiaspreis.de/grid.php"); ?>
    
    This way the administrator of tobiaspreis.de could easily modify his grid.php 
    to do almost anything on your web server with the full user rights of your PHP 
    scripts. The server tobiaspreis.de is also a good target for hackers, because 
    this way they can gain access to a lot of large websites. In environments where 
    PHP scripts run under the customer's identity instead of "nobody", this is 
    a large security hole.
    
    Furthermore, the "live search" technique can result in a high amount of CPU and 
    hard-disk load. For a full explanation of the problems, refer to the full comment 
    on this problem, in German, at:
    
        http://www.speedpartner.de/presse/020524.pdf
    
    By the way: Why doesn't it download from Gridscan.com but from a private 
    homepage?
    
    
    Best regards
     Michael Metz
    
    ****************************************************
    SpeedPartner, proprietor Michael Metz
    Neukirchener Str. 57, 41470 Neuss
    Tel.: 02137 / 929 829, Fax: 02137 / 137 17
    E-Mail: infoat_private
    ****************************************************
    
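The one-liner quoted above is a remote include: with PHP's allow_url_fopen enabled, require() fetches the script over HTTP and executes whatever the remote host returns, on every request. An administrator of a shared host would want to find such lines in customer webroots before they become a problem. The following scanner is an added example and is not part of Michael Metz's message or of Gridscan's code; it walks PHP source, flags include/require statements whose target is a literal http, https, ftp or ftps URL, and leaves local includes alone. The sample PHP snippets are constructed for this example (the Gridscan line is the one quoted in the message; the other URLs and paths are invented), and the directory scanner assumes a readable tree of .php files.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# include / include_once / require / require_once, an optional opening paren,
# then a quoted literal whose scheme PHP can stream when allow_url_fopen is on.
# Group 1: the keyword, group 2: the quote character, group 3: the remote URL.
REMOTE_INCLUDE_RE = re.compile(
    r"""\b((?:include|require)(?:_once)?)\b\s*\(?\s*(['"])((?:https?|ftps?)://[^'"]+)\2""",
    re.IGNORECASE,
)

# Constructed sample 1: the exact one-liner Gridscan asked site owners to install.
SAMPLE_GRIDSCAN_PHP = '<? require("http://www.tobiaspreis.de/grid.php"); ?>\n'

# Constructed sample 2: ordinary local includes that must NOT be reported.
SAMPLE_LOCAL_PHP = """<?php
require_once 'lib/search.php';           // relative local include
include("/var/www/shared/header.php");   // absolute local include
?>
"""

# Constructed sample 3: a remote include spelled without parentheses (invented host).
SAMPLE_FTP_PHP = "include_once 'ftp://example.invalid/x.php';\n"


def find_remote_includes(php_source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, keyword, url) for every literal remote include.

    Only string-literal URLs are matched; an include whose path is built in a
    variable (e.g. include($page)) is a separate review item and is not reported.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in REMOTE_INCLUDE_RE.finditer(line):
            findings.append((lineno, match.group(1).lower(), match.group(3)))
    return findings


def scan_tree(root: Path, suffixes: Iterable[str] = (".php", ".inc", ".php3", ".phtml")) -> List[Tuple[str, int, str, str]]:
    """Walk a webroot and collect (file, line, keyword, url) for remote includes."""
    results: List[Tuple[str, int, str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for lineno, keyword, url in find_remote_includes(source):
            results.append((str(path), lineno, keyword, url))
    return results


if __name__ == "__main__":
    for label, sample in (("gridscan", SAMPLE_GRIDSCAN_PHP),
                          ("local", SAMPLE_LOCAL_PHP),
                          ("ftp", SAMPLE_FTP_PHP)):
        for lineno, keyword, url in find_remote_includes(sample):
            print(f"{label}:{lineno}: {keyword} of remote code from {url}")
```

Run it against a real webroot with scan_tree(Path("/var/www")); every hit is code that the remote host, not the site owner, controls at request time. The regex deliberately requires a string literal, so it will miss a URL assembled in a variable; treat any include whose argument is not a literal as a manual review item. Turning off allow_url_fopen in php.ini removes the capability for the whole server, but on a shared host that may break customers who rely on fopen() over HTTP for other purposes, so scanning first shows what is actually affected.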



    This archive was generated by hypermail 2b30 : Fri May 24 2002 - 16:40:47 PDT