
Security problem with php implode syntax in shared hosting.

Posted: Tue Apr 25, 2006 10:14 am
by sanbad
Hi

I am a webmaster. I support some websites. I found a problem in some hosting services.
On these hosts, a user who uses the implode syntax in a PHP script can access other accounts' files.

So he/she can implode portal configuration files from another account and find the database name, username & password, and so can access the database and drop it or take other actions with the database!

For example, he can use this address in the implode syntax:
/home/otherAccountName/public_html/portalFolder/config.php

Does this occur in all hosting services, or only in the hosting services that I work with?
Why do we see this problem?
What must the web hosting administrator do to solve this problem?

I know if we use the syntax Error_reporting (0); in a PHP script, a hacker cannot find the account name, but I want users to be unable to implode other accounts' files.
Please help.
Thanks

Posted: Tue Apr 25, 2006 12:56 pm
by Maugrim_The_Reaper
It's possible. It's common. It's not a PHP problem specifically. You usually don't even need to use implode.

I hope no one uses their main account password to access their host's database via PHP apps... :?

Posted: Tue Apr 25, 2006 1:00 pm
by Christopher
This is a problem with the host, "/home/otherAccountName/" should not be readable -- every site should run as their own user.
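
The host-side condition described in the reply above can be audited from the shell. The following is an added example, not part of the thread: the function names, the one-directory-per-account layout and the default file name config.php are assumptions based on the path in the first post.

```shell
#!/bin/sh
# Added example: audit a shared-hosting home tree for cross-account exposure.
# Run as root so find can descend into every account.
# Assumption: one directory per account directly under the base (e.g. /home).

# Print every account home under $1 that grants any permission bit to "other".
exposed_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print | sort
}

# Succeed if "other" may traverse every directory from $2 up to, but not
# including, the base $1. A file is only reachable by a known path when
# each parent directory has the other-execute bit set.
reachable_by_other() {
    rb_base=$1
    rb_dir=$2
    while [ "$rb_dir" != "$rb_base" ] && [ "$rb_dir" != "/" ]; do
        [ -n "$(find "$rb_dir" -maxdepth 0 -perm -001)" ] || return 1
        rb_dir=$(dirname "$rb_dir")
    done
    return 0
}

# Print files named $2 (default: config.php) under $1 that are readable by
# "other" AND reachable through other-traversable parent directories.
exposed_configs() {
    ec_base=${1%/}
    ec_name=${2:-config.php}
    find "$ec_base" -type f -name "$ec_name" -perm -004 -print | sort |
    while IFS= read -r ec_file; do
        if reachable_by_other "$ec_base" "$(dirname "$ec_file")"; then
            printf '%s\n' "$ec_file"
        fi
    done
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -ge 1 ]; then
    echo "Homes accessible to other accounts:"
    exposed_homes "$1"
    echo "Config files readable by other accounts:"
    exposed_configs "$1"
fi
```

A home directory with mode 0711 still appears in the first list: it cannot be listed by other accounts, but a file inside it can be opened if its full path is known and the file itself is world-readable.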

Posted: Wed Apr 26, 2006 3:13 am
by Maugrim_The_Reaper
Christopher wrote:
This is a problem with the host, "/home/otherAccountName/" should not be readable -- every site should run as their own user.

Unfortunately that's not always the case. There are rumours some hosts out there even allow ftp access outside the user's home folder and to other interesting places :).

I stopped trusting Hosts long ago...