If you run php in safe mode and set your PHP open_basedir to the DocumentRoot for the domain, then they cannot open any files outside of that directory.

In php.ini:

    safe_mode = on

Then in your <VirtualHost>:

    php_admin_flag engine on
    php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"

I usually have the current directory "." in there, too.

Please note the difference between flags/values and admin_flag/values.

| "Admin" configuration settings can only be set from
| within the main Apache configuration files, and not
| from .htaccess files.

http://www.php.net/manual/en/configuration.php

Cheers,
Marcel
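
Added example (not part of the original message): a Python check that reads Apache configuration text and reports, per <VirtualHost>, whether open_basedir is set with php_admin_value, set with plain php_value, or absent, and whether it covers the DocumentRoot. The sample configuration, the function name audit_vhosts and the finding labels are constructed for illustration.

```python
import re
import shlex

# Constructed sample configuration; only the first vhost mirrors the message.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/vhosts/domain.com/htdocs
    php_admin_flag engine on
    php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName weak.example
    DocumentRoot /var/www/vhosts/weak.example/htdocs
    php_value open_basedir "/var/www/vhosts/weak.example/htdocs:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName missing.example
</VirtualHost>
"""

def audit_vhosts(conf_text):
    """Map each vhost's ServerName to a finding label (labels are this example's own)."""
    findings = {}
    for block in re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        name, docroot, setter, paths = "(unnamed)", "", None, []
        for line in block.splitlines():
            tok = shlex.split(line, comments=True)
            if len(tok) < 2:
                continue
            key = tok[0].lower()
            if key == "servername":
                name = tok[1]
            elif key == "documentroot":
                docroot = tok[1].rstrip("/")
            elif key in ("php_value", "php_admin_value") and tok[1].lower() == "open_basedir" and len(tok) > 2:
                # An admin value wins over a plain one; otherwise the last line wins.
                if key == "php_admin_value" or setter != "php_admin_value":
                    setter, paths = key, [p.rstrip("/") for p in tok[2].split(":") if p]
        covered = any(docroot == p or docroot.startswith(p + "/") for p in paths)
        if setter is None:
            findings[name] = "missing"
        elif setter == "php_value":
            findings[name] = "overridable"  # plain php_value can also be set from .htaccess
        else:
            findings[name] = "locked" if covered else "docroot-not-covered"
    return findings

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_CONF))
```

safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the open_basedir lines are the part of this setup that still applies.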