DirectAdmin + CB2 + ModRUID2 + Default php settings = Security issue

[nservices]

Hi,
when you run php script with http://ip/~username/phpinfo.php
there is no any open_basedir restriction, so the php malware script can take control on the server.

checked with updated DA 1.4.83 + PHP 5.6.12 + APACHE 2.4.16

Please check and advice,

 

[DirectAdmin Support]

Thanks, I've added a fix:
https://www.directadmin.com/features.php?id=1773
I've added the changes to the pre-release section if you'd like the fix now:
http://help.directadmin.com/item.php?id=408

Don't forget to issue a rewrite after updating DA:

cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs

Let me know if you run into any issues with the changes.

John

 

[nservices]

work grate, thanks!

 

[gate2vn]

Did running "./build rewrite_confs" completely wipe out nginx_apache configuration? I run that after compiling nginx_apache, then no more nginx service. Had to recompile.

 

[zEitEr]

Hello,

Make sure you've got:

nginx_proxy=1

in /usr/local/directadmin/conf/directadmin.conf

If it was set to a default 0 [zero] then that's the reason that you lost nginx configuration after running "./build rewrite_confs".