HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)
-   -   Aditional php.ini (http://www.howtoforge.com/forums/showthread.php?t=49580)

ivomendonca 21st October 2010 17:59

Aditional php.ini
 
:mad:Hi, i think i found a bug or a miss beavior.

Why the change to php.ini as to be inside cp ?
And not like other panels that just place multiple php.ini, inside user dir.

And if is possible to parce multiple php.ini extension dir.
Now is working but if i load a dl('something.so') the other extensions fail (mysqli for example) to load (because they are in default php extension folder ).

The php.ini inside user folder is very easy to implement, the extension i dont know but is a strange beavior, the second php.ini shoud run when the fist php.ini are allready loaded (if can be done).

The other part is php ini_set('something',1) is not working too.Last ispconfig version and fast-gci.

Thanks.

till 21st October 2010 18:33

Not sure what you did, the function works perfectly on my server.

Quote:

The php.ini inside user folder is very easy to implement, the extension i dont know but is a strange beavior, the second php.ini shoud run when the fist php.ini are allready loaded (if can be done).
The php.ini inside the user folder is very easy to be exploited and can be easily used to take over your server.

ISPConfig uses a optional php.ini file for every website which is in a separate and safe folder. You can set the any kind of php.ini variables directly in the php.ini field on the options tab of the website.

Quote:

The other part is php ini_set('something',1) is not working too.Last ispconfig version and fast-gci.
If this is allowed or not depends if you allow the ini_set in your php.ini or not.

ivomendonca 21st October 2010 22:08

Quote:

Originally Posted by till (Post 242461)
Not sure what you did, the function works perfectly on my server.



The php.ini inside the user folder is very easy to be exploited and can be easily used to take over your server.
Ok

ISPConfig uses a optional php.ini file for every website which is in a separate and safe folder. You can set the any kind of php.ini variables directly in the php.ini field on the options tab of the website.
ok


If this is allowed or not depends if you allow the ini_set in your php.ini or not.

IN SITES->PHP.ini try load a php extension that is on your site folder (the simple hello php extension).
This will change the default extension folder and all other php extensions will not load.

I want to load normal default server extensions;
...\php5\default_dir\mysqli.so -> Normal Beavior

And some adicional extensions to load at runtime:

like : \clients\....\web\ioncube.so

Now i(a site owner) can only load, mysqli.so OR ioncube.so

Do you know any workout for that ? Did i make my question clear ?

Ok, Thanks.

till 21st October 2010 23:09

From the security standpoint you should not allow your site owners to load any binary extensions that you have not approved and uploaded to the global extension directory. If you want to offer your customers ioncube and zend decoders, then you should put them into the global extension directory.

Regarding the dl() function, as far as I know you have to specify the complete path to the extension if it is not in the global extension directory. E.g. if you allow dl() function calls for your customers and the extension is in website root directory of web3, then try something like dl('/var/www/clients/client1/web3/abcd.so')

You should see the php documentation for details, it is described there where dl searches for extensions:

http://de3.php.net/manual/en/function.dl.php


All times are GMT +2. The time now is 17:52.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.