php-windows Digest 20 Aug 2001 08:21:41 -0000 Issue 711

Topics (messages 8944 through 8945):

Restricting access to system files
        8944 by: Erick Baum
        8945 by: Phil Driscoll

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------


Hello,

Maybe I have missed something very obvious in the setup of PHP on our
Windows2000 server with IIS5.  But I cannot seem to figure out how to stop
people from being able to "read" any file on the system they wish by simply
FOPENing the file.  For instance, I tested this by writing a very simple php
script that would open c:\winnt\php.ini and display the contents.  This is
obviously not something we want people to be able to do.

Short of removing the IUSR account from having read access to everything, is
there an easier way to stop PHP from allowing access outside a certain
directory?

Thanks,
Erick


----------------------------------------------------------------------

On Monday 20 August 2001 3:21 am, Erick Baum wrote:
> Hello,
>
> Maybe I have missed something very obvious in the setup of PHP on our
> Windows2000 server with IIS5.  But I cannot seem to figure out how to stop
> people from being able to "read" any file on the system they wish by simply
> FOPENing the file.  For instance, I tested this by writing a very simple
> php script that would open c:\winnt\php.ini and display the contents.  This
> is obviously not something we want people to be able to do.
>
> Short of removing the IUSR account from having read access to everything,
> is there an easier way to stop PHP from allowing access outside a certain
> directory?

You can use the open_basedir directive in php.ini to restrict fopen's access 
to directories.
http://www.php.net/manual/en/configuration.php
Having said that, I suspect that it would be sensible to have a long hard 
look at file permissions on your machine. I don't know about W2K, but on NT4, 
the default setup leaves just about everything set with full control for 
everybody. Do a google search for something like harden windows 2000, and you 
should get some tips.

Cheers
-- 
Phil Driscoll
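The open_basedir behaviour Phil describes, as an added example that is not part of the original thread. It is a stand-alone PHP CLI script: it reads a file with no restriction in place, then tightens open_basedir at runtime with ini_set (allowed in PHP 5.3 and later, and only ever in the stricter direction) and shows that the same read outside the permitted directory now fails. The obd_demo directory name under the system temp directory and the sample php.ini line in the comments are assumptions for the demo, not settings from the thread.

```php
<?php
// Added example (not from the original mailing-list posts): demonstrates
// how open_basedir confines PHP file access. Run from the command line:
//   php open_basedir_demo.php

function demo_open_basedir(): array
{
    // Scratch directory used as the "allowed" area; name is arbitrary.
    $base = realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR . 'obd_demo';
    if (!is_dir($base)) {
        mkdir($base);
    }
    $allowed = $base . DIRECTORY_SEPARATOR . 'allowed.txt';
    file_put_contents($allowed, "inside the permitted directory\n");

    // Before the restriction: any file the process account can read
    // (here, this script itself) is readable from PHP code. This is the
    // situation in the original question, where c:\winnt\php.ini could
    // simply be opened and echoed.
    $readable_before = file_get_contents(__FILE__) !== false;

    // Apply the restriction. In production this belongs in php.ini, e.g.
    //   open_basedir = "C:\Inetpub\wwwroot\"
    // (separate several directories with ';' on Windows, ':' elsewhere).
    // The trailing separator matters: open_basedir is a prefix match, so
    // "C:\Inetpub\wwwroot" would also admit "C:\Inetpub\wwwroot2".
    ini_set('open_basedir', $base . DIRECTORY_SEPARATOR);

    // Inside the permitted prefix: the read still works.
    $inside = @file_get_contents($allowed);

    // Outside it: PHP emits "open_basedir restriction in effect" as an
    // E_WARNING (suppressed here with @) and returns false. The same
    // applies to fopen(), include, file(), is_file() and friends.
    $outside = @file_get_contents(__FILE__);

    return [
        'readable_before_restriction' => $readable_before, // true
        'inside_read'                 => $inside,          // file contents
        'outside_read'                => $outside,         // false
    ];
}

var_dump(demo_open_basedir());
```

Two caveats a practitioner should keep in mind, both consistent with Phil's advice: open_basedir is enforced only by PHP's own file functions, so it does nothing about what the web server account can reach through other components, and it is a prefix check, not a sandbox. Filesystem ACLs on the IUSR account remain the real boundary; open_basedir is a second layer on top of them.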
