PHP Security

Discussion in 'General' started by alexillsley, Dec 30, 2006.

  1. alexillsley

    alexillsley ISPConfig Developer

    Hi,
    If you have a user with site that has php access and they upload a php file manager onto it, they can see your whole hard drive:eek: Is there anyway to restrict a users php scripts from seeing above of there sites folder:confused:
    thanks,
    Alex
     
  2. till

    till Super Moderator

    Yes, enable the PHP safemode checkbox for this site.
     
  3. alexillsley

    alexillsley ISPConfig Developer

    YAY:) THANKS that script just gives a load of errors now:)
     
  4. Craig

    Craig New Member

    safemode PHP is a very powerful tool for the ISP! :)

    You should definitely turn it on for every site that is not actually yours, i.e. all your client sites that you do not control directly.

    It is similar to creating separate "sand boxes" on the MySQL server for the different clients. It makes it so that they can't see or touch each other.
     
  5. alexillsley

    alexillsley ISPConfig Developer

    Safe Mode appears to be a little to safe, on safe mode phpbb forums will not work:(

    any ideas how can i let phpbb work:confused:
    Thanks,
    Alex
     
    Last edited: Dec 31, 2006
  6. Craig

    Craig New Member

    What errors are you getting in phpBB? Can you copy and paste them here? Although I don't use phpBB, I use punBB, I haven't had any problems in safemode so maybe I can help you by comparing configurations or something.

    In any event, it should work although it may take a little tweaking.
     
  7. alexillsley

    alexillsley ISPConfig Developer

    I just edited the post as you said that ...
     
  8. Craig

    Craig New Member

    I almost heard you typing! ;)

    I'm not exactly sure what is going wrong for you but since safemode will prevent scripts from accessing files above their location, I think, my guess is that some of the the files on the include list are outside of your client site's directories and so off limits.

    One thing that suggests that is this error specifically,
    Code:
    include_path='.:/usr/share/php5:/usr/share/php5/PEAR'
    If I were to guess that that is outside of your client directory, would I be correct because I think that is where you problem with safemode might be.

    I guess it would help to know your directory structure, where the client scripts are, what scripts and where, if any, those scripts are trying to access etc.

    One way or another, you defnitely need to get safemode working because it is the only way to prevent a given clien't scripts from doing possible damage outside of their client area.

    [EDIT] There is this info at phpbb's site that is basically says that safemode should work although it does have a little additional info. May be useful to take a look. http://www.phpbb.com/support/documents.php?mode=install#safemode
     
    Last edited: Dec 31, 2006
  9. alexillsley

    alexillsley ISPConfig Developer

    Thanks :) the forum is currently stored under /srv/www/web5/web/forum/index.php but it doesnt really matter as i am the client and i own the server so i can trust myself:) but i was think if i let other people use it, they are very likley to want have a forum on it..
     
  10. Craig

    Craig New Member

    Exactly. So, you have two choices, get safe mode working, which phpbb says it should work, or have to trust anyone you give PHP access to with your entire server.

    [EDIT : Ok, so /srv/www/web5/web/forum/index.php is trying to set /usr/share/php5:/usr/share/php5/PEAR as it's path, which is definitely outside of the "client's" access area so the next question is what is in /usr/share/php5 and/or /usr/share/php5/PEAR that phpbb needs.

    There should be some reference to it in /srv/www/web5/web/forum/index.php so there should be som way to figure out what it needs from there and maybe do something about that. Maybe.
     
    Last edited: Dec 31, 2006
  11. alexillsley

    alexillsley ISPConfig Developer

    any ideas how to fix it? i can give you FTP access?
    Thanks,
    Alex
     
  12. Craig

    Craig New Member

    I do have some ideas but I can't really spare the time. :(

    What I can do however is help walk you through trouble shooting and fixing the problem yourself although at this point, it is no longer really a ISPConfig problem but instead, a phpbb/safemode problem.

    And, since you already have this thread going here, I could help you trouble-shoot the problem in this thread although to be honest, I think you might be able to get more experienced help by going to the phpbb forums.

    That's not to say I am not willing to help you but instead, they could probably help you better than I.

    But, it's your choice, me try to help or you see what you can find at the phpbb forums.
     
  13. alexillsley

    alexillsley ISPConfig Developer

    well, if you got some ideas then tell me:) otherwise ill head over to the phpbb forums,
    Thanks for your help!
     
  14. Craig

    Craig New Member

    I have some ideas but I think you should head over there anyway.

    But, my idea is that you could look in index.php and try to find out what it uses from the /php5/ and /php5/PEAR directories. It is possible that there is actually nothing used and you could safely get rid of the "include" and it still work.

    On the other hand, it may actually need something from there but give you a different error, i.e. something that should be defined, a function or a variable, actually not being defined in which case it is likely a function or variable defined in some file in either /php5/ or /php/PEAR.

    But, by at least getting past the "include/safemode" error you might then move on to a new error that might then tell you what in those included directories are needed.

    Make sense?

    If I am not making sense, it is because it is just after midnight here and I've had some Champaine to drink so I could blame it on that. ;)

    Happy New Year, by the way. :)
     
    Last edited: Dec 31, 2006

Share This Page