----- "Patric Falinder" <patric.falinder@xxxxxx> wrote:
> Hi,
>
> Recently one of my sites got hacked and they uploaded lots of crap to it
> that let them browse through the entire server with a php-script that
> let them do all sorts of things.
>
> I'm not an expert on Apache so that's why I'm asking you for help.
> I want to know if/how I can let a certain vhost only browse the
> content of their folder.
>
> So for example I have this vhost:
>
> <VirtualHost *:80>
>     DocumentRoot /var/www/test
>     ServerName www.test.com
>     ServerAlias test.com
>     TransferLog /var/log/apache2/test.log
> </VirtualHost>
>
> Right now they can make a file-browser in PHP and go to
> /var/www/othersite, browse /etc and by the looks of it the entire
> server..
>
> How do I "block" them from browsing the parent directories of their
> DocumentRoot?

I've written two or so wikis on that topic:

http://wiki.apache.org/httpd/SecuringPHP
http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation

This is how I do it, but there are also other options.
I am however of the firm belief that if you start securing your server
at this low a level (Unix UIDs and permissions) your chances of winning
the battle will look slightly better than when you start introducing
fancy stuff in higher layers.

> Thanks,
> -Patric

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
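
One way to check the Unix UID and permission separation recommended in the reply above, as an added example that is not part of the original thread or the linked wiki pages. It assumes one dedicated Unix user per vhost and GNU `stat`; the helper name `audit_docroots` and the finding labels are hypothetical.

```sh
#!/bin/sh
# Added example: audit DocumentRoots for Unix-level vhost isolation.
# Assumptions: each vhost runs as its own Unix user; GNU coreutils `stat -c`.

# audit_docroots DIR...  (hypothetical helper name)
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_docroots() {
    findings=0
    seen_uids=""
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            findings=1
            continue
        fi
        mode=$(stat -c '%a' "$dir")    # octal permissions, e.g. 750
        owner=$(stat -c '%u' "$dir")   # numeric owner UID

        # Any r/w/x bit for "other" lets every local account, including
        # another vhost's PHP process, list or enter this tree.
        if [ $(( 0$mode & 7 )) -ne 0 ]; then
            echo "OTHER-ACCESS $dir (mode $mode)"
            findings=1
        fi

        # Two docroots with the same owner are not separated by UID at all.
        case " $seen_uids " in
            *" $owner "*)
                echo "SHARED-UID $dir (uid $owner owns another listed docroot)"
                findings=1 ;;
            *)
                seen_uids="$seen_uids $owner" ;;
        esac
    done
    return "$findings"
}

# Run as: sh audit.sh /var/www/test /var/www/othersite
if [ "$#" -gt 0 ]; then
    audit_docroots "$@"
fi
```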