Php security issues

Discussion in 'Security' started by aussie, Jul 3, 2003.

  1. aussie

    aussie Member

    Joined:
    Jan 2, 2003
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hi, I've read that it's a good idea to implement open_basedir and safe mode on PHP. I have implemented safe mode, but how should php.ini be set so that each user's scripts can only look in his own user area? I noticed in my logs some joker trying to use phpnuke to download /etc/passwd and things like this.

    Also, are there real security advantages to implementing suexec for PHP? It's likely to be a hassle for users if I do this.

    cPanel.net Support Ticket Number:
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    In cPanel 7 there is an option to enable open_basedir for all accounts. PHP is an option; however, it may increase your load, and certain scripts that require values set via .htaccess can no longer be used. There are various other pros and cons with phpsuexec; I'd recommend searching this forum and webhostingtalk.com for more details.

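The original question asks how to confine each account's scripts to its own home. The usual per-account answer is a `php_admin_value open_basedir "/home/<user>/:/tmp/"` line in that account's virtual host (php_admin_value cannot be overridden from .htaccess or ini_set()). The self-check below is an added example, not code from this thread or from cPanel; it can be dropped into an account's web root to confirm that the restriction is actually in effect for that account. The home path `/home/<user>` is an assumption, and the list of extra directories treated as acceptable is a constructed one that you should adjust to your own build.

```php
<?php
// Added example (not from the forum thread): report whether open_basedir
// confines this account's scripts to its own home directory.
// Assumption: accounts live under /home/<user> (constructed layout).

function normalise_dir($path)
{
    return rtrim($path, '/');
}

function open_basedir_report($home)
{
    $basedir = ini_get('open_basedir');          // "" when unrestricted
    $paths   = ($basedir === '' || $basedir === false)
        ? []
        : array_map('normalise_dir', explode(PATH_SEPARATOR, $basedir));

    $report = array(
        'open_basedir'    => $basedir,
        'home_in_basedir' => in_array(normalise_dir($home), $paths, true),
        'only_allowed'    => true,
        'unexpected'      => array(),
    );

    // Extra entries that are normally harmless (constructed list; adjust to
    // your PHP build). A stray "/" or "/home" entry would expose every account.
    $allowed_extra = array('/tmp', '/usr/local/lib/php', '/var/lib/php');
    foreach ($paths as $p) {
        if ($p !== normalise_dir($home) && !in_array($p, $allowed_extra, true)) {
            $report['only_allowed'] = false;
            $report['unexpected'][] = $p;
        }
    }

    // Behavioural check: with open_basedir in force this read must fail
    // (PHP emits a warning and returns false; @ keeps the report clean).
    $report['passwd_read_blocked'] = (@file_get_contents('/etc/passwd') === false);

    return $report;
}

// get_current_user() returns the owner of the running script, which on a
// cPanel-style layout is the account name.
$home   = '/home/' . get_current_user();
$report = open_basedir_report($home);

header('Content-Type: text/plain');
foreach ($report as $key => $value) {
    $shown = is_array($value) ? implode(', ', $value) : var_export($value, true);
    printf("%-20s %s\n", $key, $shown);
}
if ($report['open_basedir'] === '' || !$report['passwd_read_blocked']) {
    echo "WARNING: scripts in this account are NOT confined to {$home}\n";
}
```

Run it once per account after changing the vhost configuration; a clean result shows the home directory in `open_basedir`, no unexpected entries, and `passwd_read_blocked` true. Remember that open_basedir only restricts PHP's own file functions; it does nothing for shell commands spawned through `exec()` and friends, which is where phpsuexec or `disable_functions` come in.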
  3. SoftmegUK

    SoftmegUK Well-Known Member

    Joined:
    Feb 13, 2002
    Messages:
    372
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    Think you mean phpsuexec in that bit :)

  4. mccmikey

    mccmikey Member

    Joined:
    Sep 21, 2002
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    On a similar theme...

    I have a file upload facility. Recently I discovered someone had uploaded a file called help2.php. While it was actually an effective browsing tool for listing files, etc., it also had the ability to view file contents, and could browse out of the user's folder into other folders. This meant they could view php and cgi scripts as text, which seems rather dangerous.

    Note that they cannot look in to other cpanel accounts, only the one they are loaded on, but it is still a risk.

    The file upload facility now bans the upload of php files :)

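Banning ".php" names is a start, but a deny-list has to enumerate every extension the server will execute, and it still trusts the client-supplied file name. The handler below is an added example, not the poster's upload facility: it accepts only an allowlist of extensions, checks the real content type with finfo, stores the file under a server-generated name in a directory outside the document root, and never marks it executable. The directory path, size limit and allowlist are constructed values.

```php
<?php
// Added example (not code from the thread): an upload handler that uses an
// allowlist and stores files outside the web root.
// Assumptions (constructed): uploads live in UPLOAD_DIR, which is not served
// directly; a separate download script streams them back with readfile().

const UPLOAD_DIR = '/home/exampleuser/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Extension => MIME type the file content must actually have.
const ALLOWED = array(
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
);

// Returns the accepted extension, or null when the upload must be rejected.
function validate_upload(string $original_name, string $tmp_path, int $size): ?string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Only the final extension matters for the decision; the original name is
    // never reused, so "tool.php.jpg" cannot end up on disk under that name.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Inspect the bytes, not $_FILES['upload']['type'], which the client sets.
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $actual = $finfo->file($tmp_path);
    if ($actual !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

// Moves a validated upload into UPLOAD_DIR; returns the stored name or null.
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validate_upload($file['name'], $file['tmp_name'], (int) $file['size']);
    if ($ext === null) {
        return null;
    }
    // Random server-chosen name: no path separators, no double extensions.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable, never executable
    return $stored;
}

if (isset($_FILES['upload'])) {
    $name = store_upload($_FILES['upload']);
    http_response_code($name === null ? 400 : 200);
    echo $name === null ? "upload rejected\n" : "stored as {$name}\n";
}
```

Keeping the upload directory outside the document root is what actually prevents an uploaded script from running; as a second layer, if the directory must be web-accessible, an Apache `<Directory>` block for it with `php_admin_flag engine off` stops mod_php from executing anything placed there.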
  5. SoftmegUK

    SoftmegUK Well-Known Member

    Joined:
    Feb 13, 2002
    Messages:
    372
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    Yeah, you've always got to make sure your scripts are safe. It's like, say, if you have <?php include "$page"; ?> in your script, they can then use the $page variable to browse anything they like :)

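The `include "$page"` pattern from the post is shown below beside two hardened versions. This is an added example rather than code from the thread: the first fix maps request tokens to file names so nothing the client sends becomes part of a path, and the second, for a dynamic set of pages, resolves the path with realpath() and requires it to stay inside the pages directory. `PAGES_DIR` and the page names are constructed; open_basedir (discussed earlier in the thread) remains the server-side backstop if application code like this gets it wrong.

```php
<?php
// Added example (not from the thread): vulnerable include beside two safer
// alternatives. PAGES_DIR is a constructed path.

const PAGES_DIR = '/home/exampleuser/public_html/pages';

// Vulnerable: $page arrives straight from the request (register_globals or
// $_GET), so any file PHP can read is pulled in. Shown for contrast only.
function render_page_unsafe(string $page): void
{
    include $page;
}

// Fix 1: a fixed map from request token to file. The client value is only
// ever used as an array key, never as a path component.
const PAGE_MAP = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

function render_page_mapped(string $page): bool
{
    if (!isset(PAGE_MAP[$page])) {
        return false;                  // unknown page: caller answers 404
    }
    include PAGES_DIR . '/' . PAGE_MAP[$page];
    return true;
}

// Fix 2: for a directory of pages that changes, constrain the name to a
// simple token and verify the resolved path is still under PAGES_DIR.
function resolve_page_path(string $page): ?string
{
    // Reject separators, dots and NUL bytes before touching the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;                   // directory missing or page not found
    }
    // realpath() has followed any symlink; the result must sit inside $base.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function render_page_checked(string $page): bool
{
    $path = resolve_page_path($page);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
if (!render_page_mapped($page)) {
    http_response_code(404);
    echo "no such page\n";
}
```

Prefer the map whenever the set of pages is known; the realpath() check is there for the cases where it is not, and it deliberately checks the resolved path rather than the requested string so that a symlink inside the pages directory cannot point the include elsewhere.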
  6. Pda0

    Pda0 Well-Known Member

    Joined:
    Jun 13, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Why is this different if the user uploads the 'browsing tool' via FTP?

    Well, the php script can mess only with the user's things and all-writable files. It's very difficult to change all the permissions of the system in order to enforce security correctly, especially in Linux.

    .pd
