Hey,
Given the following situation:
User A has a file /home/a/domains/a.com/public_html/mysql.inc.php with all it's MySQL-credentials.
Now user B creates a file /home/b/domains/b.com/public_html/index.php and does a require("/home/a/domains/a.com/public_html/mysql.inc.php");
At this moment, this is allowed on my server! I don't like the safe_mode principle, as scripts like TYPO3 require it to be turned off and in PHP 6 safe_mode doesn't exist anymore, but I don't like this behaviour either.
What have you done to prevent this from happening?
Given the following situation:
User A has a file /home/a/domains/a.com/public_html/mysql.inc.php with all it's MySQL-credentials.
Now user B creates a file /home/b/domains/b.com/public_html/index.php and does a require("/home/a/domains/a.com/public_html/mysql.inc.php");
At this moment, this is allowed on my server! I don't like the safe_mode principle, as scripts like TYPO3 require it to be turned off and in PHP 6 safe_mode doesn't exist anymore, but I don't like this behaviour either.
What have you done to prevent this from happening?
Last edited:
You can add a list of functions to disable_functions list too (as exec, system, passthru etc.) for security.