
Many Virtual Hosts security problem with PHP



I have a machine with many virtual hosts. Some of the virtual hosts are
maintained by clients (we serve as a web hosting company) and some are
internal.
The external accounts are locked out of the main filesystem using proftpd's
chroot feature and by having /dev/null as the shell.
My problem is that even that way users of the external group can use PHP's
fopen() to open other files. And in a PHP/MySQL environment it is not hard to
find files with database login/password. If I had lots of IPs I could run
several copies of Apache, each one on its IP and one for each external
client; I would run it with the client's group and that way I could lock each
one out of the others' accounts. The problem is that I don't have lots of IPs.
Any ideas on how to solve this?

Gustavo Felisberto
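
One commonly used mitigation for the situation described above, shown as an added example that is not part of the original message: with PHP loaded as an Apache module (an assumption here), a per-virtual-host open_basedir confines fopen() and the other PHP file functions to one client's tree while all hosts share a single IP and a single Apache instance. The host names and the /home/clients and /var/tmp/php paths are constructed placeholders.

```apache
# Constructed example: two name-based virtual hosts on one IP address.
# Assumes mod_php, so the php_admin_value directive is available.

# Weak: no per-host restriction. PHP in this vhost runs as the shared
# Apache user, so fopen() can read any file that user can read,
# including other clients' scripts that hold database credentials.
<VirtualHost *:80>
    ServerName clienta.example
    DocumentRoot /home/clients/clienta/htdocs
</VirtualHost>

# Restricted: PHP file access is limited to this client's own directories.
<VirtualHost *:80>
    ServerName clientb.example
    DocumentRoot /home/clients/clientb/htdocs

    # php_admin_value cannot be overridden from .htaccess or ini_set(),
    # so the client cannot lift the restriction from their own scripts.
    # Keep the trailing slashes: older PHP versions treat the value as a
    # string prefix, and "/home/clients/clientb" would then also match
    # "/home/clients/clientb2".
    php_admin_value open_basedir "/home/clients/clientb/:/var/tmp/php/clientb/"

    # Uploads and sessions need a writable location inside the allowed
    # paths, kept separate per client so one client's PHP cannot read
    # another client's session files.
    php_admin_value upload_tmp_dir "/var/tmp/php/clientb/"
    php_admin_value session.save_path "/var/tmp/php/clientb/"
</VirtualHost>
```

open_basedir is enforced only by PHP's own file functions; CGI scripts or other Apache modules running as the same shared user are not constrained by it.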

