
Security problem with php implode syntax in shared hosting.

Posted by sanbad, 04-24-2006, 10:13 AM
Hi, I am a webmaster. I support some websites. I have found a problem in some hosting services. On these hosts, a user who uses the implode syntax in a PHP script can access other accounts' files. So he/she can implode the configuration files of a portal from another account and find the database's name, username and password, and so can access the database and drop it or perform other actions on it! For example, he can use this address in the implode syntax: /home/otherAccountName/public_html/portalFolder/config.php Does this occur in all hosting services, or only in the hosting services that I work with? Why do we see this problem? What must a webhosting administrator do to solve this problem? I know that if we use the syntax error_reporting(0); in the PHP script the hacker cannot find the account name, but I want users to be unable to implode other accounts' files. Please help. Thanks. Last edited by sanbad; 04-24-2006 at 10:16 AM.

Posted by gbjbaanb, 04-24-2006, 10:38 AM
Look up open_basedir in the PHP documentation and implement it for your sites. Also, disable the exec() calls in PHP.

Posted by sanbad, 04-24-2006, 12:00 PM
Thanks. If possible, please explain disabling the exec() calls. Who must do this? The server admin? The reseller admin? The webhosting end user? If the exec() call is disabled, can portals whose scripts use the require, include and implode syntaxes still work properly?

Posted by gbjbaanb, 04-24-2006, 01:17 PM
Here's a link to get you started, but if you're serious about securing your site, I suggest hiring someone who will do it for you, or take the time to learn for yourself. In both cases, the server admin will have to do this - you will need to update the virtual host directives for each site, or the php.ini, to include the necessary php directives. http://uk.php.net/exec to disable exec, find the line "disable_functions =" in php.ini and change it to "disable_functions = exec".
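To make the two settings from this thread concrete, here is an added example of what the server admin would put in the per-site Apache virtual host (mod_php) to confine each account's PHP to its own directory. It is not configuration from the thread or from any particular hosting panel; the account name, document root and paths are assumed placeholders. open_basedir is enforced by every PHP filesystem function (include, require, fopen, file_get_contents and so on), so a script in one account can no longer read /home/otherAccountName/.../config.php regardless of which function it calls; disable_functions can only be set in php.ini, not per virtual host, so it appears here only as a comment.

```apache
# Weak setting: no open_basedir at all, so PHP may read any file the
# web server user can read, including other accounts' config files.
#<VirtualHost *:80>
#    ServerName site-a.example
#    DocumentRoot /home/siteA/public_html
#</VirtualHost>

# Hardened setting: each account's PHP is confined to its own tree
# plus a private temp directory (paths are assumed placeholders).
<VirtualHost *:80>
    ServerName site-a.example
    DocumentRoot /home/siteA/public_html

    # open_basedir takes a colon-separated list of allowed prefixes;
    # php_admin_value prevents the site from overriding it in .htaccess.
    php_admin_value open_basedir "/home/siteA/public_html:/home/siteA/tmp"

    # Keep uploads and sessions inside the allowed prefixes as well,
    # otherwise open_basedir blocks PHP's own temp and session files.
    php_admin_value upload_tmp_dir   "/home/siteA/tmp"
    php_admin_value session.save_path "/home/siteA/tmp"
</VirtualHost>

# disable_functions must go in php.ini (it cannot be set per vhost), e.g.:
#   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
# This removes the shell-execution route but does not restrict file reads;
# only open_basedir (or OS-level per-user isolation) does that.
```

Check the result from inside one account with a script that calls file_get_contents on a path under a different account: with open_basedir in effect the call fails with an "open_basedir restriction in effect" warning instead of returning the file. Note that open_basedir is a PHP-level restriction only; it does not apply to disabled-but-forgotten wrappers such as a CGI binary or a scheduled job, so running each site under its own OS user (suexec, suPHP or a separate PHP-FPM pool) with filesystem permissions that deny cross-account reads is the stronger, complementary fix.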
