duncan
Verified User
Hi Everyone,
I am running php5-cgi with Custombuild.
I switched to this setup a few years ago as my previous version of DA was compromised due to a user's Joomla installation that was hacked. The hacker then gained access to all domains that were running on my machine. So I read php5-cgi was safest, as it quarantines a user to their own directory, preventing an intruder from accessing other users' files.
Today I was shocked to see that the following code allows a user to view another user's files:
PHP:
<?php
readfile("home/user/domains/domain.com/public_html/mysql_passwords.php");
?>
Is this the result of a fault on my behalf with configuration? And if so, how can I fix it? Or is this an inherent vulnerability with php5-cgi?
If it makes any difference, Safe Mode is on for all domains, and Open BaseDir is off on all domains.
Thank you in advance!