View Full Version : Script breaks php security on win2003 XAMPP


eugene2006
Sep 9th 2006, 10:21 am
Script breaks php security on win2003 XAMPP
This is the script I've checked on my VPS WIN2003 XAMPP
http://php.spb.ru/remview/
http://php.spb.ru/remview/screen_mainwindow.html
http://php.spb.ru/remview/remview_2003_10_23.php

translate from Russian to English

http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F%2Fphp.spb.ru%2Fremview%2F&direction=re&template=General&cp1=NO&cp2=NO&autotranslate=on&psubmit2.x=47&psubmit2.y=7

and results are horrible ))
*complete* control over the entire system - just like it would be a non-GUI REMOTE ADMINISTRATOR...
So, how to disallow any script to move beyond its top/root folder?
For instance, if the domain name is domen.com and it's placed in c:\vhosts\domen.com
I want any script in this domain not to go higher than / root => c:\vhosts\domen.com\

really need help, because this is scary stuff

leet
Sep 9th 2006, 10:34 am
Change all your permissions to read-only and use write only in the necessary php files. And tell your hoster to set open_basedir "on".

eugene2006
Sep 9th 2006, 10:39 am
you did not pay attention as I see :)
but thanks for reply

leet
Sep 9th 2006, 10:42 am
That open_basedir command should fix your problem if I understood what you wanted, but seems like I didn't since you say so (:

eugene2006
Sep 9th 2006, 10:48 am
ok open_basedir sounds fine - does it protect the top root folder of a domain?
but if I want to restrict a user to his folder then what?
let's say a free hosting script makes it look like this

myfreehoster.com/newuser/

how to stop newuser from getting above his folder?

leet
Sep 9th 2006, 10:53 am
Yes it protects top root folder of domain. Users can reach only their domain section. Like c:\vhosts\blabla.com, and can't go above to vhosts. All you need is open_basedir command. If you're the owner of hosting then set it as on. That's all.

eugene2006
Sep 10th 2006, 5:46 am
thanks but I have a problem here

my vhosts looks like this


###################################################
<Directory "C:/aweb/freehosting">
Options Indexes Includes FollowSymLinks ExecCGI
AllowOverride all
Order allow,deny
Allow from all
</Directory>

<VirtualHost *:80>
DocumentRoot "C:/aweb/freehosting"
ServerName pcsny.org
ServerAlias www.pcsny.org
php_admin_value open_basedir "/"
Options +FollowSymLinks
RewriteEngine On
RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
RewriteCond %{HTTP_HOST} ^pcsny\.org
RewriteCond %{REQUEST_URI} ^(.*)
RewriteRule (.*) http://www.pcsny.org/%1 [R=301,L]

</VirtualHost>

<VirtualHost *:80>
ServerName pcsny.org
ServerAlias *.pcsny.org
VirtualDocumentRoot "C:/aweb/freehosting/users/%1/"
php_admin_value open_basedir "C:/aweb/freehosting/users/"
</VirtualHost>

####################################################

I tried to fix each new user to his own folder /users/%user%/

but alas no can do
VirtualDocumentRoot "C:/aweb/freehosting/users/__%1/"
php_admin_value open_basedir "C:/aweb/freehosting/users/__"

this trick does not work, it says
in the error logs that it can't find %newuser%__

how to jail each user in his folder??
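A defender-side way to do what the last post asks, added here as an example and not part of the thread: php_admin_value takes a literal string and never sees the %1 that mod_vhost_alias expands in VirtualDocumentRoot, so the script below emits one explicit <VirtualHost> per user with its own open_basedir, and a small helper shows why the value must end with a slash (PHP matches open_basedir as a prefix, so "users/bob" would also admit "users/bobby/"). The users directory and domain come from the posted config; the shared PHP temp directory is an assumption.

```python
"""Per-user PHP confinement for mass virtual hosting on Windows/XAMPP.

Added example for this thread, not the poster's own configuration.
php_admin_value cannot use mod_vhost_alias' %1, so one <VirtualHost>
is generated per user directory. Assumption not in the thread: a shared
PHP temp directory PHP_TMP so sessions and uploads keep working.
"""
import posixpath
import re

USERS_ROOT = "C:/aweb/freehosting/users"   # from the poster's config
DOMAIN = "pcsny.org"                       # from the poster's config
PHP_TMP = "C:/aweb/php_tmp"                # assumed, not in the thread


def valid_user(user: str) -> bool:
    """Only plain names may become part of a path (no '..', no separators)."""
    return re.fullmatch(r"[a-z0-9][a-z0-9-]*", user) is not None


def vhost_stanza(user: str) -> str:
    """One Apache 2.x <VirtualHost> per user. open_basedir ends with '/'
    because PHP matches it as a prefix ('users/bob' would also admit
    'users/bobby/'); Windows separates multiple basedirs with ';'."""
    if not valid_user(user):
        raise ValueError(f"unsafe user name: {user!r}")
    docroot = f"{USERS_ROOT}/{user}"
    return "\n".join([
        "<VirtualHost *:80>",
        f"    ServerName {user}.{DOMAIN}",
        f'    DocumentRoot "{docroot}"',
        f'    php_admin_value open_basedir "{docroot}/;{PHP_TMP}/"',
        f'    php_admin_value upload_tmp_dir "{PHP_TMP}/"',
        "</VirtualHost>",
    ])


def generate_config(users) -> str:
    """Stanzas for all users, sorted so the file is stable across runs."""
    return "\n\n".join(vhost_stanza(u) for u in sorted(users))


def basedir_allows(basedir: str, path: str) -> bool:
    """Simplified model of PHP's documented open_basedir rule: the
    normalised target must start with the basedir string (case-sensitive
    here; real PHP also resolves the path on disk)."""
    return posixpath.normpath(path).startswith(basedir)


if __name__ == "__main__":
    print(generate_config(["bob", "alice"]))   # constructed sample users
```

On the real server the user list would come from the directory names under USERS_ROOT, and the generated file is Included from httpd.conf and regenerated whenever a user is added.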