Web Hosting Talk

Security Problem :(


BlackDeath
11-27-2001, 04:24 AM
What's up, I have a problem, well actually not me but I'm helping out someone. The person I'm helping out has a Windows 2000 server

and there is a problem that we cannot seem to fix:
the users on his server are able to view other members'
files and stuff. How can we keep this from happening?

Like, let's say this is my server path to my site

c:/webroot/apache/htdocs/mysite/

and I'm able to view all files or anything in

c:/webroot/
or
c:/webroot/apache/htdocs/somone_elses_site/


I also noticed I was able to upload files to another member's site from my site, but that's been fixed now :D


I hope I explained well enough, but I'm learning a lot from this stuff, so at least I'll know what to do when I have my own server

I hope someone can help :)

smartbackups
11-27-2001, 04:29 AM
Your best bet is to set up another directory on another drive from your web root.

What we did was something like this.

d:\domains
    \www.customerdomain.com\
        \htdocs

d:\domains
    \www.customerdomain2.com\
        \htdocs

Then you allow permissions for the iusr user and then only the user for each domain and that is it.

Keep it locked down. Keep everything separate as much as you can.
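
Added example, not part of smartbackups' post or any tool from this thread: a Python check of the per-domain layout described above, run over a constructed cacls-style ACL listing, that reports any account on a site directory other than the shared accounts and that site's own user. The host name, account names, rights and the listing itself are made up for illustration.

```python
import re

# Constructed sample, laid out like `cacls <dir>` output: the path, then one
# "principal:rights" entry per line. Host and account names are made up.
SAMPLE_LISTING = r"""
d:\domains\www.customerdomain.com BUILTIN\Administrators:(OI)(CI)F
                                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                                  HOST1\IUSR_HOST1:(OI)(CI)R
                                  HOST1\customer1:(OI)(CI)C
d:\domains\www.customerdomain2.com BUILTIN\Administrators:(OI)(CI)F
                                   HOST1\IUSR_HOST1:(OI)(CI)R
                                   HOST1\customer2:(OI)(CI)C
                                   HOST1\customer1:(OI)(CI)R
                                   Everyone:(OI)(CI)F
"""

# Hypothetical mapping of each site directory to the one account that owns it.
SITE_OWNERS = {
    r"d:\domains\www.customerdomain.com": r"HOST1\customer1",
    r"d:\domains\www.customerdomain2.com": r"HOST1\customer2",
}
# Accounts allowed on every site: administrators, the OS, the anonymous web user.
SHARED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM", r"HOST1\IUSR_HOST1"}

def parse_listing(text):
    """Return {path: [(principal, rights), ...]} from a cacls-style listing."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a new directory starts at column 0
            current, line = line.split(None, 1)
            acls[current] = []
        principal, rights = line.strip().rsplit(":", 1)
        # Drop inheritance flags such as (OI)(CI), keep the rights letter.
        acls[current].append((principal, re.sub(r"\([A-Z]+\)", "", rights)))
    return acls

def isolation_gaps(acls, owners, shared):
    """List (path, principal, rights) entries that break per-site separation."""
    allowed = {name.lower() for name in shared}   # account names are case-insensitive
    gaps = []
    for path, entries in acls.items():
        owner = owners.get(path, "").lower()
        for principal, rights in entries:
            if principal.lower() not in allowed and principal.lower() != owner:
                gaps.append((path, principal, rights))
    return gaps

if __name__ == "__main__":
    for gap in isolation_gaps(parse_listing(SAMPLE_LISTING), SITE_OWNERS, SHARED):
        print("unexpected access: %s  %s  (%s)" % gap)
```

In the constructed listing the first site is clean, while the second is flagged for a neighbouring customer's read access and for an Everyone entry.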

netsolutions
11-27-2001, 04:31 AM
This looks like a simple permissions problem. Can't you just change the permissions on your server and FTP?

BlackDeath
11-27-2001, 04:36 AM
lol that's what I told the person with the server but he can't do it. I also told him to totally think about what's viewable in his main folder, which is php.exe and some other strange things, and move them to another area

What he did now is something that's not really good since there are a lot of PHP users

He has "opendir" disabled and a lot of other things. My topsite list won't work right because a function it uses is disabled, but it doesn't use opendir I think :-\

He was going to completely take out PHP from his hosting thing but that would ruin his service if he does

But what can be done with PHP can be done with CGI so either way he is still scr*wed

But does anyone know a way to keep someone from viewing stuff behind their account

like f2s but they use UNIX

BlackDeath
11-27-2001, 04:43 AM
Originally posted by netsolutions
This looks like a simple permissions problem. Can't you just change the permissions on your server and FTP?


Well, he has .zip and .exe .mp3 files blocked but I'll ask him about the permissions :-\


Ohh ya, in our FTP accounts nothing can be viewed if you try clicking the back button to view stuff behind your account


But I'm talking about it being viewed with an uploaded web file manager