Urgent PHP security problem on Intranet server...

  Gaz 25 17:25 23 Sep 2004

I am running Apache with PHP loaded as a module on a local intranet, and someone has uploaded an upload script and by changing c:\wwwfiles\www\ to c:\ they have gained ROOT access.

How can I stop PHP from allowing access to anything but the files they should be allowed to access?

It is also able to delete, modify or create files in C:\, and it's logged on as a restricted user.

How is this possible? Safe_mode=on and disable_features has many things disabled including exec,system,dl(), etc...

How can I stop this? I need an urgent response to this please, as it's a serious problem.


  Forum Editor 17:39 23 Sep 2004
  Gaz 25 17:44 23 Sep 2004

Adding the following code to Apache under the main server base directory:

<Directory "C:/wwwfiles/www/">
    # Confine PHP file operations to this directory tree
    # (forward slashes are the form Apache recommends on Windows).
    php_admin_value open_basedir "C:/wwwfiles/www/"
</Directory>

... works a treat.

Now upload script says: Directory: C:\

"c:\" can not be read.
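As an added illustration (not code from the thread), this is the application-level check an upload or directory-listing script should make itself, on top of open_basedir: resolve the requested directory and refuse anything outside the document root. The demo base directory is constructed under the system temp dir; on the thread's server it would be c:\wwwfiles\www.

```php
<?php
// Added example, not from the original thread. Demonstrates a path-containment
// check that refuses a user-supplied directory (e.g. "C:\" substituted for
// "C:\wwwfiles\www\") unless it resolves inside the allowed base.
declare(strict_types=1);

/**
 * Return the canonical path of $requested if it lies inside $base,
 * otherwise null. Symlinks and ".." are resolved by realpath() first, so
 * the comparison is made on real paths rather than on the raw input.
 */
function resolveInsideBase(string $requested, string $base): ?string
{
    $realBase = realpath($base);
    $realReq  = realpath($requested);
    if ($realBase === false || $realReq === false) {
        return null;                       // nonexistent paths are refused
    }
    // Normalise separators and case so the prefix test also works on Windows.
    $normBase = rtrim(strtr(strtolower($realBase), '\\', '/'), '/') . '/';
    $normReq  = rtrim(strtr(strtolower($realReq), '\\', '/'), '/') . '/';
    return strncmp($normReq, $normBase, strlen($normBase)) === 0 ? $realReq : null;
}

// Constructed demo layout: a base directory standing in for c:\wwwfiles\www.
$base = sys_get_temp_dir() . '/wwwfiles_www_demo';
@mkdir($base . '/uploads', 0700, true);

// The first two requests stay inside the base; the last two mirror the
// thread's attack (a parent directory substituted for the document root).
$requests = [
    $base,
    $base . '/uploads',
    $base . '/../',
    sys_get_temp_dir(),
];
foreach ($requests as $dir) {
    $resolved = resolveInsideBase($dir, $base);
    printf("%-40s => %s\n", $dir,
        $resolved === null ? 'REFUSED' : 'allowed (' . $resolved . ')');
}
```

The first two requests are served, the last two are refused; open_basedir would also block the refused ones at the PHP level, but the script should not rely on that alone.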

  Forum Editor 18:10 23 Sep 2004

I know how worrying this must have been.

  Gaz 25 18:14 23 Sep 2004

Especially as it was only reported to admin staff about half an hour ago. Someone reported it to me, and since I administer the server, I should have known, but with it being on the intranet I didn't set open_basedir.

All working and secure now anyway.
