HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Installation/Configuration > security question (http://www.howtoforge.com/forums/showthread.php?t=27466)

kidalabama 4th October 2008 21:51

security question
 
I installed ISPConfig and it is running very well. But I tested the security setup with the c99shell.php security test script, and I can access all directories, for example / and others. But it should only be able to access this directory: /var/www/web1/. What is my problem? Please help. Thank you.


Note: I researched this; maybe the problem comes from open_basedir in php.ini, or from the web1 Apache conf.

falko 5th October 2008 20:05

Please enable PHP Safe Mode or use suPHP.

kidalabama 5th October 2008 20:43

Yes, when I enabled safe mode this code was added:

php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web1/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web1/phptmp/
php_admin_value session.save_path /var/www/web/phptmp/


But you must also add this code when safe mode is disabled, because otherwise the user is not jailed in their directory:
php_admin_value open_basedir /var/www/web1/


And Joomla does not support safe_mode.

I have no knowledge of suPHP. I must learn suPHP. Thank you.

I manually edited /root/ispconfig/scripts/lib/config.lib.php so that open_basedir is enabled even when PHP safe mode is disabled.

Ben 6th October 2008 09:02

I think he is right.

But I'd guess a bit more is needed here. On one side, either drop open_basedir completely or, the much better solution, have a text field where an admin may add specific paths for a web, to which this web may get access too. E.g. when using PEAR's php_ajax package, which needs libraries from the general PEAR store on the server (which is placed differently depending on the distro used).

kidalabama 6th October 2008 13:39

I edited config.lib.php:

if($web["web_php_safe_mode"]){
    // Safe mode on: jail PHP to the web's document root and keep the
    // upload and session directories inside that jail.
    $php .= "\nphp_admin_flag safe_mode On
php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/
php_admin_value session.save_path ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/";
} else {
    // Safe mode off: still restrict open_basedir to the document root.
    $php .= "\nphp_admin_flag safe_mode Off
php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."";
}
}
} else {
    // The two closing braces above belong to enclosing blocks of
    // config.lib.php that are not part of this excerpt.
    $php = "\nphp_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."";
}

I added php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]." two times.

But php_admin_value open_basedir is added for all domains.
I don't want one domain to get this code added. How can I do this?
I want it added for all domains except one, but my code adds it to all domains.
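One way to generate these directives per web, covering both the per-domain exemption asked about above and the admin-granted extra paths Ben suggests. This is an added example, not ISPConfig's own config.lib.php code; the function name, the exemption and extra-path arguments, and the web_domain key are assumptions, while doc_id, web_php_safe_mode and the httpd root value follow the excerpt.

```php
<?php
// Added example (not ISPConfig code). Builds the php_admin_* lines for one
// web. $httpdRoot stands for server_conf["server_path_httpd_root"].
function build_php_directives(array $web, string $httpdRoot,
                              array $exemptDomains = [], array $extraPaths = []): string
{
    $docRoot = rtrim($httpdRoot, '/') . '/web' . $web['doc_id'] . '/';
    $tmpDir  = $docRoot . 'phptmp/';

    // open_basedir list: the web's document root plus any extra paths an
    // admin has granted (e.g. a system-wide PEAR directory).
    $paths = [$docRoot];
    foreach ($extraPaths as $p) {
        $paths[] = rtrim($p, '/') . '/';
    }
    $basedir = implode(PATH_SEPARATOR, $paths);   // ':' on Linux

    $php = '';
    if (!empty($web['web_php_safe_mode'])) {
        // Safe mode on: upload and session dirs stay inside the jail.
        $php .= "\nphp_admin_flag safe_mode On";
        $php .= "\nphp_admin_value file_uploads 1";
        $php .= "\nphp_admin_value upload_tmp_dir {$tmpDir}";
        $php .= "\nphp_admin_value session.save_path {$tmpDir}";
    } else {
        $php .= "\nphp_admin_flag safe_mode Off";
    }

    // Emit open_basedir in both branches, except for exempt domains
    // (web_domain is an assumed field name).
    if (!in_array($web['web_domain'], $exemptDomains, true)) {
        $php .= "\nphp_admin_value open_basedir {$basedir}";
    }
    return $php;
}

// Constructed sample record, not real data.
$web = ['doc_id' => 1, 'web_domain' => 'example.com', 'web_php_safe_mode' => 0];
echo build_php_directives($web, '/var/www', ['trusted.example'], ['/usr/share/php']), "\n";
// Emits safe_mode Off and open_basedir /var/www/web1/:/usr/share/php/
```

The phptmp directory is kept inside the open_basedir list on purpose, since upload_tmp_dir and session.save_path must remain reachable under the restriction.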

kidalabama 8th October 2008 12:12

I am sending a PHP security control program. I can access all the other hostings and folders, please help. And please test it, it is a very bad security risk.
For example, I open a host as a customer, and this customer can access all the other hostings. It is very dangerous.

