--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> Hi folks. I recently set up hosting for my site and have noticed
> something which is making me nervous.
>
> I can't seem to include files outside of my webroot, so I wrote
> a script to test permissions using passthru to output the results
> of a bunch of ls -la commands to see what I did and did not have
> access to. Eventually I was able to read the directory which
> holds the root folders for all sites on the server, and from
> there I was able to read files (revealing the php source) from
> the webroot of another site.
>
> This to me is a huge security issue since if anyone has any
> sensitive information there, it could easily be accessed by
> anyone else hosting on the same server. And because I can't seem
> to include files from outside my webroot, if I stay with this
> company I'll be forced to include information such as database
> passwords inside my webroot, therefore exposing the information
> to every other user on the server, and that's just not acceptable.

I just published a free article on my Web site about shared hosting:

http://shiflett.org/articles/security-corner-mar2004

In short, what you've found is typical for most shared hosts, and safe_mode (a directive created to help mitigate this problem a bit) does little to help. However, there are some things you can do as a developer, and I give some specific examples.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming December 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php