6th June 2012, 09:53
till
Super Moderator
 

This website must have been created with security level medium and not level high, as the permissions of the "web" folder are 755 and not 710, or you don't use the current ISPConfig version. Please create a new website after you set the security level to high and after you updated ISPConfig to 3.0.4.5; the permissions of the new "web" directory should then be 710 and you cannot access it anymore from another site.

Quote:
I can only read the code, but not edit it.
That's because the default files are world readable as they don't contain any security related code. If you change the file permissions to 700 or 750 for a file (you can do this for all new files by changing the default umask of the FTP daemon), then other sites can't read any code inside the files while Apache can still execute them.

Besides the Linux permission layer of security, you should check which other exec function is used by the shell that you used to test your server and add this function to the disabled_functions list as well. You can also turn on the PHP safemode in the custom php.ini field; safemode is deprecated according to the PHP developers, but it might give you some additional security to turn it on.
__________________
Till Brehm
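One way to check the modes discussed in the post above, as an added example that is not part of the original post or of ISPConfig. It assumes each site's document root is a directory named "web" under a base directory you pass in, and that GNU stat and find are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post or of ISPConfig.
# Assumptions: each site's document root is a directory named "web" somewhere
# under the base directory given as $1; GNU stat and find are available.

# audit_web_dirs BASE
# Prints "<OPEN|OK> <mode> <path>" for every "web" directory under BASE.
# OPEN = the "other" permission digit is non-zero (e.g. 755), so other local
# users can enter the directory; OK = it is zero (e.g. 710).
# Returns 1 if any directory is OPEN, 0 otherwise.
audit_web_dirs() {
    base=$1
    rc=0
    # A temp file instead of a pipe keeps rc in the current shell.
    list=$(mktemp) || return 2
    # -prune: do not descend into a site's content looking for more "web" dirs
    find "$base" -type d -name web -prune | sort > "$list"
    while IFS= read -r dir; do
        mode=$(stat -c '%a' "$dir")   # octal mode without leading zero
        if [ $((mode % 10)) -ne 0 ]; then
            echo "OPEN $mode $dir"
            rc=1
        else
            echo "OK $mode $dir"
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# world_readable_files DIR
# Prints how many regular files under DIR carry the read bit for "other",
# i.e. files whose code another site could read once it reaches the directory.
world_readable_files() {
    n=$(find "$1" -type f -perm -o=r | wc -l)
    echo $((n))
}

# Stand-alone use: sh audit.sh /path/to/sites
if [ "$#" -gt 0 ]; then
    audit_web_dirs "$1"
fi
```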