Script breaks php security on win2003 XAMPP

Discussion in 'Security' started by eugene2006, Sep 9, 2006.

  1. #1
    This is the script I've checked on my VPS WIN2003 XAMPP
    http://php.spb.ru/remview/
    http://php.spb.ru/remview/screen_mainwindow.html
    http://php.spb.ru/remview/remview_2003_10_23.php

    translate from rus to eng

    http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F%2Fphp.spb.ru%2Fremview%2F&direction=re&template=General&cp1=NO&cp2=NO&autotranslate=on&psubmit2.x=47&psubmit2.y=7

    and results are horrible ))
    *complete* control over entire system - just like it would be a non GUI REMOTE ADMINISTRATOR...
    So, how to disallow any script to move beyond its top/root folder?
    For instance if domain name is domen.com and it's placed in c:\vhosts\domen.com
    I want any script in this domain not to go higher than / root => c:\vhosts\domen.com\

    really need help, because this is scary stuff
     
    eugene2006, Sep 9, 2006 IP
  2. leet

    #2
    Change all your permissions to read-only and use write only in the necessary php files. And tell your hoster to set open_basedir "on".
     
    leet, Sep 9, 2006 IP
  3. eugene2006

    #3
    you did not pay attention as i see :)
    but thanks for reply
     
    eugene2006, Sep 9, 2006 IP
  4. leet

    #4
    That open_basedir command should fix your problem if I understood what you wanted, but seems like I didn't since you say so :)
     
    leet, Sep 9, 2006 IP
  5. eugene2006

    #5
    ok open_basedir sounds fine - does it protect top root folder of domain?
    but if i want to restrict user in his folder then what?
    let's say a free hosting script makes it look like this

    myfreehoster.com/newuser/

    how to stop newuser getting above his folder?
     
    eugene2006, Sep 9, 2006 IP
  6. leet

    #6
    Yes it protects top root folder of domain. Users can reach only their domain section. Like c:\vhosts\blabla.com, and can't go above to vhosts. All you need is open_basedir command. If you're the owner of hosting then set it as on. That's all.
     
    leet, Sep 9, 2006 IP
  7. eugene2006

    #7
    thanks but i have a problem here

    my vhosts looks like this


    ###################################################
    <Directory "C:/aweb/freehosting">
    Options Indexes Includes FollowSymLinks ExecCGI
    AllowOverride all
    Order allow,deny
    Allow from all
    </Directory>

    <VirtualHost *:80>
    DocumentRoot "C:/aweb/freehosting"
    ServerName pcsny.org
    ServerAlias www.pcsny.org
    php_admin_value open_basedir "/"
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
    RewriteCond %{HTTP_HOST} ^pcsny\.org
    RewriteCond %{REQUEST_URI} ^(.*)
    RewriteRule (.*) http://www.pcsny.org/%1 [R=301,L]

    </VirtualHost>

    <VirtualHost *:80>
    ServerName pcsny.org
    ServerAlias *.pcsny.org
    VirtualDocumentRoot "C:/aweb/freehosting/users/%1/"
    php_admin_value open_basedir "C:/aweb/freehosting/users/"
    </VirtualHost>

    ####################################################

    i tried to fix each new user to his own folder /users/%user%/

    but alas no can do
    VirtualDocumentRoot "C:/aweb/freehosting/users/__%1/"
    php_admin_value open_basedir "C:/aweb/freehosting/users/__"

    this trick does not work, it says
    in error logs that it can't find %newuser%__

    how to jail each user in his folder??
     
    eugene2006, Sep 10, 2006 IP
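
Added example, not part of the original thread: `php_admin_value` takes its value literally (the `%1` interpolation belongs to `VirtualDocumentRoot`), so one way to confine each user is to generate a static `<Directory>` block per user folder. The folder layout is taken from the vhost posted above; the name allow-list and the sample user names are assumptions.

```python
import re

# Assumed layout, taken from the vhost posted in the thread.
USERS_ROOT = "C:/aweb/freehosting/users"
# Conservative allow-list for folder names (assumption): keeps quotes, spaces,
# newlines, dots and path separators out of the generated configuration.
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")


def directory_block(user, users_root=USERS_ROOT):
    """Return a <Directory> block that confines PHP to one user folder."""
    if not SAFE_NAME.fullmatch(user):
        raise ValueError(f"unsafe user folder name: {user!r}")
    # Trailing slash: the value names exactly one directory, so "bob/" cannot
    # also match a sibling such as "bobby" where PHP compares by prefix.
    path = f"{users_root.rstrip('/')}/{user}/"
    return (
        f'<Directory "{path}">\n'
        f'    php_admin_value open_basedir "{path}"\n'
        f"</Directory>\n"
    )


def build_config(users, users_root=USERS_ROOT):
    """Return (config_text, rejected_names) for a list of folder names."""
    blocks, rejected = [], []
    for user in sorted(set(users)):
        try:
            blocks.append(directory_block(user, users_root))
        except ValueError:
            rejected.append(user)
    return "\n".join(blocks), rejected


if __name__ == "__main__":
    # Constructed sample names; in use, list the folders under USERS_ROOT.
    sample = ["newuser", "bob", "bobby", "../admin", 'x"\nInclude other.conf']
    config, rejected = build_config(sample)
    print(config)
    print("# skipped:", rejected)
```

The output can be written to a file and pulled into the wildcard `<VirtualHost>` with Apache's `Include` directive, then regenerated and Apache reloaded whenever a user folder is added.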