Hi
I am a webmaster. I support some websites. I found a problem in some hosting services.
On these hosts, a user who uses the implode syntax in a PHP script can access other accounts' files.
So he/she can implode portal configuration files from another account and find the database's name, username & password, and so can access the database and drop it or take other actions with the database!
For example, he can use this address in the implode syntax:
/home/otherAccountName/public_html/portalFolder/config.php
Does this occur in all hosting services, or only in the hosting services that I work with?
Why do we see this problem?
What must the web hosting administrator do to solve this problem?
I know that if we use the syntax Error_reporting (0); in a PHP script a hacker cannot find the account name, but I want users to be unable to implode other accounts' files.
Please help.
Thanks
Security problem with php implode syntax in shared hosting.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Unfortunately that's not always the case. There are rumours some hosts out there even allow ftp access outside the user's home folder and to other interesting places.

This is a problem with the host, "/home/otherAccountName/" should not be readable -- every site should run as their own user.
I stopped trusting Hosts long ago...
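A host administrator can check for the exposure discussed in this thread with a permission audit like the one below. This is an added example, not code posted by anyone in the thread. It assumes accounts live under one root in the layout of the path quoted above, that each site runs as its own user so a foreign account falls in the "other" permission class, and the function names and sample accounts are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared-hosting home root.
# Assumption: accounts live under <root>/<account>/, as in the post's path
# /home/otherAccountName/public_html/portalFolder/config.php, and a foreign
# account's PHP process falls in the "other" permission class.

# Print every config file (default name config.php) that a foreign account
# could read: the file has the other-read bit AND every directory on the
# way down has the other-execute bit. Directories without o+x are pruned.
list_exposed_configs() {
    root=$1
    name=${2:-config.php}
    find "$root" -mindepth 1 \
        -type d ! -perm -001 -prune -o \
        -type f -name "$name" -perm -004 -print
}

# Constructed sample tree for a dry run; three hypothetical accounts.
build_demo_tree() {
    demo=$(mktemp -d) || return 1
    for acct in alice bob carol; do
        mkdir -p "$demo/$acct/public_html/portalFolder"
        : > "$demo/$acct/public_html/portalFolder/config.php"
        chmod 755 "$demo/$acct/public_html" "$demo/$acct/public_html/portalFolder"
    done
    # alice: traversable home, world-readable config -> exposed
    chmod 711 "$demo/alice"
    chmod 644 "$demo/alice/public_html/portalFolder/config.php"
    # bob: home closed to other -> config unreachable even though it is 0644
    chmod 750 "$demo/bob"
    chmod 644 "$demo/bob/public_html/portalFolder/config.php"
    # carol: traversable home, but config is 0640 -> not readable by other
    chmod 711 "$demo/carol"
    chmod 640 "$demo/carol/public_html/portalFolder/config.php"
    echo "$demo"
}

# Usage: sh audit.sh /home [filename]
if [ "$#" -gt 0 ]; then
    list_exposed_configs "$@"
fi
```

A home directory at mode 711 hides the directory listing but not a file whose path can be guessed, which is why the alice case is still reported.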