The Community Forums


How to disallow php.ini overriding?

Discussion in 'General Discussion' started by Top Line, Jun 16, 2007.

  1. Top Line

    Top Line Member

    Hello

    Some accounts were hacked yesterday on our server, and by tracking the hacking method we found the attackers were bypassing the user privileges with the function symlink (it was disabled in /usr/local/lib/php.ini before),
    and bypassing safe_mode and disabled functions by uploading a php.ini with default settings to the user account.

    How can we disallow overriding php.ini?

    Any help will be appreciated.

    Our System
    Cent 4.5
    Cpanel
    Cgi Module (phpsuexec enabled)


    Thank you
     
  2. psychodreams

    psychodreams Well-Known Member

    :)

    This shouldn't happen. Are you using suexec and Apache compiled with phpsuexec? I've had mine set up like that for years, and sites that get hacked were not able to spread across the server.
     
  3. sparek-3

    sparek-3 Well-Known Member

    There is some truth to what psychodreams is saying. If you are running PHP as CGI, then PHP scripts aren't executed by a shared username throughout the server, so there's not a lot of damage that can be done to the server, just to that specific account.

    That being said, the only way I know to disallow custom php.ini and run PHP as CGI is to use a patched suPHP system. I wrote a guide some time ago for doing a custom suPHP install on a cPanel server:

    http://www.spareknet.org/howtos/suphp.php

    I believe cPanel has since begun including suPHP into their new easyapache3 system, although I think it is only for Apache2. The guide I wrote only applies to Apache 1.3 and to suPHP 0.6.1. Personally, if you are just getting started with this, I might recommend waiting and seeing what the cPanel suPHP does and how it approaches this situation.
     
  4. nitro777

    nitro777 Registered

    Hello,

    You just create an empty file: .htaccess

    Code:
    suPHP_ConfigPath /usr/local/lib/php.ini
    That config means the default PHP config is located in the correct path.

    Make sure to set an attrib for no change on the .htaccess, so that only root can set the attrib that allows editing that file: .htaccess


    Put the .htaccess in the /home/ directory, so that each account under the Apache module cannot create and use another php.ini file in its account dir.

    thank you :)
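
An audit for the bypass reported in the first post, added here as an example and not code from any poster or from cPanel: it walks the account directories, finds every php.ini, and reports which disable_functions entries and which safe_mode setting it drops relative to the master file. The function names, the sample tree and its values are constructed, and the script assumes a per-directory php.ini replaces the master file rather than merging with it.

```python
import os
import tempfile
from pathlib import Path

def parse_ini(path):
    """Return {directive: value} from a php.ini, skipping sections and comments."""
    settings = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split(";", 1)[0].strip()  # ';' starts a comment
            if line and not line.startswith("[") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def disabled(settings):
    """Set of function names listed in disable_functions."""
    return {n.strip().lower() for n in settings.get("disable_functions", "").split(",") if n.strip()}

def safe_mode_on(settings):
    return settings.get("safe_mode", "off").strip().lower() in ("1", "on", "true", "yes")

def audit(master_ini, home_root):
    # Assumption: a local php.ini replaces the master file, so a directive that is
    # missing locally falls back to PHP's default (nothing disabled, safe_mode off).
    master = parse_ini(master_ini)
    findings = []
    for dirpath, _dirs, files in os.walk(home_root):
        for name in (f for f in files if f.lower() == "php.ini"):
            local = parse_ini(os.path.join(dirpath, name))
            re_enabled = sorted(disabled(master) - disabled(local))
            dropped = safe_mode_on(master) and not safe_mode_on(local)
            findings.append((os.path.join(dirpath, name), re_enabled, dropped))
    return findings

def demo():
    """Audit a constructed master php.ini against one constructed account tree."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp, "master-php.ini")
        master.write_text("[PHP]\nsafe_mode = On\ndisable_functions = symlink, exec, system ; hardened\n")
        site = Path(tmp, "home", "user1", "public_html")
        site.mkdir(parents=True)
        (site / "php.ini").write_text("; uploaded copy with defaults\nsafe_mode = Off\ndisable_functions =\n")
        found = audit(master, Path(tmp, "home"))
        return [(os.path.relpath(p, tmp), f, s) for p, f, s in found]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real server, call audit() with the master file from the first post (/usr/local/lib/php.ini) and the directory that holds the accounts; any entry with a non-empty function list or a True flag is an override worth reviewing.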
     