mehrdadabed
Hi,
Please read to the end:
I recently encountered a security problem in DirectAdmin.
I've compiled Apache 2.2 with suPHP as the PHP handler.
The problem is that all users could access other users' files through PHP (I've disabled Perl/CGI/Python completely for all users). To resolve this issue I tried to use "open_basedir" as an admin flag for each user, but since suPHP is used, "php_admin_value" could not be set, so I tried "SetEnv PHP_INI_SCAN_DIR" to assign a dedicated php.ini for each user and set a "php.ini" for each domain individually through each user's httpd.conf.
But now the users can override my options by setting their own "php.ini" in ".htaccess".
I spent a lot of time trying to find a method to disable the use of "SetEnv PHP_INI_SCAN_DIR" in .htaccess, with no success.
Please help me in this regard; I really feel insecure with the current condition!
Thanks
Abed
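
An audit for the situation described in the post, as an added example that is not part of the original post: it walks a directory tree and reports every `.htaccess` file that sets `PHP_INI_SCAN_DIR` with `SetEnv`. The function names, the sample file contents and the paths in it are constructed for illustration.

```python
import os
import shlex

WATCHED_VARS = {"PHP_INI_SCAN_DIR"}  # the variable named in the post

# Constructed sample .htaccess content (not taken from a real account).
SAMPLE = '''# constructed sample .htaccess
RewriteEngine On
setenv PHP_INI_SCAN_DIR "/home/user2/private ini"
SetEnv \\
    PHP_INI_SCAN_DIR /home/user2/ini
SetEnv APP_MODE production
'''

def logical_lines(text):
    """Yield (first_line_no, text) with Apache backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_overrides(htaccess_text):
    """Return [(line_no, variable, value)] for SetEnv lines that set a watched variable."""
    hits = []
    for no, line in logical_lines(htaccess_text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)   # handles quoted arguments
        except ValueError:              # unbalanced quote: plain split
            parts = line.split()
        # Apache directive names are case-insensitive; variable names are not.
        if len(parts) >= 2 and parts[0].lower() == "setenv" and parts[1] in WATCHED_VARS:
            hits.append((no, parts[1], parts[2] if len(parts) > 2 else ""))
    return hits

def audit_tree(root):
    """Return {path: hits} for every .htaccess under root that contains an override."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_overrides(fh.read())
            if hits:
                report[path] = hits
    return report
```

Run as root from cron, `audit_tree("/home")` (path assumed) gives a list of accounts whose `.htaccess` files need review.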