sparek-3, thanks for your reply...
Yeah, I agree with you and that's what I mean... It seems like this is a huge security issue and more than likely every shared host is affected... I was totally assuming that cPanel updates were already taking this into consideration, but I was wrong..
I can't believe suPHP isn't a requirement for WHM, as the main reason someone would use WHM would be for shared hosting/reselling...
Even .htaccess files (which could have path info to .htpasswd files and other information).. these are automatically set as 644 by cPanel upon account creation... which I think is a security risk..
What I don't get is why, in a shared env, cPanel would let any file (.dat, .cgi, .pl, .php etc., whatever file) have world-readable access in the /home/ directory... Wouldn't cPanel and Apache have taken this into consideration by now with the zillions of shared hosts? I know there's PHP open_basedir, but there are many other file types and situations. Bottom line, what's in one home dir shouldn't be accessible by anyone outside of the homedir/, at least in the cPanel environment, which most of the time is a "shared" environment.. Why wouldn't this have been thought of previously?
There are probably millions of shared hosts where WordPress, Joomla, etc. config files are set as 644 or higher, allowing possible access to their files by other users in other home directories... I don't understand why cPanel doesn't "auto" lock those files from world-readable access and work with Apache to create a "mod_sharedhost" or something that will fully isolate a homedir (its requested scripts, processes, files etc.) to the homedir's user/usergroup...
Bottom line... you can't always rely on your users to "chmod" properly... there should be options in WHM and Apache for full isolation of a user's files regardless of your users' sloppy permission settings...
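The concern raised in this post (config and access-control files left 644 in a shared /home) can be checked and corrected from the hosting side. The script below is an added example, not code from the thread or from cPanel; the list of sensitive filenames and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a home directory on a
# shared host for world-readable files that usually hold secrets or access
# control, i.e. the 644 .htaccess / wp-config.php case the post describes.
# SENSITIVE_NAMES is an assumed list; extend it for your own setup.
SENSITIVE_NAMES='wp-config.php configuration.php .htpasswd .htaccess .env'

# audit_world_readable DIR
#   Prints one line per sensitive file under DIR whose "other" read bit is
#   set (644, 664, 755, ...). Returns 0 if none were found, 1 otherwise, so
#   it can be used directly in an if/while or a cron job.
audit_world_readable() {
    count=0
    for name in $SENSITIVE_NAMES; do
        # -perm -o=r matches any mode where "others" can read the file,
        # regardless of what the owner/group bits are set to.
        matches=$(find "$1" -type f -name "$name" -perm -o=r 2>/dev/null)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches"
        count=$((count + $(printf '%s\n' "$matches" | wc -l)))
    done
    [ "$count" -eq 0 ]
}

# fix_world_readable DIR
#   Strips the "other" bits from the files the audit would report. The
#   owner keeps full access, which is what matters when PHP/CGI runs as the
#   account owner (suPHP/suEXEC); a mod_php setup running as the Apache
#   user would additionally need group access, so check that first.
fix_world_readable() {
    for name in $SENSITIVE_NAMES; do
        find "$1" -type f -name "$name" -perm -o=r -exec chmod o-rwx {} +
    done
}
```

Run the audit against /home (or one account's home) to see what a neighbouring account could read; run the fix only after confirming how PHP executes on the box.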