Urgent PHP security problem on Intranet server...

  Gaz 25 17:25 23 Sep 2004

I am running Apache with PHP loaded as a module on a local intranet, and someone has uploaded an upload script and by changing c:\wwwfiles\www\ to: c:\ they have gained ROOT access.

How can I stop PHP from allowing access to anything but the files they should be allowed to access?

It also is able to delete and modify or create files in C:\ and it's logged on as a restricted user.

How is this possible? Safe_mode=on and disable_features has many things disabled including exec,system,dl(), etc...

How can I stop this? I need urgent response to this please, as it's a serious problem.


  Forum Editor 17:39 23 Sep 2004

  Gaz 25 17:44 23 Sep 2004

Adding the following code to Apache under the main server base directory:

<Directory "c:\wwwfiles\www\">
php_admin_value open_basedir "c:\wwwfiles\www\"
</Directory>

... works a treat.

Now upload script says: Directory: C:\

"c:\" can not be read.

  Forum Editor 18:10 23 Sep 2004

I know how worrying this must have been.

  Gaz 25 18:14 23 Sep 2004

Especially, it was only alerted to admin staff just about half an hour ago. Someone reported it to me, and since I administer the server, I should have known, but with it being on intranet I didn't set open_basedir.

All working and secure now anyway.
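
A self-check for the open_basedir fix described in this thread, added here as an example and not code posted by anyone in the thread. It assumes a Windows server and the document root c:\wwwfiles\www\ from the thread; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Request it through Apache (not the
// PHP CLI) so it runs under the same php_admin_value settings as other scripts.

// Normalise a Windows path for a case-insensitive prefix comparison.
function norm_path($p)
{
    return rtrim(strtolower(str_replace('\\', '/', $p)), '/') . '/';
}

// Returns a list of findings; an empty list means confinement looks effective.
function check_confinement($allowedRoot)
{
    $findings = [];
    $root     = norm_path($allowedRoot);
    $setting  = (string) ini_get('open_basedir');

    if ($setting === '') {
        $findings[] = 'open_basedir is empty: no filesystem restriction applies';
    }
    // Every configured entry must sit at or below the allowed root.
    foreach (array_filter(explode(PATH_SEPARATOR, $setting)) as $entry) {
        if (strpos(norm_path($entry), $root) !== 0) {
            $findings[] = "entry '$entry' is broader than '$allowedRoot'";
        }
    }
    // Active probe: listing the parent directory and the drive root must fail.
    $parent = dirname(rtrim($allowedRoot, '/\\'));
    foreach ([$parent, 'c:\\'] as $outside) {
        if (@scandir($outside) !== false) {
            $findings[] = "'$outside' is still readable from PHP";
        }
    }
    return $findings;
}

// Assumption: the document root used in the thread; change it for your server.
$findings = check_confinement('c:\\wwwfiles\\www\\');
header('Content-Type: text/plain');
echo $findings ? "FAIL\n" . implode("\n", $findings) . "\n" : "OK: confined\n";
```

Placed inside the restricted directory, it should print "OK: confined" once the Directory block is active, and list each gap otherwise.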
