Security problem with php implode syntax in shared hosting.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sanbad
Forum Newbie
Posts: 4
Joined: Tue Jun 07, 2005 2:17 am
Location: Iran

Post by sanbad »

Hi

I am a webmaster. I support some websites. I have found a problem with some hosting services.
On these hosts, a user who uses the implode syntax in a PHP script can access other accounts' files.

So he/she can implode the configuration files of another account's portal and find the database name, username and password, and so can access the database and drop it or take other actions on the database!

For example, he can use this address in the implode syntax:
/home/otherAccountName/public_html/portalFolder/config.php

Does this occur on all hosting services, or only on the hosting services that I work with?
Why do we see this problem?
What must a web hosting administrator do to solve this problem?

I know that if we use the syntax Error_reporting (0); in the PHP script, a hacker cannot find the account name, but I want users to be unable to implode other accounts' files.
Please help.
Thanks
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

It's possible. It's common. It's not a PHP problem specifically. You usually don't even need to use implode.

I hope no one uses their main account password to access their host's database via PHP apps... :?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

This is a problem with the host: "/home/otherAccountName/" should not be readable -- every site should run as its own user.
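The scenario sanbad describes and the fix Christopher names, as an added example that is no poster's code: a POSIX shell audit that walks a home tree and reports every portal config.php that another local account could include() by exact path, then strips "other" access from the offending homes. It assumes a layout of /home/ACCOUNT/public_html/PORTAL/config.php; the account names, the "portal" folder and the secrets in the fixture are constructed for the demo, not real data. The check a practitioner wants here is the one people miss: a home directory with only the execute bit for others (mode 711) is not listable, but a file inside it is still readable by anyone who knows the path, which is exactly what a known portal layout gives an attacker.

```shell
#!/bin/sh
# Added example, not code from this thread. Account A's PHP script can
# include() /home/B/public_html/portal/config.php whenever every directory
# on that path is searchable (o+x) by other local users and the file itself
# is world-readable (o+r). This audits a home tree for that condition and
# locks it down. Account names, the "portal" folder and the secrets are
# constructed fixtures (assumed layout: /home/ACCOUNT/public_html/*/config.php).

# Permission bits for "other" users, e.g. "r-x", "--x", "---" (from ls -ld).
other_bits() {
  ls -ld "$1" | cut -c8-10
}

# 0 if every directory from the account home ($2) down to the parent of the
# file ($1) is searchable by other users. A directory need not be listable
# (o+r) for include() to work; the exact path plus o+x is enough.
path_traversable() {
  dir=$(dirname "$1")
  while :; do
    case $(other_bits "$dir") in
      *[xt]*) ;;                   # x, or t (sticky bit, which implies x)
      *) return 1 ;;
    esac
    [ "$dir" = "$2" ] && return 0
    [ "$dir" = "/" ] && return 1   # $2 was not an ancestor; give up
    dir=$(dirname "$dir")
  done
}

# 0 if other users can read the file itself.
file_readable_by_others() {
  case $(other_bits "$1") in
    r*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Print one line per config.php that any other local account could include().
# $1 = root of the home tree, e.g. /home.
audit_homes() {
  for home in "$1"/*; do
    [ -d "$home" ] || continue
    for cfg in "$home"/public_html/*/config.php; do
      [ -f "$cfg" ] || continue
      if path_traversable "$cfg" "$home" && file_readable_by_others "$cfg"; then
        echo "$cfg"
      fi
    done
  done
  return 0
}

# Remove all "other" access from an account home and from its config files.
# Only safe when PHP runs as the account's own user (suPHP, a php-fpm pool
# per account, ...) or the web server reaches the files through a group.
lock_down_home() {
  chmod o-rwx "$1"
  find "$1" -name config.php -exec chmod o-rwx {} \;
}

# Constructed fixture: three accounts under a temporary "home" tree.
make_fixture() {
  root=$(mktemp -d)
  for acct in alice bob carol; do
    mkdir -p "$root/$acct/public_html/portal"
    chmod 755 "$root/$acct/public_html" "$root/$acct/public_html/portal"
    printf '<?php $db_pass = "%s-secret";\n' "$acct" > "$root/$acct/public_html/portal/config.php"
  done
  chmod 755 "$root/alice"; chmod 644 "$root/alice/public_html/portal/config.php"  # common default
  chmod 711 "$root/bob";   chmod 644 "$root/bob/public_html/portal/config.php"    # "hidden" home, still includable
  chmod 750 "$root/carol"; chmod 640 "$root/carol/public_html/portal/config.php"  # locked down
  echo "$root"
}

# Stand-alone demo: audit, lock every account down, audit again.
demo_root=$(make_fixture)
echo "config files readable by other accounts before lockdown:"
audit_homes "$demo_root"
for h in "$demo_root"/*; do lock_down_home "$h"; done
echo "after lockdown:"
audit_homes "$demo_root"
rm -rf "$demo_root"
```

Run it against a real box as `audit_homes /home` before touching anything. The lockdown step only works on a host that already does what Christopher says: if PHP still runs as a shared web-server user (mod_php as nobody or www-data), removing "other" access breaks every site, because that shared user is an "other" to each account. PHP's open_basedir directive is worth setting per account as defense in depth, but it restricts only PHP; FTP, cron and shell access to the same files are governed by the filesystem bits alone, which is why the permission audit is the one that matters.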
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Christopher wrote:
This is a problem with the host, "/home/otherAccountName/" should not be readable -- every site should run as their own user.

Unfortunately, that's not always the case. There are rumours that some hosts out there even allow FTP access outside the user's home folder and to other interesting places :).

I stopped trusting Hosts long ago...