Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: securing php

From: Evan Nemerson <evan () coeus-group com>
Date: Tue, 19 Aug 2003 19:55:02 -0700
Take a look at the safe_mode and open_basedir configuration options for your 
php.ini.

http://www.php.net/features.safe-mode

Also, it may be worth it to look at using Apache with cygwin... Big performace 
hit, though.

http://httpd.apache.org/docs/cygwin.html

-Evan



On Tuesday 19 August 2003 02:51 pm, Justin Shin wrote:

Hi all --

I have a friend that owns a web hosting company and recently he asked me to
check up on his security ... I found that PHP scripts could access, modify,
etc. anything on the drive. Of course, this is because PHP was invoked by
apache, which is being run as a root user (Administrator, he runs apache on
win2k3 for some odd reason) but I do not know the remedy. How could he set
up his apache/PHP so that only the users of his web hosting service could
"do stuff" to their own web directories. I know I am not explaining this
well, but I think you get the picture :) I also know there is a simple
solution to this, I googled it though and I couldn't find it.

-- Justin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: