another php include hole

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

birdie
Forum Newbie
Posts: 22
Joined: Thu Sep 15, 2005 4:37 pm

Post by birdie »

Hi, I have a security problem on my web/FTP server. Users can use PHP and use it to exploit my server folders. For example:

server.com
/hosted1
/hosted2
/hosted3

There is a file called exploit.php in hosted3. It contains:
<? include("../hosted1/passwords.php"); ?>

Is there any way to restrict people from using the include(), require() and require_once() functions to their advantage? BUT, I would like the users to be able to use these functions, but only in THEIR folder/directory.

Is there any way of making this possible? Thanks

PS. I have IIS6, MySQL, PHP, ASP
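
The cross-folder include described in the post above, shown with and without PHP's `open_basedir` restriction. This is an added example, not part of the original post. It assumes PHP 5.3 or later (where `open_basedir` can be tightened at runtime with `ini_set()`), and the temp-directory layout and file contents are constructed for the demo; on a shared server the value would be set per site by the administrator in server-side configuration rather than by the tenant's script.

```php
<?php
// Constructed layout mirroring the post: two tenant folders under one root.
// realpath() is used because open_basedir compares resolved paths.
$root = realpath(sys_get_temp_dir()) . '/basedir_demo_' . getmypid();
foreach (['hosted1', 'hosted3'] as $tenant) {
    mkdir("$root/$tenant", 0700, true);
}
file_put_contents("$root/hosted1/passwords.php", "<?php return 'hosted1 secret';");
file_put_contents("$root/hosted3/own.php", "<?php return 'hosted3 file';");

// Try an include and report whether PHP allowed it.
function try_include(string $path): string
{
    // include returns false (and raises a warning) when the file cannot be opened
    $result = @include $path;
    return $result === false ? 'BLOCKED' : "allowed ($result)";
}

// Paths starting with ../ are resolved against the working directory,
// so run as if the script lived in hosted3, like exploit.php in the post.
chdir("$root/hosted3");

echo "Without open_basedir:\n";
echo "  own.php                  -> ", try_include('own.php'), "\n";
echo "  ../hosted1/passwords.php -> ", try_include('../hosted1/passwords.php'), "\n";

// Confine this request to the tenant's own folder.
// The trailing separator matters: open_basedir is a prefix match, so
// ".../hosted3" without it would also permit a sibling named ".../hosted30".
ini_set('open_basedir', "$root/hosted3" . DIRECTORY_SEPARATOR);

echo "With open_basedir = hosted3:\n";
echo "  own.php                  -> ", try_include('own.php'), "\n";
echo "  ../hosted1/passwords.php -> ", try_include('../hosted1/passwords.php'), "\n";

// The restriction can only be narrowed within a request, never widened again.
// That also means this script cannot delete $root/hosted1 afterwards, so the
// demo files under $root are left in the temp directory.
var_dump(ini_set('open_basedir', $root . DIRECTORY_SEPARATOR)); // bool(false)
```

The restriction covers PHP's file functions in general (include, require, fopen, file_get_contents and so on), not only the include family; it does not replace file-system permissions on the tenant folders.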
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »
