[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] securing php
- To: "Justin Shin" <zorkshin@tampabay.rr.com>, full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] securing php
- From: Evan Nemerson <evan@coeus-group.com>
- Date: Tue, 19 Aug 2003 19:55:02 -0700
Take a look at the safe_mode and open_basedir configuration options for your
php.ini.
http://www.php.net/features.safe-mode
Also, it may be worth it to look at using Apache with cygwin... Big performace
hit, though.
http://httpd.apache.org/docs/cygwin.html
-Evan
On Tuesday 19 August 2003 02:51 pm, Justin Shin wrote:
> Hi all --
>
> I have a friend that owns a web hosting company and recently he asked me to
> check up on his security ... I found that PHP scripts could access, modify,
> etc. anything on the drive. Of course, this is because PHP was invoked by
> apache, which is being run as a root user (Administrator, he runs apache on
> win2k3 for some odd reason) but I do not know the remedy. How could he set
> up his apache/PHP so that only the users of his web hosting service could
> "do stuff" to their own web directories. I know I am not explaining this
> well, but I think you get the picture :) I also know there is a simple
> solution to this, I googled it though and I couldn't find it.
>
> -- Justin
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html