Script breaks php security on win2003 XAMPP
This is the script I've checked on my VPS WIN2003 XAMPP:
http://php.spb.ru/remview/
http://php.spb.ru/remview/screen_mainwindow.html
http://php.spb.ru/remview/remview_2003_10_23.php
Translated from Russian to English:
http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F%2Fphp.spb.ru%2Fremview%2F&direction=re&template=General&cp1=NO&cp2=NO&autotranslate=on&psubmit2.x=47&psubmit2.y=7
And the results are horrible )) *complete* control over the entire system - just like it would be a non GUI REMOTE ADMINISTRATOR...
So, how to disallow any script to move beyond its top/root folder? For instance, if the domain name is domen.com and it's placed in c:\vhosts\domen.com, I want any script in this domain not to go higher than / root => c:\vhosts\domen.com\
Really need help, because this is scary stuff.
Change all your permissions to read-only and use write only in the necessary PHP files. And tell your hoster to set open_basedir "on".
That open_basedir command should fix your problem if I understood what you wanted, but seems like I didn't since you say so
OK, open_basedir sounds fine - does it protect the top root folder of the domain? But if I want to restrict a user to his folder, then what? Let's say a free hosting script makes it look like this: myfreehoster.com/newuser/ - how to stop newuser getting above his folder?
Yes it protects top root folder of domain. Users can reach only their domain section. Like c:\vhosts\blabla.com, and can't go above to vhosts. All you need is open_basedir command. If you're the owner of hosting then set it as on. That's all.
Thanks, but I have a problem here. My vhosts looks like this:
###################################################
<Directory "C:/aweb/freehosting">
    Options Indexes Includes FollowSymLinks ExecCGI
    AllowOverride all
    Order allow,deny
    Allow from all
</Directory>
<VirtualHost *:80>
    DocumentRoot "C:/aweb/freehosting"
    ServerName pcsny.org
    ServerAlias www.pcsny.org
    php_admin_value open_basedir "/"
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
    RewriteCond %{HTTP_HOST} ^pcsny\.org
    RewriteCond %{REQUEST_URI} ^(.*)
    RewriteRule (.*) http://www.pcsny.org/%1 [R=301,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName pcsny.org
    ServerAlias *.pcsny.org
    VirtualDocumentRoot "C:/aweb/freehosting/users/%1/"
    php_admin_value open_basedir "C:/aweb/freehosting/users/"
</VirtualHost>
####################################################
I tried to fix each new user to his own folder /users/%user%/ but alas, no can do:
    VirtualDocumentRoot "C:/aweb/freehosting/users/__%1/"
    php_admin_value open_basedir "C:/aweb/freehosting/users/__"
This trick does not work; it says in the error logs that it can't find %newuser%__
How to jail each user in his folder??
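An added example, not part of any post in this thread: one way to pin each user to their own folder is to generate one `<Directory>` block per user with its own `php_admin_value open_basedir`, because the `%1` placeholder of `VirtualDocumentRoot` is not expanded inside `php_admin_value`. The function names, the user-name policy and the sample users are assumptions, and `is_allowed` is a simplified model of the directory check, not PHP's implementation.

```python
import ntpath
import re

USERS_ROOT = "C:/aweb/freehosting/users"  # path from the config in the thread
# Assumed naming policy: one lowercase DNS label, so no "..", "/", "\" or "%".
SAFE_NAME = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def user_dir(name):
    """Return the user's folder with a trailing slash; reject unsafe names."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe user name: {name!r}")
    return f"{USERS_ROOT}/{name}/"


def directory_block(name):
    """One <Directory> block pinning PHP's open_basedir to this user's folder."""
    path = user_dir(name)
    return (f'<Directory "{path}">\n'
            f'    php_admin_value open_basedir "{path}"\n'
            f'</Directory>\n')


def build_config(names):
    """Config text for all users, de-duplicated and in a stable order."""
    return "\n".join(directory_block(n) for n in sorted(set(names)))


def _norm(path):
    # Collapse ".." and compare the way Windows paths do (case, slashes).
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(open_basedir, target):
    """Simplified model (not PHP's code): target is the base dir or beneath it."""
    base = _norm(open_basedir).rstrip("\\")
    tgt = _norm(target)
    return tgt == base or tgt.startswith(base + "\\")


if __name__ == "__main__":
    print(build_config(["alice", "bob"]))  # constructed sample user names
    bobs_file = f"{USERS_ROOT}/bob/config.php"
    print(is_allowed(f"{USERS_ROOT}/", bobs_file))      # shared root
    print(is_allowed(user_dir("alice"), bobs_file))     # per-user root
```

The generated text is meant to be included from the main server configuration and regenerated whenever a user is added or removed.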