#22598 [NEW]: web server security

Fri, 07 Mar 2003 17:19:44 -0800 

From:             luke at cywh dot com
Operating system: Windows XP
PHP version:      4.3.1
PHP Bug Type:     CGI related
Bug description:  web server security

I run a small hosting operation like geocities (free 20mb), and i offer php
support. problem is, is the users can access anything on my computer on
php. infact one did which is why im typing this up. someone suggested to
set openbase_dir, but when i do it shows up as no value in the phpinfo()
and it seems to not work at all. from what i understand is if you put a .
or something, or set it, its supposed to not allow scripts to access any
file outside the folder, but can allow subfolders from that script.

i run a webmail php script that has to access c:/windows/temp/itsname/

i dont want any user to access anything outside their folder.

i run apache 2.0.43. someone said i should downgrade php and apache which
i dont want to do. ive had to many problems with apache 1.3 and im not
going to downgrade from 2.0. i dont feel i have to do it anyway. if i have
to disable apache use for the users folders i will, but i dont really want
to take away a feature ive already promissed.

thanks guys

Luke Scott
www.cywh.com
(http://cytech.cywh.com/phpinfo.php)
(if you could, please send me an email)
-- 
Edit bug report at http://bugs.php.net/?id=22598&edit=1
-- 
Try a CVS snapshot:         http://bugs.php.net/fix.php?id=22598&r=trysnapshot
Fixed in CVS:               http://bugs.php.net/fix.php?id=22598&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=22598&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=22598&r=needtrace
Try newer version:          http://bugs.php.net/fix.php?id=22598&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=22598&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=22598&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=22598&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=22598&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=22598&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=22598&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=22598&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=22598&r=isapi
Install GNU Sed:            http://bugs.php.net/fix.php?id=22598&r=gnused

Reply via email to