Shared Hosting within Shared Hosting (Hypothetical)

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
dracoix
Forum Newbie
Posts: 2
Joined: Mon Mar 08, 2010 2:21 pm

Shared Hosting within Shared Hosting (Hypothetical)

Post by dracoix »

Greetings All,

Being on a shared hosting plan I have my sites and then I have some trusted friends sites as well. That's where it draws the line, if I wanted to host other sites without knowing the clients personally, I wouldn't be in my right mind not to be concerned about security.

Here's my question. I need a solution to secure folder access above a user's designated folder on a PHP level. I can demonstrate that if I upload a zero-day payload PHP script that displays an entire site map and folder structure on any site, any user can see all other users' folders and files regardless of site. Example:

Run Script: /html/usr1/seeall.php (http://usr1site.com/seeall.php)
Output:
/html/*.*
/html/asite/*.*
/html/bsite/*.*
/html/usr1/*.*
/html/usr2/*.*

I DO NOT WANT ANY USER DOING THIS!

Things to know:
-I do not have access to http.conf
-I do not have access to Apache itself
-I DO have access to .htaccess (and per folder :))
-I DO have access to php.ini (only on root, please do not recommend safe_mode)
-Each site needs to be PHP enabled for mine and client purposes.
--But can only dive into their site, and their site alone when scripting in PHP.

Yes I know shared hosting sucks, but eventually friends will want other friends that can pay me to host their sites and all and that makes a security risk.

Can this be done? Or should I just start shopping around for a Dedicated Server and build my own shared hosting?
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Shared Hosting within Shared Hosting (Hypothetical)

Post by requinix »

I have yet to see a shared hosting package that allows reselling. Hosting friends' sites is okay, but once you charge for it you're probably past the ToS.

If you want to go into this kind of business you should get your own server. At the very least, someone else's server and a "reseller" account.
dracoix
Forum Newbie
Posts: 2
Joined: Mon Mar 08, 2010 2:21 pm

Re: Shared Hosting within Shared Hosting (Hypothetical)

Post by dracoix »

Yes, I'm aware of some hosts that clearly state in the ToS about this such thing. However, it is not mentioned for mine.

So is there an hypothetical way to prevent access to folders?
Post Reply