PHP File Browsers

Discussion in 'ISPConfig 3 Priority Support' started by jon, Oct 28, 2013.

  1. jon

    jon Member HowtoForge Supporter

    I located a php file browser on a customers web site. This browser allowed anyone to browse through the entire file system of the hosting server.

    Standard permissions applied, and it would seem nothing bad has happened.

    My concern is that if a user has something like this, or their site allowed someone to upload something like this, it could put the whole server at risk.

    I understand there is a chroot for SSH, would it be a good idea here? If so, can I implement it on an active server?
     
  2. ressel

    ressel Member

    Have you enabled suexec on websites?
     
  3. jon

    jon Member HowtoForge Supporter

    I don't believe so, can you remind me where to double check?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Ensure that you hardened your php install by disabling functions like exec, passthru etc. are disabled in the php.ini used for cgi/fcgi and php fpm.
    2) Ensure that suexec is enabled in the website settings.
    3) Ensure that you use php mode php-fcgi or php-fpm.
     
  5. jon

    jon Member HowtoForge Supporter

    1) Seems to be OK
    2 and 3) Is there a global way to check this, or is it per client?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    2+3) This is set in the website settings. The php mode can also be limited in the client settings.
     

Share This Page