The Community Forums


best way to secure this

Discussion in 'General Discussion' started by Ben, Sep 20, 2003.

  1. Ben

    Ben Well-Known Member

    Joined:
    Aug 19, 2002
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    6
    I've already posted this here

    http://www.webhostingtalk.com/showthread.php?s=&postid=1481764

    But I thought I'd try to get a more cPanel specific feel for the problem

    We have a few customers on our servers who use code similar to this

    PHP:
    <?php
    // $x is set from the URL (x=...), so the visitor controls what is included
    if (isset($x)) {
        include($x);
    } else {
        include('main.htm');
    }
    ?>
    However, this unfortunately appears to allow anyone to craft a URL to pass system commands to the server, by setting x= to whatever they want.

    What's the best way to secure against that? Is there any way to secure against it short of changing the code?

    cPanel.net Support Ticket Number:
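One way to rewrite the snippet in the first post so that the `x` value only selects from a fixed list of files and never reaches `include` directly. This is an added example, not code from the thread; the page keys and every file name except `main.htm` are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example: allowlist-based replacement for include($x).
// Keys and file names other than main.htm are hypothetical.
const PAGES = [
    'main'    => 'main.htm',
    'about'   => 'about.htm',    // hypothetical
    'contact' => 'contact.htm',  // hypothetical
];

/**
 * Map a request value to a file that is safe to include.
 * Anything that is not an allowlisted key (a URL, a path with ../,
 * an array, a missing value) falls back to the default page.
 */
function resolve_page($requested, array $pages, string $default = 'main'): string
{
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        $requested = $default;
    }
    // The returned path is built only from values defined in this file.
    return __DIR__ . '/' . $pages[$requested];
}

// Self-check on constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['about', 'http://example.invalid/x.txt', '../../etc/passwd', ['a'], null];
    foreach ($samples as $s) {
        printf(
            "%-34s => %s\n",
            json_encode($s, JSON_UNESCAPED_SLASHES),
            basename(resolve_page($s, PAGES))
        );
    }
    exit;
}

// Web request: read x explicitly from the query string instead of
// relying on a global variable being created from the request.
include resolve_page($_GET['x'] ?? null, PAGES);
```

Run from the command line, only the first constructed sample resolves to `about.htm`; every other sample resolves to `main.htm`.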
     
  2. WeMasterz5

    WeMasterz5 Well-Known Member

    Joined:
    Feb 24, 2003
    Messages:
    361
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Miami
    I am to understand that this is with someone that has access to an account on a server, correct?

  3. Ben

    Ben Well-Known Member

    No, if that code is placed on a webpage, and that webpage is served to the public (or anyone else for that matter) it's possible to craft a URL that passes system commands to the server.

    I'm using the latest cPanel stable build, and Apache build.

  4. WeMasterz5

    WeMasterz5 Well-Known Member

    Yes, what I am asking though: in order to put that on a webpage on the cPanel server you must have access to it... correct?

  5. Ben

    Ben Well-Known Member

    Yes, the posting of that code on a page does, afaik, require access to an account on the server.

  6. WeMasterz5

    WeMasterz5 Well-Known Member

    :cool:
