  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    8

    How to disallow php.ini overriding?

    Hello

    Some accounts were hacked yesterday on our server, and by tracking the hacking method we found the attackers were bypassing the user privileges with the function symlink (it was disabled in /usr/local/lib/php.ini before)
    + and bypassing safe_mode and disabled functions by uploading a php.ini with default settings to the user account.

    How can we disallow overriding php.ini?

    Any help will be appreciated.

    Our System
    Cent 4.5
    Cpanel
    Cgi Module (phpsuexec enabled)


    Thank you

  2. #2
    Member
    Join Date
    Apr 2004
    Posts
    84

    :-)

    This shouldn't happen. Are you using suexec and Apache compiled with phpsuexec? I've had mine set up like that for years, and sites that get hacked were not able to spread across the server.

  3. #3
    Member
    Join Date
    Aug 2002
    Posts
    1,120


    There is some truth to what psychodreams is saying. If you are running PHP as CGI, then PHP scripts aren't executed by a shared username throughout the server, so there's not a lot of damage that can be done to the server, just to that specific account.

    That being said, the only way I know to disallow custom php.ini and run PHP as CGI is to use a patched suPHP system. I wrote a guide some time ago for doing a custom suPHP install on a cPanel server:

    http://www.spareknet.org/howtos/suphp.php

    I believe cPanel has since begun including suPHP into their new easyapache3 system, although I think it is only for Apache2. The guide I wrote only applies to Apache 1.3 and to suPHP 0.6.1. Personally, if you are just getting started with this, I might recommend waiting and seeing what the cPanel suPHP does and how it approaches this situation.

  4. #4
    Registered User
    Join Date
    Apr 2008
    Posts
    4


    Hello,

    You just create an empty file: .htaccess

    Code:
    suPHP_ConfigPath /usr/local/lib/php.ini
    This config means the default PHP config is located in the correct path.

    And make sure to set the attribute for no change on the .htaccess, so that only root can set the attribute to allow editing that file: .htaccess


    And put the .htaccess in the /home/ directory, so that each account under the Apache module cannot create and use another php.ini file in its account dir.

    thank you
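
An audit for the situation the first post describes (a php.ini with default settings dropped into an account so that the server-wide disable_functions no longer applies), as an added example that is not part of the thread: it lists each per-account php.ini and the functions it leaves enabled that the master file disables. The function names, the /home layout and the sample tree are assumptions; the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed layout: accounts under /home,
# server-wide config at /usr/local/lib/php.ini as named in the thread.

# Print the effective disable_functions list of one php.ini (last setting wins).
disabled_functions() {
    awk -F= '
        /^[ \t]*disable_functions[ \t]*=/ {
            v = $2
            sub(/;.*/, "", v)          # drop a trailing comment
            gsub(/[ \t\r"]/, "", v)    # drop blanks and quotes
            val = v
        }
        END { print val }' "$1"
}

# For every php.ini below $1, report the functions that the master file $2
# disables but the per-account file leaves enabled.
audit_php_ini() {
    master=$(disabled_functions "$2")
    find "$1" -type f -name php.ini 2>/dev/null | sort | while IFS= read -r ini; do
        local_list=$(disabled_functions "$ini")
        missing=""
        for fn in $(printf '%s' "$master" | tr ',' ' '); do
            case ",$local_list," in
                *",$fn,"*) ;;
                *) missing="${missing:+$missing,}$fn" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s: re-enables %s\n' "$ini" "$missing"
        fi
    done
}

# Constructed sample tree so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/home/alice/public_html" "$demo/home/bob/public_html"
printf 'disable_functions = symlink,exec,system\n' > "$demo/master.ini"
printf ';disable_functions =\nsafe_mode = Off\n' > "$demo/home/alice/public_html/php.ini"
printf 'disable_functions = "exec, system, symlink, passthru"\n' > "$demo/home/bob/public_html/php.ini"
audit_php_ini "$demo/home" "$demo/master.ini"
rm -rf "$demo"
```

On a real server the call would be `audit_php_ini /home /usr/local/lib/php.ini`, run as root so that every account directory is readable.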
