Here is the solution:

php-fpm.conf

<value name="php_defines">
    <!-- <value name="sendmail_path">/usr/sbin/sendmail -t -i</value> -->
    <value name="open_basedir">./</value>
    <value name="display_errors">1</value>
    <value name="disable_functions">system, exec, shell_exec, passthru, virtual, http_connect, ftp_connect, connect, phpinfo, fsockopen, socket_*, set_time_limit,diskfreespace, disk_free_space, disk_total_space, ini_set, phpcredits, ini_alter, ini_get_all</value>
</value>
<value name="chroot">/usr/local/www/</value>

nginx.conf

fastcgi_param SCRIPT_FILENAME /$domain$fastcgi_script_name;

index.php

<?php
// Show the working directory as seen by the script
echo getcwd()."<br>";
// Try to list a sibling domain's directory
$dir = "../stageline.hu/";
if($dh = opendir($dir))
{
    while (($file = readdir($dh)) !== false)
    {
        echo "filename: $file : filetype: " . filetype($dir . $file) . "\n<br>";
    }
    closedir($dh);
}
?>
2010/8/11 Illó Gábor <stageline@gmail.com>
> Hmmm. Ok. And how? Is it possible with php-fpm?
>
> 2010/8/10 Ammon Lauritzen <allaryin@gmail.com>
>
>> If you absolutely need to protect one domain's data from another, you
>> will have to chroot their fcgi pools.
>>
>> The old deprecated "safe mode" probably does something like this, but
>> you don't want to use it.
>>
>> If this is something you can trust to code, there are several ways to
>> do it, but all of them require a bit of overhead. Perhaps the simplest
>> is calling the chroot() from within scripts that are poking around
>> like this.
>>
>> On Tue, Aug 10, 2010 at 11:55 AM, Stageline <stageline@gmail.com> wrote:
>> > Hello
>> >
>> > I put directory listing code into index.php, and this PHP file is
>> > stored in the /usr/local/www/domain1.hu directory.
>> >
>> > <?php
>> > $dir = "../domain2.hu/";
>> >
>> > // Open a known directory, and proceed to read its contents
>> > if (is_dir($dir)) {
>> > if ($dh = opendir($dir)) {
>> > while (($file = readdir($dh)) !== false) {
>> > echo "filename: $file : filetype: " . filetype($dir .
>> > $file) . "\n<br>";
>> > }
>> > closedir($dh);
>> > }
>> > }
>> > ?>
>> >
>> > I can see the files stored in domain2; this is a high security risk in my hosting.
>> > Does anybody have any idea how to disable /../ ?
>> >
>> > PHP 5.2.10 (cli) (built: Aug 10 2010 15:10:57) (DEBUG)
>> > Copyright (c) 1997-2009 The PHP Group
>> > Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
>> > php-5.2.10-fpm-0.5.13 FreeBSD port
>>
>>
>>
>> --
>> Ammon Lauritzen
>>
>
>
>
> --
> Best Regards
> Gábor Illó
>
--
Best Regards
Gábor Illó
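
For the "trust to code" case mentioned in the thread, the following is an added example (not code from any participant) of an application-level containment check that canonicalizes a path and refuses anything that resolves outside one domain's docroot. The function names resolve_inside and safe_listing and the temp-directory layout are assumptions made for illustration.

```php
<?php
// Added example: confine directory listings to one domain's docroot.
// Function names and the directory layout are constructed for illustration.

/** Return the canonical path if $path resolves inside $base, else false. */
function resolve_inside($base, $path)
{
    $realBase = realpath($base);
    $realPath = realpath($path);   // collapses "..", "." and symlinks
    if ($realBase === false || $realPath === false) {
        return false;              // nonexistent path: refuse
    }
    // Compare with a trailing separator so that /www/domain1.hu does not
    // also match a sibling such as /www/domain1.hu.old.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($realPath . DIRECTORY_SEPARATOR, $prefix) === 0) {
        return $realPath;
    }
    return false;
}

/** List a directory only when it stays inside $base; false otherwise. */
function safe_listing($base, $dir)
{
    $real = resolve_inside($base, $dir);
    if ($real === false || !is_dir($real)) {
        return false;
    }
    return array_values(array_diff(scandir($real), array('.', '..')));
}

// Constructed layout mirroring the thread: two sibling docroots.
$root = sys_get_temp_dir() . '/www_demo_' . getmypid();
mkdir("$root/domain1.hu/uploads", 0700, true);
mkdir("$root/domain2.hu", 0700, true);
touch("$root/domain1.hu/uploads/a.txt");
touch("$root/domain2.hu/secret.txt");

$base = "$root/domain1.hu";
var_dump(safe_listing($base, "$base/uploads"));        // inside the docroot
var_dump(safe_listing($base, "$base/../domain2.hu/")); // sibling docroot
```

A check like this only constrains code that calls it; scripts that are not trusted still need the chroot and open_basedir settings from the message above.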