Limiting directory access

Stageline
Limiting directory access
August 10, 2010 12:58PM
Hello

I put directory listing code into index.php, and this PHP file is stored
in the /usr/local/www/domain1.hu directory.

<?php
$dir = "../domain2.hu/";

// Open a known directory, and proceed to read its contents
if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        while (($file = readdir($dh)) !== false) {
            echo "filename: $file : filetype: " . filetype($dir . $file) . "\n<br>";
        }
        closedir($dh);
    }
}
?>

I can see the files stored in domain2; this is a high security risk on my hosting.
Does anybody have an idea how to disable /../ ?

PHP 5.2.10 (cli) (built: Aug 10 2010 15:10:57) (DEBUG)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
php-5.2.10-fpm-0.5.13 FreeBSD port
Ammon Lauritzen
Re: Limiting directory access
August 10, 2010 04:42PM
If you absolutely need to protect one domain's data from another, you
will have to chroot their fcgi pools.

The old deprecated "safe mode" probably does something like this, but
you don't want to use it.

If this is something you can trust to code, there are several ways to
do it, but all of them require a bit of overhead. Perhaps the simplest
is calling the chroot() from within scripts that are poking around
like this.

--
Ammon Lauritzen
Illó Gábor
Re: Limiting directory access
August 11, 2010 05:06AM
Hmmm. OK. And how? Is it possible with php-fpm?

--
Best Regards
Gábor Illó
Illó Gábor
Re: Limiting directory access
August 11, 2010 07:30AM
Here is the solution:

php-fpm.conf

<value name="php_defines">
    <!-- <value name="sendmail_path">/usr/sbin/sendmail -t -i</value> -->
    <value name="open_basedir">./</value>
    <value name="display_errors">1</value>
    <value name="disable_functions">system, exec, shell_exec, passthru, virtual, http_connect, ftp_connect, connect, phpinfo, fsockopen, socket_*, set_time_limit,diskfreespace, disk_free_space, disk_total_space, ini_set, phpcredits, ini_alter, ini_get_all</value>
</value>

<value name="chroot">/usr/local/www/</value>

nginx.conf

fastcgi_param SCRIPT_FILENAME /$domain$fastcgi_script_name;

index.php

<?php
echo getcwd()."<br>";
// Try to list a sibling directory outside this script's own directory
$dir = "../stageline.hu/";

if ($dh = opendir($dir))
{
    while (($file = readdir($dh)) !== false)
    {
        echo "filename: $file : filetype: " . filetype($dir . $file) . "\n<br>";
    }
    closedir($dh);
}

?>


--
Best Regards
Gábor Illó
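
Ammon's advice to chroot each domain's FastCGI pool, shown as an added example that is not from any poster in this thread. It uses the INI pool syntax of the php-fpm bundled with PHP 5.3.3 and later rather than the XML format of the 0.5.x patch above; the pool names, accounts and socket paths are assumptions.

```ini
; Added example (constructed): one pool per hosted domain, each chrooted to
; its own document root instead of a shared chroot at /usr/local/www/.
; Pool names, the domain1/domain2 accounts and the socket paths are assumptions.

[domain1]
; Dedicated unprivileged account, assumed to exist and to own only this docroot.
user = domain1
group = domain1
listen = /var/run/php-fpm-domain1.sock
; "www" is assumed to be the account nginx runs as.
listen.owner = www
listen.group = www
listen.mode = 0660
; The docroot becomes "/" for this pool. "../" from "/" resolves back to "/",
; so "../domain2.hu/" does not exist from inside this pool.
chroot = /usr/local/www/domain1.hu
chdir = /
pm = static
pm.max_children = 4
; php_admin_value settings cannot be changed by ini_set() in a script.
php_admin_value[disable_functions] = system,exec,shell_exec,passthru

[domain2]
user = domain2
group = domain2
listen = /var/run/php-fpm-domain2.sock
listen.owner = www
listen.group = www
listen.mode = 0660
chroot = /usr/local/www/domain2.hu
chdir = /
pm = static
pm.max_children = 4
php_admin_value[disable_functions] = system,exec,shell_exec,passthru

; nginx side, inside the server block for domain1. nginx itself is not
; chrooted, so it keeps its normal root; only the paths handed to PHP are
; written as seen from inside the pool's chroot:
;   fastcgi_pass  unix:/var/run/php-fpm-domain1.sock;
;   fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
;   fastcgi_param DOCUMENT_ROOT   /;
```

Anything PHP needs at run time that lives outside the chroot (a temporary directory for sessions and uploads, timezone data, resolver files, the sendmail binary) is no longer visible and has to be provided inside each docroot or configured another way.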