How do I prevent uploaded file to allow browsing of server?
Posted: Sun Jun 05, 2005 4:02 pm
Hi there!
My server is used as a "Free webhotel", so people can register and publish their own sites, php and mysql supported. It used to run on a win xp machine
.
Recently, someone uploaded a PHP script which allowed them to browse the whole server. They could also see my own site files, and eventually someone would have found the file that connects to my mysql database, and see my password.
I had to shut the site down. (The logs showed that they hadn't found the password yet though).
I eventually found out that switching to linux would be more secure. Starting from NO experience at all, I installed Fedora Core 3 and Gnome.
Now, after alot of configuring and compiling, it finally works, but to my surprise, the user could still browse the server!
I turned safe_mode and safe_mode_gid in php.ini off. No result.
Setting open_basedir to something limit would prevent include() and other functions I need to work.
Here's the script: http://home.no.net/rht87/dirtable.txt
(If it doesn't work on your server, try adding "?showdir=/<folder name>/" to the end of the URL, or "?showdir=C:\<folder name>" if windows.)
Some folders are hidden, but if the user knows it's there, it can be manually inserted into $showdir=(...). That applies to files also, $showfile=(...).
I can't reopen my site if I can't fix this problem!
Does anyone know any way I can prevent this kind of file browsing? I know it's possible. And I'm open for most suggestions 
BR/HeiaTufte
My server is used as a "Free webhotel", so people can register and publish their own sites, php and mysql supported. It used to run on a win xp machine
Recently, someone uploaded a PHP script which allowed them to browse the whole server. They could also see my own site files, and eventually someone would have found the file that connects to my mysql database, and see my password.
I had to shut the site down. (The logs showed that they hadn't found the password yet though).
I eventually found out that switching to linux would be more secure. Starting from NO experience at all, I installed Fedora Core 3 and Gnome.
Now, after alot of configuring and compiling, it finally works, but to my surprise, the user could still browse the server!
I turned safe_mode and safe_mode_gid in php.ini off. No result.
Setting open_basedir to something limit would prevent include() and other functions I need to work.
Here's the script: http://home.no.net/rht87/dirtable.txt
(If it doesn't work on your server, try adding "?showdir=/<folder name>/" to the end of the URL, or "?showdir=C:\<folder name>" if windows.)
Some folders are hidden, but if the user knows it's there, it can be manually inserted into $showdir=(...). That applies to files also, $showfile=(...).
I can't reopen my site if I can't fix this problem!
BR/HeiaTufte