advice request for shared hosting and security issue

[Oğuz Yarımtepe <oguzyarimtepe@gmail.com>]

Hi,

I have a Debian Squeeze web server running PHP-FPM, fastcgi with apache2. I used dotdeb sources to install php-fpm and fastcgi. There are many vhosts defined on them, each has their own pool configuration and working without problems.

My current problem is about the PhpSpy program. It is a PHP file that runs dir, chdir, readdir commands and let the user traverse the file system and read files. I couldn't figured it out a solution for it.

I used chroot option at the pool configuration which didn't worked. It seems there is a but with Apache2 and Fastcgi usage. I enabled suexec also which didn't helped.

I can try to disable opendir, chdir commands globally then some php files under vhost directories will be broken.

What is the solution? Should i set chroot? If so how? Any working combination will be great for Debian Squeeze.

I will be appreciated if there is an easier solution also.

Below include the detail conf files and my question i asked to stackoverflow:
http://stackoverflow.com/questions/17251170/php-fpm-is-not-working-as-expected

Will be great if someone help.

Cheers.

--
Oğuz Yarımtepe
http://about.me/oguzy