Yes, this is going to be on a public system hosting hundreds of web sites.
I can't believe there's no way to secure against something like this. There
must be a way. Lots of ISPs are starting to support PHP. They certainly
all wouldn't be leaving something like this wide open. A good number are
probably hosting on Win32 so I must be missing something.
Thanks for the info.
Erick
"Cjd" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Best thing to do is create a user for the webserver/php and run as this
> user. You can then restrict the access of that user to specific areas. This
> is OK if you are running a single server/domain model, but if running
> virtual domains or multiple websites, to secure the other people's websites,
> you'll need to have a server per website to stop roaming. I have tested
> in-house and with a poorly constructed PHP script, I can browse most file
> systems, access other websites on the server and even write files to their
> directories. If you are running a server and using PHP, then you need to do
> a full security analysis of it before you launch it to the world, especially
> on Win32. Not too bad if you're only hosting your own files and stuff, but
> can become a nightmare if you have it open to the 'public' to upload their
> php scripts.
>
> "Erick Baum" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > We have been unable to secure our Windows 2000/IIS5 server from allowing
> > people to open any file on our server that they want to if they know the
> > path. The safe_mode doesn't really work on Windows. But I was told to use
> > the open_basedir option in our php.ini. I added this option and it had no
> > effect on the ability for people to open files anywhere on the server. I
> > tried numerous formats for the option, for example
> >   open_basedir = c:\inetpub\wwwroot
> >   open_basedir = "c:\inetpub\wwwroot"
> >   open_basedir = .
> > and on and on, with quotes, without quotes, forward slashes, backslashes,
> > even without the drive letter more like a unix path and nothing seemed to
> > work.
> >
> > Has anyone actually got this to work? If so, I would be very interested to
> > know what format you used for the option in the php.ini file. Or however
> > else you managed to get this to work.
> >
> > Thanks,
> > Erick
> >
>
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
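The thread above never gets to why an open_basedir line can "have no effect". Two things are worth checking before concluding the directive is broken: on Windows the separator between open_basedir entries is ';' (PHP's PATH_SEPARATOR), not the ':' used on Unix, and PHP matches each entry as a path prefix, so "c:\inetpub\wwwroot" also admits "c:\inetpub\wwwroot2" unless the entry ends in a slash. A third, mundane cause is editing a php.ini that is not the one PHP actually loads. The probe below is an added example, not code from the thread or from the PHP project; it reports the loaded php.ini, flags those two formatting mistakes, and then attempts one read inside and one read outside the allowed tree. The paths it uses (c:\inetpub\wwwroot as the web root, c:\WINNT\win.ini as the outside file) are assumptions for a Windows 2000 host; change them to match yours. It only exercises file-open functions, which is all open_basedir governs; it says nothing about exec()/system() or NTFS permissions, so it complements rather than replaces the run-as-a-restricted-user advice given earlier in the thread.

```php
<?php
/*
 * open_basedir probe (added example; not code from the thread).
 *
 * Drop this file under the web root that open_basedir is meant to
 * protect and request it from a browser. It reports which php.ini PHP
 * actually loaded, checks the open_basedir value for the two mistakes
 * that make it ineffective on Windows, and then tries to read one file
 * inside and one file outside the allowed tree.
 *
 * Assumptions: the web root is c:\inetpub\wwwroot and the host is
 * Windows 2000, so c:\WINNT\win.ini is used as the "outside" file.
 * Adjust both paths to match the host.
 *
 * Recommended php.ini line this probe is written against (assumption):
 *   open_basedir = "c:\inetpub\wwwroot\;c:\php\tmp\"
 */

header('Content-Type: text/plain');

$outside = 'C:\\WINNT\\win.ini';   // assumption: exists on Win2000, outside web root
$inside  = __FILE__;               // this script; must remain readable

/* Split the open_basedir value into entries using the platform
 * separator (';' on Windows, ':' elsewhere). */
function basedir_entries($value)
{
    if ($value === false || $value === '') {
        return array();
    }
    return explode(PATH_SEPARATOR, $value);
}

/* Return a list of formatting problems with the configured entries. */
function basedir_problems($entries)
{
    $problems = array();
    foreach ($entries as $entry) {
        // On Windows a value like c:\a:c:\b means the Unix ':' separator
        // was used; PHP then sees one bogus entry and nothing matches.
        if (PATH_SEPARATOR === ';' && substr_count($entry, ':') > 1) {
            $problems[] = "'$entry' looks like several paths joined with ':'; use ';' on Windows";
        }
        // open_basedir matches by prefix, so "c:\inetpub\wwwroot" also
        // admits "c:\inetpub\wwwroot2". A trailing slash closes that gap.
        $last = substr($entry, -1);
        if ($last !== '\\' && $last !== '/') {
            $problems[] = "'$entry' has no trailing slash; it is a prefix match, not a directory";
        }
    }
    return $problems;
}

/* Try to open a file for reading. With open_basedir in force an
 * out-of-tree path makes fopen() fail (PHP emits a warning, which the
 * @ suppresses) and return false. */
function can_read($path)
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    fclose($fh);
    return true;
}

$value   = ini_get('open_basedir');
$entries = basedir_entries($value);
$loaded  = function_exists('php_ini_loaded_file')
         ? php_ini_loaded_file()
         : '(php_ini_loaded_file() unavailable before PHP 5.2.4)';

echo "php.ini in use : ", ($loaded === false ? 'none loaded' : $loaded), "\n";
echo "open_basedir   : ", ($value === '' || $value === false ? '(not set)' : $value), "\n";
foreach (basedir_problems($entries) as $p) {
    echo "  warning: $p\n";
}

$insideOk  = can_read($inside);
$outsideOk = can_read($outside);
echo "read inside  ($inside): ", $insideOk ? 'ok' : 'BLOCKED', "\n";
echo "read outside ($outside): ", $outsideOk ? 'ALLOWED' : 'blocked', "\n";

if (count($entries) === 0) {
    echo "RESULT: open_basedir is not set in the php.ini PHP loaded; edit that file and restart the web server.\n";
} elseif ($outsideOk) {
    echo "RESULT: open_basedir is set but not enforced; check the php.ini path above and restart the web server.\n";
} elseif (!$insideOk) {
    echo "RESULT: open_basedir is too tight; this script's own directory is outside it.\n";
} else {
    echo "RESULT: open_basedir is in force.\n";
}
```

If the reported php.ini is not the file you edited, that is the whole problem: move the setting into the reported file (or fix the search path) and restart the web server, since the ISAPI module only picks up php.ini changes on restart. If "read outside" still says ALLOWED after that, delete the probe and fall back on filesystem ACLs for the account the web server runs as, because open_basedir is a PHP-level check and nothing else on the box honours it.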