#1
4th October 2008, 21:51
kidalabama (Junior Member)

security question

I installed ISPConfig and it is running very well. But I tested the security with the c99shell.php security test script, and I can access all directories, for example / and others. But it must only be able to access this directory: /var/www/web1/. What is my problem? Please help. Thank you.


Note: I researched this; maybe the problem comes from open_basedir in php.ini, or from the web1 Apache conf.

Last edited by kidalabama; 4th October 2008 at 22:12.
#2
5th October 2008, 20:05
falko (Super Moderator)

Please enable PHP Safe Mode or use suPHP.
__________________
Falko
#3
5th October 2008, 20:43
kidalabama (Junior Member)

Yes, when I enabled safe mode this code was added:

php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web1/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web1/phptmp/
php_admin_value session.save_path /var/www/web/phptmp/


But you must also add this code when safe mode is disabled, because otherwise the user is not jailed in their directory:
php_admin_value open_basedir /var/www/web1/


And Joomla does not support safe_mode.

I have no knowledge of suPHP. I must learn suPHP. Thank you.

I manually edited /root/ispconfig/scripts/lib/config.lib.php so that when PHP safe mode is disabled, open_basedir is still enabled.

Last edited by kidalabama; 5th October 2008 at 20:48. Reason: for edit config.lib.php
#4
6th October 2008, 09:02
Ben (Moderator)

I think he is right.

But I'd guess a bit more is needed here. On one side, either drop open_basedir completely or, the much better solution, have a text field where an admin may add specific paths for a web, which that web may then get access to. E.g. when using PEAR's php_ajax package, which needs libraries from the general PEAR store on the server (which is placed differently depending on the distro used).
#5
6th October 2008, 13:39
kidalabama (Junior Member)

I edited config.lib.php:
// Excerpt from the modified block. The enclosing "if (...) {" that the
// final "} else {" belongs to is above the quoted lines and is not shown here.
$httpd_root = $mod->system->server_conf["server_path_httpd_root"];
// Trailing slash matters: open_basedir is a prefix match, so "/var/www/web1"
// would also allow /var/www/web10, while "/var/www/web1/" does not.
$webdir = $httpd_root."/"."web".$web["doc_id"]."/";
if($web["web_php_safe_mode"]){
    $php .= "\nphp_admin_flag safe_mode On
php_admin_value open_basedir ".$webdir."
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir ".$webdir."phptmp/
php_admin_value session.save_path ".$webdir."phptmp/";
} else {
    // safe_mode Off: the web is still jailed with open_basedir
    $php .= "\nphp_admin_flag safe_mode Off
php_admin_value open_basedir ".$webdir;
}
} else {
    // outer else branch: open_basedir is emitted here as well (the second
    // place the directive was added)
    $php = "\nphp_admin_value open_basedir ".$webdir;
}

I added the line php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]." two times.

But open_basedir was added for all domains.
I don't want one domain to get this line. How can I do this?
I want it added for all domains except only one domain, but my code adds it for all domains.

Last edited by kidalabama; 6th October 2008 at 13:45.
#6
8th October 2008, 12:12
kidalabama (Junior Member)
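As an added example (not ISPConfig's own config.lib.php and not code from the thread), one way to generate the directives discussed in #4 and #5: open_basedir is applied in both the safe_mode On and Off branches, a per-web exemption list covers the one domain that should not be jailed, and an admin-supplied list of extra paths (such as a PEAR directory) is appended. The function and variable names, the /var/www root, the PEAR path and the sample domains are assumptions.

```php
<?php
// Added example, not ISPConfig code. Builds the per-vhost PHP directives that
// config.lib.php emits for one web. All names here are assumptions.

function normalize_dir(string $dir): string {
    // open_basedir entries are prefix matches: "/var/www/web1" would also
    // allow /var/www/web10. Always end each entry with a slash.
    return rtrim($dir, '/') . '/';
}

function build_php_directives(array $web, string $httpd_root,
                              array $open_basedir_exempt = [],
                              array $extra_paths = []): string {
    $webdir = normalize_dir($httpd_root) . 'web' . (int)$web['doc_id'] . '/';
    $tmpdir = $webdir . 'phptmp/';
    $lines  = [];

    if (!empty($web['web_php_safe_mode'])) {
        $lines[] = 'php_admin_flag safe_mode On';
        $lines[] = 'php_admin_value file_uploads 1';
        $lines[] = 'php_admin_value upload_tmp_dir ' . $tmpdir;
        $lines[] = 'php_admin_value session.save_path ' . $tmpdir;
    } else {
        $lines[] = 'php_admin_flag safe_mode Off';
    }

    // The jail is emitted in both branches unless this web is explicitly exempt
    // (the "all domains except one" case from post #5).
    if (!in_array($web['domain'], $open_basedir_exempt, true)) {
        $allowed = [$webdir];
        foreach ($extra_paths as $path) {   // admin-added paths, as in post #4
            $allowed[] = normalize_dir($path);
        }
        $lines[] = 'php_admin_value open_basedir '
                 . implode(PATH_SEPARATOR, array_unique($allowed));
    }
    return "\n" . implode("\n", $lines);
}

// Constructed sample data for the example.
$webs = [
    ['doc_id' => 1, 'domain' => 'shop.example',   'web_php_safe_mode' => 0],
    ['doc_id' => 2, 'domain' => 'legacy.example', 'web_php_safe_mode' => 0],
];
foreach ($webs as $w) {
    echo '# ' . $w['domain'] . build_php_directives(
        $w, '/var/www',
        ['legacy.example'],   // the one domain left without open_basedir
        ['/usr/share/php']    // hypothetical PEAR location
    ) . "\n\n";
}
```

For shop.example the output carries safe_mode Off plus open_basedir /var/www/web1/:/usr/share/php/, while legacy.example gets only the safe_mode line.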

I am sending a PHP security control program. I can access all the other hostings and folders, please help. And please test it; it is a very bad security risk.
For example, I open a hosting customer account and this customer can access all the other hostings. It is very dangerous.
Attached Files
File Type: zip the.txt.zip (43.9 KB, 196 views)
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.