
php open_basedir is not enough ...

Discussion in 'General Discussion' started by Radio_Head, Dec 12, 2002.

  1. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Hello

    I am using

    php_admin_value open_basedir "/home/user:/tmp"

    to reduce hacking problems with PHP.

    However, with 10 lines of easy PHP code (I prefer not to post them here) I was able to see, for example, /etc/passwd in an account which has the open_basedir line ...

    Any idea better than the open_basedir restriction?


    Thank you
     
  2. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    Have you got PHP safe mode enabled?
     
  3. Radio_Head

    Radio_Head Well-Known Member

    PHP safe mode is too restrictive; however, if I could activate it on a single user I could try. May I activate safe mode on a single user (to test my code above)?
     
  4. MikeMc

    MikeMc Well-Known Member

    Joined:
    May 8, 2002
    Messages:
    161
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by Radio_Head:
    "PHP safe mode is too restrictive; however, if I could activate it on a single user I could try. May I activate safe mode on a single user (to test my code above)?"

    php_admin_value safe_mode 1 in the httpd.conf in the <VirtualHost ...> for the specific domain.

    I remember this; it's been some time since I've used it, though.
     
  5. Radio_Head

    Radio_Head Well-Known Member

    OK, I am testing it...
     
  6. Radio_Head

    Radio_Head Well-Known Member

    OK, with safe mode the script doesn't work (/etc/passwd is not shown).

    However, PHP safe mode is much too restrictive! A lot of scripts will not work... am I wrong?
     
  7. MikeMc

    MikeMc Well-Known Member

    Originally posted by Radio_Head:
    "OK, with safe mode the script doesn't work (/etc/passwd is not shown). However, PHP safe mode is much too restrictive! A lot of scripts will not work... am I wrong?"

    I believe that, in general, safe mode On will have an effect mainly if the script has file-manipulating functions, like upload. Maybe register_globals is your problem if some scripts don't work. If you want to try the register_globals ON/OFF game too, try this:
    php_value register_globals 0 (or 1 for ON).

    Although for more security register_globals should be off.
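
An added example, not part of any post in this thread and not cPanel's code: a small audit of the per-VirtualHost PHP directives discussed above (open_basedir, safe_mode, register_globals). The httpd.conf text, domain names, addresses and the `audit_vhosts` function are constructed for illustration.

```python
import re

# Constructed sample httpd.conf fragment (hypothetical domains, paths, addresses).
SAMPLE_CONF = '''
<VirtualHost 192.0.2.10>
    ServerName alpha.example
    php_admin_value open_basedir "/home/alpha:/tmp"
    php_admin_value safe_mode 1
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName beta.example
    php_value open_basedir "/home/beta:/tmp"
    php_value register_globals 1
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName gamma.example
</VirtualHost>
'''

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
PHP_RE = re.compile(r"^\s*(php_(?:admin_)?(?:value|flag))\s+(\S+)\s+(.+?)\s*$", re.M | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
ON = {"1", "on", "true", "yes"}

def audit_vhosts(conf_text):
    """Return {ServerName: [findings]} for the PHP directives in each vhost."""
    report = {}
    for body in VHOST_RE.findall(conf_text):
        m = NAME_RE.search(body)
        name = m.group(1) if m else "(unnamed)"
        settings = {}
        for directive, key, value in PHP_RE.findall(body):
            settings[key.lower()] = (directive.lower(), value.strip('"\''))
        findings = []
        if "open_basedir" not in settings:
            findings.append("open_basedir not set")
        for key, (directive, value) in sorted(settings.items()):
            # Values set with php_admin_value/php_admin_flag cannot be overridden
            # from .htaccess or ini_set(); php_value/php_flag carry no such lock.
            if key in ("open_basedir", "safe_mode") and "admin" not in directive:
                findings.append(f"{key} set with {directive}, not php_admin_*")
        rg = settings.get("register_globals")
        if rg and rg[1].lower() in ON:
            findings.append("register_globals is on")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_vhosts(SAMPLE_CONF).items():
        print(name, "->", findings or "ok")
```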
     