httpd-users mailing list archives

From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: [users@httpd] How do I keep Virtural hosts from seeing the others document root?
Date Wed, 06 Apr 2011 09:39:42 GMT
On 10.03.11 03:59, aaronrus@comcast.net wrote:
> While the setup Jim describes is similar to what I have set up, the issue
> still remains when a user uploads a PHPSHELL to their document root and
> accesses the server through the uploaded shell they are no longer operating
> under the FTP user account. They are operating under the www-data account
> which is the account Apache operates in. By doing so when using the
> uploaded PHPSHELL you bypass the FTP and jail restrictions

What jail restrictions? Of course when running PHP under Apache, the
restrictions from FTP do not apply. Therefore you must configure PHP so
other restrictions apply.

> that prevent
> you from seeing other people's document root and have access to all
> document roots on the system. Here is a PHPSHELL
> http://phpshell.sourceforge.net/ upload and configure it. Give it a try; it
> runs under the www-data account just like all other pages do.
> 
> This issue would allow your PHP files to be viewed. This can be an issue
> due to needing to have passwords in PHP scripts to access SQL databases
> etc.
> 
> This issue could be resolved by making each virtualhost run under a different account
> and jailing each account in a different jail.

Read my former mail; I think I have described everything you mention.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
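
One way to apply the two measures discussed in this thread (restricting PHP itself, and running each virtual host under its own account), shown as an added example that is not from the original message or from the Apache project. It assumes mod_php and the third-party mpm-itk module; the host names, paths and account names are hypothetical.

```apache
# Constructed example: two hypothetical customers, alice and bob.
#
# Weak form (kept commented out): both vhosts execute PHP as www-data with no
# path restriction, so a script uploaded into one document root can read the
# files, including database passwords, in the other.
#
# <VirtualHost *:80>
#     ServerName alice.example
#     DocumentRoot /srv/www/alice/htdocs
# </VirtualHost>

# Restricted form: repeat this pattern for every customer.
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /srv/www/alice/htdocs

    # php_admin_value cannot be overridden from .htaccess or ini_set().
    # The trailing slash makes open_basedir match the directory itself
    # rather than every path that merely starts with "/srv/www/alice".
    php_admin_value open_basedir /srv/www/alice/
    php_admin_value upload_tmp_dir /srv/www/alice/tmp
    php_admin_value session.save_path /srv/www/alice/sessions

    # With mpm-itk loaded, requests for this vhost are served under the
    # customer's own account instead of www-data, so ordinary file
    # permissions (for example mode 750 on /srv/www/alice) keep bob out.
    <IfModule mpm_itk_module>
        AssignUserID alice alice
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /srv/www/bob/htdocs

    php_admin_value open_basedir /srv/www/bob/
    php_admin_value upload_tmp_dir /srv/www/bob/tmp
    php_admin_value session.save_path /srv/www/bob/sessions

    <IfModule mpm_itk_module>
        AssignUserID bob bob
    </IfModule>
</VirtualHost>
```

open_basedir only constrains PHP's own file functions; commands started from PHP run with whatever rights the process account has, which is why the per-account separation matters as well.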
