Limit PHP execution in folders

Discussion in 'Installation/Configuration' started by davood00, Aug 24, 2008.

  1. davood00

    davood00 New Member

    Hello to all,
    I'm new in this forum and this is my first post.

    I have a question.
    I have a site which it's domain is, and there are some users that have mail and ftp access on this site. With FTP, they can upload files near website's PHP files, so they can run PHP scripts. For some reasons, I cannot turn Safe_Mode on (and I hate it too!), and because all users and main website pages are in a same VHost, I think suPHP or suExec can not secure website pages from malicious users. So, I decided to limit execution of PHP scripts in the main website folder by doing something like this in httpd.conf:
    <Directory /home/web/web1/web>
    [INDENT]AddType application/x-httpd-php .php .php3 .php4 .php5[/INDENT]
    And I've removed the AddType line in the main section of VHost directive. Looks like I've succeeded to prevent users running PHP scripts, But I'm not sure whether this way is right or not, and I don't know if any security issues remain.
    Can anyone help me and tell me the right way and other security issues which may be persist?
    Excuse me for my long story!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please enable chrooting in proftpd conf as described in the perfect setup guides, then none of your other FTP users except of the admin user is able to upload any files to the web directory,

Share This Page