Pablo,
As a shared hosting company myself (http://www.simplenet.com/), I can guarantee that is not the way it is supposed to be. We make sure that can't happen by running in Safe mode, using the open_basedir directive, and making sure the directory tree has the correct permissions so the situation you described cannot happen.
So, I'd say that your shared host is doing a poor job of implementing PHP.
Tim.
At 08:31 PM 9/25/2004, Pablo Gosse wrote:
Hi folks. I recently set up hosting for my site and have noticed something which is making me nervous.
I can't seem to include files outside of my webroot, so I wrote a script to test permissions using passthru to output the results of a bunch of ls -la commands to see what I did and did not have access to. Eventually I was able to read the directory which holds the root folders for all sites on the server, and from there I was able to read files (revealing the php source) from the webroot of another site.
This to me is a huge security issue since if anyone has any sensitive information there, it could easily be accessed by anyone else hosting on the same server. And because I can't seem to include files from outside my webroot, if I stay with this company I'll be forced to include information such as database passwords inside my webroot, therefore exposing the information to every other user on the server, and that's just not acceptable.
All of my experience until now has been in situations where the sites I've worked on have been hosted on dedicated servers, so this has never been a problem.
Is this a common setup for shared hosting? Is there any way around this?
Cheers and TIA.
Pablo
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
SimpleNet's Back ! http://www.simplenet.com
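
A permission audit for the situation in this thread, as an added example that is not from either poster or from PHP: it flags a hosting base directory that any account can list, customer roots open to other accounts, and PHP sources readable by them. It checks filesystem permissions because open_basedir restricts PHP's own file functions but not commands started through passthru, and safe_mode was removed in PHP 5.4. Assumptions: the BASE/<site>/ layout and the per-customer Unix accounts are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed layout (hypothetical): BASE/<site>/ is one customer's
# root, and each customer's PHP runs under that customer's own Unix account,
# so the "other" permission bits decide what a neighbouring tenant can reach.

# Succeeds if any account can list BASE and so enumerate every site on the box.
base_is_listable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# Customer roots that other accounts can list (r) or traverse (x).
exposed_site_roots() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) | sort
}

# PHP sources readable by other accounts (database passwords often live here).
world_readable_php() {
    find "$1" -mindepth 2 -type f -name '*.php' -perm -004 | sort
}

# Prints one line per finding; returns 1 when anything is exposed, 0 when clean.
audit_hosting_tree() {
    report=$(
        base_is_listable "$1" && echo "LISTABLE  $1"
        exposed_site_roots "$1" | sed 's/^/SITE-ROOT /'
        world_readable_php "$1" | sed 's/^/PHP-FILE  /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run only when a base directory is passed as the first argument.
if [ -n "${1:-}" ]; then
    audit_hosting_tree "$1"
fi
```

A base directory with mode 711 passes the first check: accounts can still traverse it to reach their own site but cannot list the other sites.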