Re: advice request for shared hosting and security issue

To: "debian-isp@lists.debian.org" <debian-isp@lists.debian.org>
Subject: Re: advice request for shared hosting and security issue
From: Marek Podmaka <marki@marki-online.net>
Date: Mon, 24 Jun 2013 07:58:23 +0200
Message-id: <[🔎] 9642758.20130624075823@marki-online.net>
Reply-to: Marek Podmaka <marki@marki-online.net>
In-reply-to: <-7365347615266111194@unknownmsgid>
References: <[🔎] CAKtWOTRPSoKEM3YTGqLFjkyW68rWLwsv5Ri0KmVLLiGLix0BMQ@mail.gmail.com> <12847189.12184.1371990724007.JavaMail.mobile-sync@iepx8> <-7365347615266111194@unknownmsgid>

Hello,

>> On 23.06.13 14:48, Oğuz Yarımtepe wrote:
>>> My current problem is about the PhpSpy program. It is a PHP file that runs
>>> dir, chdir, readdir commands and let the user traverse the file system and
>>> read files. I couldn't figured it out a solution for it.

As for minimum you should set open_basedir restriction, that should
prevent internal php functions to read other files. But of course it
won't help if they will use system utilities viac exec()/system() php
calls. You can disable these functions in php using the suhosin
extension (maybe also the backtick function/operator can be disabled).
And enable exec only for vhosts (or individual scripts) which need
them. It's not bulletproof, but better than nothing.

-- 
  bYE, Marki

Reply to:

Follow-Ups:
- Re: advice request for shared hosting and security issue
  - From: Thomas Goirand <zigo@debian.org>

References:
- advice request for shared hosting and security issue
  - From: Oğuz Yarımtepe <oguzyarimtepe@gmail.com>
- Re: advice request for shared hosting and security issue
  - From: Darryl Ware <darryl.ware@gmail.com>

Prev by Date: Re: advice request for shared hosting and security issue
Next by Date: Re: advice request for shared hosting and security issue
Previous by thread: Re: advice request for shared hosting and security issue
Next by thread: Re: advice request for shared hosting and security issue
Index(es):
- Date
- Thread