How to fix free hosting script’s security problems


Post by eugene2008 »

XAMPP, WINDOWS2003 VDS, PHP5, APACHE2

The free hosting script creates users in the folder
http://pcsny.org/users/%username%

For example, if a new user has login=newuser,
then his directory is http://pcsny.org/users/newuser/
and http://newuser.pcsny.org

httpd-vhosts.conf looks like this:

###################################################
<Directory "C:/aweb/freehosting"> 
  Options Indexes Includes FollowSymLinks ExecCGI 
  AllowOverride all 
  Order allow,deny 
  Allow from all 
</Directory> 

<VirtualHost *:80>
  DocumentRoot "C:/aweb/freehosting"
  ServerName pcsny.org
  ServerAlias www.pcsny.org
  php_admin_value open_basedir "/"
</VirtualHost>

<VirtualHost *:80>
  ServerName pcsny.org
  ServerAlias *.pcsny.org
  VirtualDocumentRoot
  php_admin_value open_basedir "C:/aweb/freehosting/users/"
</VirtualHost>

It is working, but it is not secure enough because of this: php_admin_value open_basedir "C:/aweb/freehosting/users/"

A bad script can see and fully control anything in the folder /users/
I tried to do it like this: php_admin_value open_basedir "C:/aweb/freehosting/users/%1/"
But alas, it is not as easy as with VirtualDocumentRoot.

So I’ve got some questions:
1. How to lock users in their respective folders?
2. How to prevent a user from accessing his web page through http://pcsny.org/users/%newuser%/ and redirect him to the appropriate subdomain (because this way they gain full control over the system)?
3. Will an .htaccess in the user’s folder reduce all my security efforts to zero? How to prevent this without disabling .htaccess?
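One possible layout for the three questions in the post, as an added example that is not part of the original post or of the hosting script: mod_vhost_alias expands %1 only in its own directives, so a per-user open_basedir needs one explicit vhost per account. Assumptions: the hosting script writes one such block per account into an included file and reloads Apache, logins consist of letters, digits and hyphens, and "newuser" is the post's sample login.

```apache
# Added example, Apache 2.2 syntax as in the post. Not the poster's config.

# Main site. Question 2: /users/<login>/... is redirected to the matching
# subdomain, so user code never runs under the main host's PHP settings.
<VirtualHost *:80>
  ServerName pcsny.org
  ServerAlias www.pcsny.org
  DocumentRoot "C:/aweb/freehosting"
  RedirectMatch 301 ^/users/([A-Za-z0-9-]+)(/.*)?$ http://$1.pcsny.org$2
</VirtualHost>

# Question 1: one vhost per account (generated, assumed), each with an
# open_basedir that names only that account's folder. Keep the trailing
# slash: older PHP 5 releases treat the value as a prefix, so without it
# "users/newuser" would also match "users/newuser2".
<VirtualHost *:80>
  ServerName newuser.pcsny.org
  DocumentRoot "C:/aweb/freehosting/users/newuser"
  php_admin_value open_basedir "C:/aweb/freehosting/users/newuser/"
</VirtualHost>

# Question 3: .htaccess stays enabled but with a reduced override set.
# Values set with php_admin_value cannot be changed from .htaccess or
# ini_set(). Leaving out the Options and FileInfo classes also blocks
# php_value/php_flag, Options, handler and rewrite directives in user files.
# open_basedir only constrains PHP's file functions, so CGI and SSI are
# switched off for user folders here.
<Directory "C:/aweb/freehosting/users">
  Options -ExecCGI -Includes
  AllowOverride AuthConfig Indexes Limit
  Order allow,deny
  Allow from all
</Directory>
```

A directive outside the allowed override classes in a user's .htaccess makes Apache answer requests for that folder with a 500 error, which is visible in the error log.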