Hi,

We have installed ISPconfig to manage web, mail, ftp and dns severs.
But when I create mail/ftp accounts in it, users can upload any type of files (and also php codes) and run them. by this, user can for example get source code of our website or see the content of other folders. (however users can not change other user's folder contents.)
permission of users folder is 755.

what we can do with this issue?

regards,

To be honest if i was a customer and i wanted to upload php websites i would be pissed if i wasnt able to.

Im sure they can upload whatever file they if using direct ftp access but only the admin of the site is entitled to do that.

If your using a page where the websites users are uploading files, you can modify the upload script to only allow what type of file to be permissable.

afaik (i could be wrong) but i don't think multiple users have ftp access. i could be wrong. Just the admin of the website does.

You could chroot your users so that they cannot get outside their home dir. Dont know your Dist. but you could try something like this http://www.howtoforge.com/chroot_ssh_sftp_debian_etch

You can use PHP Safe Mode. That way, PHP scripts cannot read the contents of files/directories outside the document root.

Dear Falko,

because of our main web structure, I can not enable PHP safe mode. because in that way I have to give some folders permissions that is more dangerous than now.

EDIT:
As Daveb advised, I think it is a good idea to chroot user's folders. but if I do this, can users access to their database if needed?

Chrooting works just for ssh, it has no affect on php scripts and will not help you in this regard. The only way to separate php scripts is to use safemode or suphp.

Dear Falko,

because of our main web structure, I can not enable PHP safe mode. because in that way I have to give some folders permissions that is more dangerous than now.

EDIT:
As Daveb advised, I think it is a good idea to chroot user's folders. but if I do this, can users access to their database if needed?

But for this you have open_basedir, to restrict to not access files outside there defined paths.

Dear friends,

All of these solutions are great but are unsuitable for me because:

1- suphp limits php execution by code owner however all of users's directory owned by apache.

2- open_basedir limits based on directory. for example you can limit php execution to /home/web1/web address. But I want each user can execute its code into its directory only.

By the way, what is your idea about Suhosin?
I have not any idea on it.

with regards,

Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.It's no solution for your problem.