Shared Hosting within Shared Hosting (Hypothetical)
Posted: Mon Mar 08, 2010 2:49 pm
Greetings All,
Being on a shared hosting plan, I have my sites and then I have some trusted friends' sites as well. That's where it draws the line: if I wanted to host other sites without knowing the clients personally, I wouldn't be in my right mind not to be concerned about security.
Here's my question. I need a solution to secure folder access above a user's designated folder on a PHP level. I can demonstrate that if I upload a zero-day payload PHP script that displays an entire site map and folder structure on any site, any user can see all other users' folders and files regardless of site. Example:
Run Script: /html/usr1/seeall.php (http://usr1site.com/seeall.php)
Output:
/html/*.*
/html/asite/*.*
/html/bsite/*.*
/html/usr1/*.*
/html/usr2/*.*
I DO NOT WANT ANY USER DOING THIS!
Things to know:
-I do not have access to http.conf
-I do not have access to Apache itself
-I DO have access to .htaccess (and per folder)
-I DO have access to php.ini (only on root, please do not recommend safe_mode)
-Each site needs to be PHP enabled for mine and client purposes.
--But can only dive into their site, and their site alone when scripting in PHP.
Yes I know shared hosting sucks, but eventually friends will want other friends that can pay me to host their sites and all and that makes a security risk.
Can this be done? Or should I just start shopping around for a Dedicated Server and build my own shared hosting?