Script breaks php security on win2003 XAMPP

eugene2008
Forum Newbie
Posts: 21
Joined: Sat Jul 01, 2006 3:07 pm

Script breaks php security on win2003 XAMPP

Post by eugene2008 »

This is the script I checked on my VPS (Win2003, XAMPP):
http://php.spb.ru/remview/
http://php.spb.ru/remview/screen_mainwindow.html
http://php.spb.ru/remview/remview_2003_10_23.php

translated from Russian to English:

http://www.translate.ru/url/tran_url.as ... ubmit2.y=7

and the results are horrible :)))
*complete* control over the entire system - just like a non-GUI REMOTE ADMINISTRATOR...
So, how to disallow any script from moving beyond its top/root folder?
For instance, if the domain name is domen.com and it is placed in c:\vhosts\domen.com,
I want any script in this domain not to go above its / root => c:\vhosts\domen.com\

I really need help, because this is scary stuff :)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Could you explain what is happening exactly? You installed a script and now your locally installed xampp isn't secure anymore? Is your xampp used as a live server?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

How exactly has security been broken? Can you elaborate on that part?
eugene2008
Forum Newbie
Posts: 21
Joined: Sat Jul 01, 2006 3:07 pm

Post by eugene2008 »

What part did you not understand?
The script can browse beyond its root folder.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Script breaks php security on win2003 XAMPP

Post by RobertGonzalez »

eugene2008 wrote: So, how to disallow any script from moving beyond its top/root folder?
For instance, if the domain name is domen.com and it is placed in c:\vhosts\domen.com,
I want any script in this domain not to go above its / root => c:\vhosts\domen.com\
So you want to keep a script from accessing c:\vhosts\ if it is in c:\vhosts\domen.com\?
eugene2008
Forum Newbie
Posts: 21
Joined: Sat Jul 01, 2006 3:07 pm

Post by eugene2008 »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


##################################################
<Directory "C:/aweb/freehosting">
  Options Indexes Includes FollowSymLinks ExecCGI
  AllowOverride all
  Order allow,deny
  Allow from all
</Directory>

<VirtualHost *:80>
  DocumentRoot "C:/aweb/freehosting"
  ServerName pcsny.org
  # ServerAlias takes host names, not URLs
  ServerAlias www.pcsny.org
  # open_basedir "/" lets PHP read the whole drive
  php_admin_value open_basedir "/"
  Options +FollowSymLinks
  RewriteEngine On
  RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
  RewriteCond %{HTTP_HOST} ^pcsny\.org
  RewriteCond %{REQUEST_URI} ^(.*)
  RewriteRule (.*) http://www.pcsny.org/%1 [R=301,L]
</VirtualHost>

<VirtualHost *:80>
  ServerName pcsny.org
  ServerAlias *.pcsny.org
  # mod_vhost_alias: %1 is the first part of the requested host name
  VirtualDocumentRoot "C:/aweb/freehosting/users/%1/"
  php_admin_value open_basedir "C:/aweb/freehosting/users/"
</VirtualHost>
####################################################

I tried

VirtualDocumentRoot "C:/aweb/freehosting/users/__%1/"
php_admin_value open_basedir "C:/aweb/freehosting/users/__"

so that each new user is jailed in his folder, but alas it does not work.

How do I jail them in their folders?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

http://us3.php.net/manual/en/features.s ... en-basedir

Or even better, use php as FastCGI/suEXEC (not quite sure if it's possible on windows).
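As an added illustration (not code from this thread or from PHP itself), here is a small Python model of the open_basedir test the PHP manual describes, run against eugene2008's paths: it shows why "/" restricts nothing and why a value without a trailing slash is only a prefix, so "users/__" still lets one user's script reach another user's directory, while a per-user value ending in a slash does jail it. The C: drive for a bare "/" and the sample file names are assumptions.

```python
import ntpath


def _norm(path: str) -> str:
    # Assumption: a bare "/" or "\" root means the drive the server runs on,
    # which is how PHP expands it on Windows; we take C: as that drive.
    if path.startswith(("/", "\\")):
        path = "C:" + path
    # Collapse "..", unify slashes and lower-case (NTFS is case-insensitive).
    return ntpath.normpath(path).lower()


def open_basedir_allows(open_basedir: str, target: str) -> bool:
    """Model of PHP's open_basedir test on a Windows host.

    open_basedir is a ';'-separated list. An entry that ends in a slash
    restricts access to that directory tree; an entry without a trailing
    slash is a plain prefix match (the rule documented in the PHP manual),
    so "users/__" also admits "users/__bob", "users/__carol" and so on.
    Symlink resolution, which real PHP performs first, is not modelled.
    """
    t = _norm(target)
    for raw in open_basedir.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        base = _norm(raw)
        if raw[-1] in "/\\":
            # Directory form: the target is the directory itself or below it.
            if t == base or t.startswith(base.rstrip("\\") + "\\"):
                return True
        elif t.startswith(base):
            # Prefix form: any path that merely begins with these characters.
            return True
    return False


if __name__ == "__main__":
    users = "C:/aweb/freehosting/users/"
    # Constructed sample: a script under __alice probing __bob's directory.
    for setting in ("/", users + "__", users + "__alice/"):
        ok = open_basedir_allows(setting, users + "__bob/config.php")
        print(f"open_basedir={setting!r:40} reaches bob's files: {ok}")
```

Run it and only the last setting, the per-user directory with a trailing slash, reports False; that trailing slash (and one value per user, not one shared prefix) is what the jail needs.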