Script breaks php security on win2003 XAMPP
Posted: Fri Sep 08, 2006 11:02 pm
by eugene2008
This is the script I've checked on my VPS WIN2003 XAMPP
http://php.spb.ru/remview/
http://php.spb.ru/remview/screen_mainwindow.html
http://php.spb.ru/remview/remview_2003_10_23.php
translate from rus to eng
http://www.translate.ru/url/tran_url.as ... ubmit2.y=7
and results are horrible

))
*complete* control over entire system - just like it would be a non GUI REMOTE ADMINISTRATOR...
So, how to disallow any script to move beyond its top/root folder?
For instance if domain name is domen.com and it's placed in c:\vhosts\domen.com
I want any script in this domain not to go higher than / root => c:\vhosts\domen.com\
really need help, because this is scary stuff

Posted: Sat Sep 09, 2006 3:03 am
by matthijs
Could you explain what is happening exactly? You installed a script and now your locally installed xampp isn't secure anymore? Is your xampp used as a live server?
Posted: Sat Sep 09, 2006 3:40 am
by RobertGonzalez
How exactly has security been broken? Can you elaborate on that part?
Posted: Sat Sep 09, 2006 6:18 am
by eugene2008
What part did you not understand?
The script can browse beyond its root folder.
Re: Script breaks php security on win2003 XAMPP
Posted: Sat Sep 09, 2006 4:59 pm
by RobertGonzalez
eugene2008 wrote: So, how to disallow any script to move beyond its top/root folder?
For instance if domain name is domen.com and it's placed in c:\vhosts\domen.com
I want any script in this domain not to go higher than / root => c:\vhosts\domen.com\
So you want to keep a script from accessing c:\vhosts\ if it is in c:\vhosts\domen.com\?
Posted: Sun Sep 10, 2006 8:06 am
by eugene2008
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
[syntax="apache"]
##################################################
<Directory "C:/aweb/freehosting">
    Options Indexes Includes FollowSymLinks ExecCGI
    AllowOverride all
    Order allow,deny
    Allow from all
</Directory>

# Main site
<VirtualHost *:80>
    DocumentRoot "C:/aweb/freehosting"
    ServerName pcsny.org
    ServerAlias http://www.pcsny.org
    php_admin_value open_basedir "/"
    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
    RewriteCond %{HTTP_HOST} ^pcsny\.org
    RewriteCond %{REQUEST_URI} ^(.*)
    RewriteRule (.*) http://www.pcsny.org/%1 [R=301,L]
</VirtualHost>

# Per-user subdomains: %1 is the first part of the requested host name
<VirtualHost *:80>
    ServerName pcsny.org
    ServerAlias *.pcsny.org
    VirtualDocumentRoot "C:/aweb/freehosting/users/%1/"
    php_admin_value open_basedir "C:/aweb/freehosting/users/"
</VirtualHost>
####################################################
[/syntax]
I tried
[syntax="apache"]
VirtualDocumentRoot "C:/aweb/freehosting/users/__%1/"
php_admin_value open_basedir "C:/aweb/freehosting/users/__"
[/syntax]
so each new user is jailed in his folder, but alas it does not work.
How to jail them in their folders?
Posted: Sun Sep 10, 2006 8:33 am
by Weirdan
http://us3.php.net/manual/en/features.s ... en-basedir
Or even better, use php as FastCGI/suEXEC (not quite sure if it's possible on windows).
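Added example (not from any poster in this thread): in PHP releases of that period open_basedir was compared as a string prefix, and php_admin_value takes a literal value rather than the %1 interpolation of VirtualDocumentRoot, so one way to jail each user is to generate a literal block per user with a trailing-slash open_basedir. The helper names, the user-name rule and the sample users alice/alice2 are assumptions, and the prefix check is a simplified model, not PHP's own code.

```python
import posixpath
import re

USERS_ROOT = "C:/aweb/freehosting/users"   # path from the posted config
BASE_DOMAIN = "pcsny.org"                  # domain from the posted config
# Assumption: user names are plain DNS labels; anything else is rejected so
# a name can never inject directives or "../" into the generated config.
USER_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def norm(path):
    """Forward slashes, '..' collapsed, lower case (Windows paths)."""
    keep_slash = path.endswith(("/", "\\"))
    p = posixpath.normpath(path.replace("\\", "/")).lower()
    return p + "/" if keep_slash and not p.endswith("/") else p


def basedir_allows(basedir, target):
    """Simplified model of the prefix comparison open_basedir did in PHP
    releases of that era: the resolved target must start with the setting."""
    return norm(target).startswith(norm(basedir))


def user_basedir(user):
    """Per-user open_basedir value, validated, ending in a slash."""
    if not USER_RE.fullmatch(user):
        raise ValueError("unsafe user name: %r" % user)
    return "%s/%s/" % (USERS_ROOT, user)   # trailing slash: exact directory


def vhost_block(user):
    """One literal <VirtualHost> per user, since php_admin_value cannot
    interpolate %1 the way VirtualDocumentRoot does."""
    base = user_basedir(user)
    return "\n".join([
        "<VirtualHost *:80>",
        "    ServerName %s.%s" % (user, BASE_DOMAIN),
        '    DocumentRoot "%s"' % base.rstrip("/"),
        '    php_admin_value open_basedir "%s"' % base,
        "</VirtualHost>",
    ])


if __name__ == "__main__":
    for name in ("alice", "alice2"):       # constructed sample users
        print(vhost_block(name))
```

The generated blocks would be included ahead of the wildcard virtual host and regenerated whenever a user is added or removed.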