Protection against readfile

daride

Verified User
Joined
Oct 6, 2005
Messages
19
Hello there,

I stumbled upon this through a friend of mine;
he was able to see every PHP file's source.

I already tried some protection with open_basedir,
however everything I tried doesn't work.

Script on my server to check it:
http://www.starhosted.com/hierzo.php

Can anyone help me or maybe secure me against this? (I have SSH access)
 
Just add readfile to the deny list in php.ini and restart httpd.
 
I did that...doesn't work.

I'm running a Debian server atm, could you tell me where exactly my php.ini is?
 
Also I don't think it's very smart to add it to the deny list, because it's something that's much used in PHP.

I thought it was a problem with the open_basedir restrictions.
Has anyone got an idea or a fix?
 
sullise said:
Is safe mode on?

I think it is ==>

Warning: shell_exec(): Cannot execute using backquotes in Safe Mode in /home/admin/domains/starhosted.com/public_html/hierzo.php on line 2

Warning: shell_exec(): Cannot execute using backquotes in Safe Mode in /home/admin/domains/starhosted.com/public_html/hierzo.php on line 11
 
Does it work across sites?

In my test on your site a moment ago I couldn't read /etc/passwd, which IS a world-readable file.

Jeff
 
I think I understand the situation now.

Readfile will be able to view any file under your /home/username directory if it's readable, but shouldn't be able to read anything above that.

Shouldn't be able to read anybody else's /home/username site files.

You can't (or shouldn't) disable it because it's used by a lot of scripts.
 
sullise said:
I think I understand the situation now.

Readfile will be able to view any file under your /home/username directory if it's readable, but shouldn't be able to read anything above that.

Shouldn't be able to read anybody else's /home/username site files.

You can't (or shouldn't) disable it because it's used by a lot of scripts.

You're 100% correct!!
Couldn't type it better (maybe that is because I'm Dutch :D )

So I hope someone can help me out of this because it's REALLY getting annoying.
 
daride, your phpinfo screen says safe_mode is on.

Is that what you want?

Is it on?

Don't forget it can be controlled site by site.

Jeff
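Sullise's point above (readfile is confined to the user's own /home/username tree, nothing above it) and Jeff's point that this can be controlled site by site both come down to open_basedir being set per VirtualHost rather than once in php.ini. The fragment below is an added example for this thread, not configuration posted by anyone in it or shipped by DirectAdmin; it assumes mod_php under Apache 2, uses the starhosted.com path that appears in the warnings above, and invents a second customer (`userb`) to show the per-site boundary.

```apache
# Weak: a single server-wide open_basedir (or none) in php.ini lets the PHP of any
# site read every readable file under /home, which is the situation in this thread.
<VirtualHost *:80>
    ServerName starhosted.com
    DocumentRoot /home/admin/domains/starhosted.com/public_html
    # no per-site open_basedir here, so the global value (or no restriction) applies
</VirtualHost>

# Corrected: each site is confined to its own home directory plus a temp directory.
# php_admin_value cannot be overridden from .htaccess or ini_set(), unlike php_value.
<VirtualHost *:80>
    ServerName starhosted.com
    DocumentRoot /home/admin/domains/starhosted.com/public_html
    php_admin_value open_basedir "/home/admin/:/tmp/"
    # safe_mode is not a substitute for open_basedir (and was removed in PHP 5.4)
    php_admin_flag safe_mode Off
</VirtualHost>

<VirtualHost *:80>
    ServerName userb.example       # constructed second customer, not from the thread
    DocumentRoot /home/userb/domains/userb.example/public_html
    php_admin_value open_basedir "/home/userb/:/tmp/"
</VirtualHost>
```

With this in place, a `readfile('/home/userb/...')` call from the starhosted.com site fails with an "open_basedir restriction in effect" warning instead of returning the file, and `/etc/passwd` stays unreadable as Jeff observed. The trailing slash matters: `/home/admin` without it would also match `/home/admin2`. On Debian the php.ini that mod_php reads is the one under `/etc/php*/apache2/`, not the CLI one, and Apache has to be restarted after changing either file. Note that open_basedir only governs PHP's own file functions; when every site runs as the same Apache user, directory permissions (e.g. home directories not world-readable) are the second half of the fix.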
 
jlasman said:
daride, your phpinfo screen says safe_mode is on.

Is that what you want?

Is it on?

Don't forget it can be controlled site by site.

Jeff

I just want a safe environment for my users to run their websites in...

I switched safe_mode on because someone said it would fix my problem, however it didn't...

If some Linux (Debian) or DirectAdmin expert is willing to fix it for me... contact me, I'll give you SSH access.
 
I'm still not fully getting what the problem is. Are you running a "free" hosting account under a single shared hosting account?
 
sullise said:
I'm still not fully getting what the problem is. Are you running a "free" hosting account under a single shared hosting account?

I'm running my own dedicated server which is for a hosting company called starhosted....

The problem is that other users can read every other user's files.
 
If safe_mode is on they shouldn't be able to do that.

Please be more clear; give us a complete scenario of exactly what user A does to read user B's site.

Jeff
 