> I can't believe there's no way to secure against something like this. There
> must be a way.  Lots of ISPs are starting to support PHP.  They certainly
> all wouldn't be leaving something like this wide open.  A good number are
> probably hosting on Win32 so I must be missing something.

There is, but it involves LOADS of file-system privilege "adjustments."  You
are fortunate, in that you're running Win2000 and therefore have better
filesystem-priv management.  (NT privs _suck_)

Anyway, the way I'm doing it, I have a single anonymous web user for each
virtual server that I have.  Those users are denied various permissions in
certain key areas.  You will run into problems, however, because those users
need to be able to Read/eXecute various files so that the web server will
actually RUN, and likewise if you want to do database connectivity via ADO or
something like that.

While you are locking down your server, you will inevitably "break"
something's ability to do something else.

That's why open_basedir would be so nice, because it would be nice to narrow
the list of files they can mess with down to JUST c:\inetpub, and from there,
managing individual permissions on each of the subdirectories is _WAY_ easier.

Eric
>
> Thanks for the info.
>
> Erick
>
>
> "Cjd" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Best thing to do is create a user for the webserver/php and run as this
> > user.  You can then restrict the access of that user to specific areas.  This
> > is OK if you are running a single server/domain model, but if running
> > virtual domains or multiple websites, to secure the other people's websites,
> > you'll need to have a server per website to stop roaming.  I have tested
> > in-house and with a poorly constructed PHP script, I can browse most file
> > systems, access other websites on the server and even write files to their
> > directories. If you are running a server and using PHP, then you need to do
> > a full security analysis of it before you launch it to the world, especially
> > on Win32. Not too bad if you're only hosting your own files and stuff, but
> > can become a nightmare if you have it open to the 'public' to upload their
> > php scripts.
> >
> >
> > "Erick Baum" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > We have been unable to secure our Windows 2000/IIS5 server from allowing
> > > people to open any file on our server that they want to if they know the
> > > path.  The safe_mode doesn't really work on Windows.  But I was told to use
> > > the open_basedir option in our php.ini.  I added this option and it had no
> > > effect on the ability for people to open files anywhere on the server.  I
> > > tried numerous formats for the option, for example  open_basedir =
> > > c:\inetpub\wwwroot    open_basedir = "c:\inetpub\wwwroot"    open_basedir = .
> > > and on and on, with quotes, without quotes, forward slashes, backslashes,
> > > even without the drive letter more like a unix path and nothing seemed to
> > > work.
> > >
> > > Has anyone actually got this to work?  If so, I would be very interested
> > > to know what format you used for the option in the php.ini file.  Or however
> > > else you managed to get this to work.
> > >
> > > Thanks,
> > > Erick
> > >
> > >
> > >
> >
> >
>
>
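As an added check (example code, not written by anyone in this thread): a PHP script that reports whether open_basedir is actually in force for the request, by comparing what the configured value predicts against what fopen() really does on a path outside the base. PROBE_PATH is a placeholder you must point at an existing file outside your base; the prefix-match and PATH_SEPARATOR semantics it models are PHP's documented behaviour for the directive.

```php
<?php
// Added example, not code from the thread: reports whether open_basedir is
// actually restricting this PHP process. Serve it from a directory inside the
// intended base (e.g. c:\inetpub\wwwroot) and request it in a browser.
declare(strict_types=1);

// Placeholder: an existing, readable file OUTSIDE the base you configured.
const PROBE_PATH = 'c:/outside-the-base/probe.txt';

// Mirrors PHP's documented rule: each entry is a plain prefix ("c:\inetpub"
// also covers "c:\inetpubX"; end it with a separator to bind it to one
// directory), and entries are joined by PATH_SEPARATOR (';' on Windows,
// ':' on Unix). Relative entries such as "." are not modelled here.
function underOpenBasedir(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true;                       // no restriction configured at all
    }
    $target = str_replace('\\', '/', $path);
    $cmp = PHP_OS_FAMILY === 'Windows' ? 'strncasecmp' : 'strncmp';
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $prefix) {
        $prefix = str_replace('\\', '/', trim($prefix));
        if ($prefix !== '' && $cmp($target, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Attempts the open and reports what the engine actually did, alongside what
// the configured value predicts; a mismatch means the setting is not in force.
function probeOpenBasedir(string $probe): array
{
    $configured = (string) ini_get('open_basedir');
    error_clear_last();
    $handle = @fopen($probe, 'rb');        // '@' hides the warning, not the record
    $err = error_get_last();
    if ($handle !== false) { fclose($handle); }
    return [
        'configured'        => $configured,
        'predicted_allowed' => underOpenBasedir($probe, $configured),
        'opened'            => $handle !== false,
        'engine_refused'    => $err !== null
            && strpos($err['message'], 'open_basedir restriction') !== false,
    ];
}

header('Content-Type: text/plain');
foreach (probeOpenBasedir(PROBE_PATH) as $key => $value) {
    printf("%-18s %s\n", $key, var_export($value, true));
}
```

If `configured` is empty, the php.ini being read is not the one you edited (check `php_ini_loaded_file()`); if `opened` is true while `predicted_allowed` is false, the directive is loaded but not being applied.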



-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
