Web Hosting Talk : Web Hosting Main Forums : Managed Hosting and Services : Security problem with php implode syntax in shared hosting.

[sanbad]

Hi

I am a webmaster. I support some websites. I find a problem in some hosting services.
In these hosting a user that use implode syntax in a php script can access to other account's file.

So he/she can implode configuration portal files from other account and find database's name,username&password and so it can access to dbase and drop it or use other action with dbase!

For exam He can use this address in implode syntax :
/home/otherAccountName/public_html/portalFolder/config.php

This is occur in all hosting services or only occur in these hosting services that I work with them?
Why we see this problem?
What is webhosting administrator must do for solve this problem?

I know if we use syntax Error_reporting (0); in php script hacker can not find account name but I want users can not impload other account's files.
Please help.
Thanks

[gbjbaanb]

look up open_basedir in the PHP documentation and implement it for your sites.

Also, disable the exec() calls in PHP.

[sanbad]

Quote:

Originally Posted by gbjbaanb

look up open_basedir in the PHP documentation and implement it for your sites.

Also, disable the exec() calls in PHP.

Thanks
If possible, please explan about Disableing exec() calls.

who must do this? Server admin? reseller admin? webhosting enduser?

If disable exec() call. portl's that use require, include and implode syntaxes in that scripts; can work properly?

[gbjbaanb]

Here's a link to get you started, but if you're serious about securing your site, I suggest hiring someone who will do it for you, or take the time to learn for yourself.

In both cases, the server admin will have to do this - you will need to update the virtual host directives for each site, or the php.ini, to include the necessary php directives.

http://uk.php.net/exec

to disable exec, find the line "disable_functions =" in php.ini and change it to "disable_functions = exec".