Re: How do I keep Virtual hosts from seeing the others document root?

An apology...

> On 10.03.11 03:59, aaronrus@xxxxxxxxxxx wrote:
> > While the setup Jim describes is similar to what I have set up, the issue
> > still remains: when a user uploads a PHPSHELL to their document root and
> > accesses the server through the uploaded shell, they are no longer operating
> > under the FTP user account. They are operating under the www-data account,
> > which is the account Apache operates in. By doing so, when using the
> > uploaded PHPSHELL you bypass the FTP and jail restrictions
> 
> What jail restrictions? Of course when running PHP under Apache, the
> restrictions from FTP do not apply. Therefore you must configure PHP so
> other restrictions apply.
> 
> > that prevent
> > you from seeing other peoples document root and have access to all
> > document roots on the system. Here is a PHPSHELL:
> > http://phpshell.sourceforge.net/ Upload and configure it. Give it a try; it
> > runs under the www-data account just like all other pages do.
> > 
> > This issue would allow your PHP files to be viewed. This can be an issue
> > due to needing to have passwords in PHP scripts to access SQL databases
> > etc.
> > 
> > This issue could be resolved by making each virtualhost run under a different account and jailing each account in a different jail. 

On 06.04.11 11:39, Matus UHLAR - fantomas wrote:
> read my former mail, I think I have described everything you mention.

Sorry for my ignorance. I forgot I'm in lag (illness etc.) and haven't seen
your post before (seems due to broken threading).

-- 
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
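
The isolation question raised in the quoted messages can be checked from file modes. The following is an added example, not part of the original messages: it lists the files under one document root that a given account could open, so the shared www-data case and the per-virtualhost-account case can be compared. The function names, the sample `config.php` and the uid arithmetic are assumptions made for the illustration; ACLs and the directories above the document root are not considered.

```python
import os
import stat
import tempfile

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
EXEC = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def can(st, uid, gids, bits):
    """Classic Unix mode check: owner class, then group, then other."""
    usr, grp, oth = bits
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)

def readable_files(docroot, uid, gids):
    """Files under docroot that a process running as uid/gids could open.

    Descends on search (x) permission alone, because a script that knows
    a file name (config.php) does not need to list the directory.
    """
    found = []
    st = os.lstat(docroot)
    if not stat.S_ISDIR(st.st_mode) or not can(st, uid, gids, EXEC):
        return found  # no search permission: nothing below is reachable
    for name in sorted(os.listdir(docroot)):
        path = os.path.join(docroot, name)
        st = os.lstat(path)
        if stat.S_ISDIR(st.st_mode):
            found += readable_files(path, uid, gids)
        elif stat.S_ISREG(st.st_mode) and can(st, uid, gids, READ):
            found.append(path)
    return found

def build_sample(mode_dir, mode_file):
    """Constructed sample: a docroot holding one script with a DB password."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php $db_pass = 'constructed-sample'; ?>\n")
    os.chmod(cfg, mode_file)
    os.chmod(root, mode_dir)
    return root, cfg

if __name__ == "__main__":
    root, cfg = build_sample(0o755, 0o644)
    other_uid = os.lstat(root).st_uid + 1  # stands in for another vhost's account
    print(readable_files(root, other_uid, set()))
```

Run against each document root with every other virtualhost's uid and groups; an empty result for all pairs is what running each virtualhost under its own account is meant to achieve.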



