A big security issue in FTP server

Discussion in 'Installation/Configuration' started by freesqrt, Jun 15, 2008.

  1. freesqrt

    freesqrt New Member


    We have installed ISPconfig to manage web, mail, ftp and dns severs.
    But when I create mail/ftp accounts in it, users can upload any type of files (and also php codes) and run them. by this, user can for example get source code of our website or see the content of other folders. (however users can not change other user's folder contents.)
    permission of users folder is 755.

    what we can do with this issue?

  2. Rockdrala

    Rockdrala New Member

    To be honest if i was a customer and i wanted to upload php websites i would be pissed if i wasnt able to.

    Im sure they can upload whatever file they if using direct ftp access but only the admin of the site is entitled to do that.

    If your using a page where the websites users are uploading files, you can modify the upload script to only allow what type of file to be permissable.

    afaik (i could be wrong) but i don't think multiple users have ftp access. i could be wrong. Just the admin of the website does.
  3. daveb

    daveb Member

  4. falko

    falko Super Moderator ISPConfig Developer

    You can use PHP Safe Mode. That way, PHP scripts cannot read the contents of files/directories outside the document root.
  5. freesqrt

    freesqrt New Member

    Dear Falko,

    because of our main web structure, I can not enable PHP safe mode. because in that way I have to give some folders permissions that is more dangerous than now.

    As Daveb advised, I think it is a good idea to chroot user's folders. but if I do this, can users access to their database if needed?
    Last edited: Jun 17, 2008
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Chrooting works just for ssh, it has no affect on php scripts and will not help you in this regard. The only way to separate php scripts is to use safemode or suphp.
  7. Ben

    Ben ISPConfig Developer ISPConfig Developer

    But for this you have open_basedir, to restrict to not access files outside there defined paths.
  8. freesqrt

    freesqrt New Member

    Dear friends,

    All of these solutions are great but are unsuitable for me because:

    1- suphp limits php execution by code owner however all of users's directory owned by apache.

    2- open_basedir limits based on directory. for example you can limit php execution to /home/web1/web address. But I want each user can execute its code into its directory only.

    By the way, what is your idea about Suhosin?
    I have not any idea on it.

    with regards,
  9. falko

    falko Super Moderator ISPConfig Developer

    It's no solution for your problem.

Share This Page