Shared Hosting within Shared Hosting (Hypothetical)

Posted: Mon Mar 08, 2010 2:49 pm
by dracoix
Greetings All,

Being on a shared hosting plan, I have my sites and then I have some trusted friends' sites as well. That's where it draws the line; if I wanted to host other sites without knowing the clients personally, I wouldn't be in my right mind not to be concerned about security.

Here's my question. I need a solution to secure folder access above a user's designated folder on a PHP level. I can demonstrate that if I upload a zero-day payload PHP script that displays an entire site map and folder structure on any site, any user can see all other users' folders and files regardless of site. Example:

Run Script: /html/usr1/seeall.php (http://usr1site.com/seeall.php)
Output:
/html/*.*
/html/asite/*.*
/html/bsite/*.*
/html/usr1/*.*
/html/usr2/*.*

I DO NOT WANT ANY USER DOING THIS!

Things to know:
-I do not have access to http.conf
-I do not have access to Apache itself
-I DO have access to .htaccess (and per folder :))
-I DO have access to php.ini (only on root, please do not recommend safe_mode)
-Each site needs to be PHP enabled for mine and client purposes.
--But can only dive into their site, and their site alone when scripting in PHP.

Yes I know shared hosting sucks, but eventually friends will want other friends that can pay me to host their sites and all and that makes a security risk.

Can this be done? Or should I just start shopping around for a Dedicated Server and build my own shared hosting?

Re: Shared Hosting within Shared Hosting (Hypothetical)

Posted: Mon Mar 08, 2010 4:59 pm
by requinix
I have yet to see a shared hosting package that allows reselling. Hosting friends' sites is okay, but once you charge for it you're probably past the ToS.

If you want to go into this kind of business you should get your own server. At the very least, someone else's server and a "reseller" account.

Re: Shared Hosting within Shared Hosting (Hypothetical)

Posted: Tue Mar 09, 2010 12:02 pm
by dracoix
Yes, I'm aware of some hosts that clearly state such a thing in the ToS. However, it is not mentioned in mine.

So is there a hypothetical way to prevent access to folders?