HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)

- - Potential Security Vulnerability? (http://www.howtoforge.com/forums/showthread.php?t=51726)

Potential Security Vulnerability?

How are people able to reach this directory?
[Wed Mar 02 12:59:09 2011] [error] [client 217.22.231.30] File does not exist: /usr/share/phpmyadmin/scripts

This is from a vhost's error log, it shows up fairly frequently. This directory is way outside of the vhost's path (/var/www/clients/client1/web1/web). I can't even figure out how I could point a web browser to that directory.

Running ISPConfig 3.0.3.2 using the Ubuntu 10.04 Perfect Server setup

It's not a security hole

just look at your php-cgi wrapper the open-base-dir:

Quote:

"/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp:/var/www/clients/client1/web1/backup:/var/www/friendlyphotozone.com/web:/srv/www/friendlyphotozone.com/web:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin"

(took from your other topic)

Without allowing to acces /usr/share/phpmyadmin, www.friendlyphotozone.com/phpmyadmin/ will not work correctly.

If you ask why www.friendlyphotozone.com/phpmyadmin/ work by default, just look at the file :

Code:

/etc/apache2/conf.d/phpmyadmin.conf

If you want to change the alias

Code:

Alias /phpmyadmin /usr/share/phpmyadmin

Code:

Alias /what-ever-you-want /usr/share/phpmyadmin

and do

Code:

/etc/init.d/apache2 reload

of course to do that you must be root or have root privilege.

Quote:

Originally Posted by Dark_Balor (Post 252556)

It's not a security hole

Thank you! I didn't realize that each vhost had a separate phpmyadmin alias. That explains a lot.