another php include hole

Posted: Thu Sep 15, 2005 4:40 pm
by birdie
Hi, I have a security problem on my web/ftp server. Users can use PHP and use it to exploit my server folders. For example:

server.com
/hosted1
/hosted2
/hosted3

There is a file called exploit.php in hosted3. It contains:
<? include("../hosted1/passwords.php"); ?>

Is there any way to restrict people from using the include(), require() and require_once() functions to their advantage? BUT, I would like the users to be able to use these functions, but only in THEIR folder/directory.

Is there any way of making this possible? Thanks

PS. I have IIS6, MySQL, PHP, ASP

Posted: Thu Sep 15, 2005 4:59 pm
by Roja