Security problem with PHP implode syntax in shared hosting.
Posted: Tue Apr 25, 2006 10:14 am
Hi
I am a webmaster. I support some websites. I have found a problem in some hosting services.
On these hosts, a user who uses the implode syntax in a PHP script can access another account's files.
So he/she can implode portal configuration files from another account and find the database's name, username & password, and so can access the database and drop it or take other actions with it!
For example, he can use this address in the implode syntax:
/home/otherAccountName/public_html/portalFolder/config.php
Does this occur in all hosting services, or only in the hosting services that I work with?
Why do we see this problem?
What must the web hosting administrator do to solve this problem?
I know that if we use error_reporting(0); in a PHP script, a hacker cannot find the account name, but I want users to be unable to implode other accounts' files.
Please help.
Thanks
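An audit a hosting administrator could run for the exposure described in this post, as an added example that is not part of the original post. It assumes the files are reachable because of Unix permissions (the file is world-readable and every parent directory is world-traversable), which the post does not confirm; the function name `exposed_configs` and the `/home/<account>/public_html` layout beyond the one path quoted above are assumptions.

```shell
#!/bin/sh
# Added example: list config files under <root>/<account>/public_html that any
# other local account can read. A file is reported only when it has o+r AND
# every directory between it and the hosting root has o+x, because a single
# non-traversable parent already blocks other accounts.
# Permission bits are inspected directly, so the result is the same when the
# audit runs as root.
exposed_configs() {
    root=${1:-/home}            # hosting root, taken from the path in the post
    pattern=${2:-config.php}    # file name from the post; adjust per application
    root=${root%/}
    find "$root" -path "$root/*/public_html/*" -type f -name "$pattern" \
         -perm -o=r 2>/dev/null |
    while IFS= read -r f; do
        d=$(dirname "$f")
        reachable=1
        while [ "$d" != "$root" ] && [ "$d" != "/" ]; do
            # find prints the directory only if "other" has the execute bit
            if [ -z "$(find "$d" -maxdepth 0 -perm -o=x 2>/dev/null)" ]; then
                reachable=0
                break
            fi
            d=$(dirname "$d")
        done
        if [ "$reachable" -eq 1 ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Typical use on a host (prints one exposed path per line):
#   exposed_configs /home config.php
```

An empty result means no matching file is readable through "other" permissions; it says nothing about access granted through a shared group or a shared web-server user.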