beniceman
07-29-2002, 02:36 AM
:( Hi,
I am giving out some Sub Domains via CPANEL control Panel, but
recently, there is a script called: remview.php that can control
all over my site, all DB can be hacked anytime :-(
http://php.spb.ru/remview/
Let's say: You have a Domain AAA
you give out a Sub : sub.AAA.com
and then they upload that script on there...and they can control
all over that whole domain :-(
:confused: Any help?
Thanks in advance
:(
Ahmad
07-29-2002, 04:15 AM
There is no solution to this problem. I contacted my hosting company the minute I saw this feature in their control panel and asked them if there are any measures against this security problem, but their reply was irrelevant, just repeating the function of this feature.
BTW, not only those you give access to a subdomain on your account, but everybody else on the server can get your MySQL password if it is in a PHP file.
tencongty
08-06-2002, 05:19 AM
How about this problem, now?
wscreate
08-06-2002, 10:27 PM
http://php.spb.ru/remview/
Oh yeah, really good, if you speak Russian!
2host.com
08-06-2002, 10:48 PM
This isn't just a problem for a sub domain; that really has no bearing on this problem, other than that the user it runs as (assuming a CGI wrapper is used for CGI and/or PHP) will also maybe be able to have the same control as you. No matter what, otherwise they have the same CGI and/or PHP script access as everyone else, if it's a global user anyway.
However, you can (if your hosting provider is willing) very easily modify it so anything in that path cannot run CGI, PHP or other scripts, as well as denying SSI and other types of access.
Provided they do that, you can safely hand out sub domain accounts. Keep in mind that depending on how CGI and/or PHP is running on the server, this problem can still exist anyway on any shared hosting environment, unless steps are taken to prevent it.
Though I won't argue that, in the current state of configuration on the server, giving out free sub domains to just anyone who is allowed to, or can somehow manage to, use any type of script to snoop around the system is a bad idea and makes the potential greater (especially when people are paying to have accounts on that same server, as most people aren't the type to try and do this if they are a regular client).
Still, it's all about prevention, permissions, ownership and configurations and how things run. Look into disabling CGI, PHP, SSI and definitely .htaccess (or at least make it so their .htaccess directives are limited to features that can't be used to add or enable CGI, PHP, etc. type of scripts by adding mime/action types, etc.)
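
The lockdown described in the last post, as an added example that is not part of the original thread or any poster's own configuration: a server-level Apache block that makes a handed-out subdomain directory static-only. It assumes Apache 2.4 with mod_php loaded, and the directory path is a placeholder.

```apache
# Added example. Assumptions: Apache 2.4, PHP running as mod_php, and
# /home/exampleuser/public_html/sub is a placeholder for the directory
# the handed-out subdomain is served from. Put this in the server or
# virtual host configuration, not in a .htaccess file.

# Weak setting (shown commented out): scripts execute, and the subdomain
# user's own .htaccess can add handlers or MIME/action types.
# <Directory "/home/exampleuser/public_html/sub">
#     Options ExecCGI Includes
#     AllowOverride All
# </Directory>

# Corrected setting: static files only.
<Directory "/home/exampleuser/public_html/sub">
    # No CGI execution and no server-side includes (SSI).
    Options -ExecCGI -Includes

    # Ignore .htaccess completely, so AddHandler, AddType, Action and
    # Options cannot be used to switch scripting back on.
    AllowOverride None

    # Turn the PHP engine off for this tree. php_admin_flag cannot be
    # overridden from .htaccess or ini_set(). If mod_php is not loaded,
    # Apache refuses to start on this line, which is the safer failure.
    php_admin_flag engine off

    # Drop extension-to-handler mappings inherited from the main config,
    # including for multi-extension names such as file.php.txt.
    RemoveHandler .php .phtml .cgi .pl .shtml

    # Refuse requests for script files outright. This also covers PHP
    # wired up through SetHandler (for example PHP-FPM), which
    # RemoveHandler does not undo, and stops uploaded source from being
    # served back as plain text.
    <FilesMatch "\.(php[0-9]?|phtml|cgi|pl|py|shtml)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Check the result with `apachectl configtest` before reloading. This only stops scripts from running inside that directory; as the posts above note, what other accounts on the same server can read still depends on how CGI and PHP run and on file ownership and permissions.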