PHP Security, Part 1
Subject:   no PHP security on shared web servers
Date:   2003-08-22 06:57:48
From:   anonymous2
Response to: no PHP security on shared web servers

The Web hosting company could add an open_basedir directive in the config file for each client's "root" (top-level or virtual host) folder:

Client ABC gets the directive:
open_basedir = '<somepath>/clientABC/'

Client XYZ gets the directive:
open_basedir = '<somepath>/clientXYZ/'

The default directive for PHP is:
open_basedir = '.'
(If not explicitly set for a folder, PHP scripts can only fopen/include from the current folder)

This seems to make it substantially more difficult for PHP code in /clientABC/ to get to code in /clientXYZ/ - although I won't say it is impossible...

  • no PHP security on shared web servers
    2003-09-02 12:37:56  anonymous2

    You can use a client like phpshell, and can type in:

    cat /home/clientXYZ/*.php

    and you will probably see screens of PHP code from clientXYZ's folder.

    I agree with the original author. Shared hosting is extremely insecure.
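
An added example, not part of either post: a Python audit covering both points in this thread, namely whether every client vhost has an open_basedir confined to its own folder, and whether PHP's process-spawning functions are still callable (a spawned command such as cat is not subject to open_basedir). It assumes mod_php with per-vhost `php_admin_value` lines; the hostnames, paths and config text are constructed sample input.

```python
import re

# Constructed sample input (not from the thread): global php.ini and Apache vhosts.
PHP_INI = "disable_functions = exec,system\n"
VHOSTS = """
<VirtualHost *:80>
    ServerName clientabc.example
    DocumentRoot /srv/www/clientABC
    php_admin_value open_basedir /srv/www/clientABC/
</VirtualHost>
<VirtualHost *:80>
    ServerName clientxyz.example
    DocumentRoot /srv/www/clientXYZ
</VirtualHost>
<VirtualHost *:80>
    ServerName clientdef.example
    DocumentRoot /srv/www/clientDEF
    php_admin_value open_basedir /srv/www/
</VirtualHost>
"""

# PHP functions that start a process; open_basedir does not limit what it reads.
SHELL_FUNCS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}

def undisabled_shell_functions(php_ini):
    """Process-spawning functions still callable (disable_functions is php.ini-only)."""
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", php_ini, re.M)
    disabled = {f.strip() for f in m.group(1).strip("\"'").split(",")} if m else set()
    return sorted(SHELL_FUNCS - disabled)

def norm(path):
    """Strip quotes and force exactly one trailing slash for prefix comparison."""
    return path.strip("\"'").rstrip("/") + "/"

def audit_vhosts(conf):
    """Map ServerName -> finding for vhosts whose open_basedir is absent or too wide."""
    findings = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M).group(1)
        root = norm(re.search(r"^\s*DocumentRoot\s+(\S+)", block, re.M).group(1))
        m = re.search(r"^\s*php_admin_value\s+open_basedir\s+(\S+)", block, re.M)
        if not m:
            findings[name] = "open_basedir not set"
            continue
        # Unix separates multiple open_basedir entries with ':'
        wide = [d for d in map(norm, m.group(1).split(":")) if not d.startswith(root)]
        if wide:
            findings[name] = "open_basedir reaches outside DocumentRoot: " + ", ".join(wide)
    return findings
```

A clean result from `audit_vhosts` only covers PHP's own file functions; any name returned by `undisabled_shell_functions` still needs to be disabled or contained by per-client OS users and file permissions.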