PHP secuirty issues

Problems with the Windows version of XAMPP, questions, comments, and anything related.

PHP secuirty issues

Postby tchamberlain » 08. August 2004 19:21

I have a Windows 2000 Server box running min-xampp, it works like a charm. I have ServU ftp on the machine it limits the user to their home directory and no where else. I have a directory in the mini-xampp folder called users. Our billing system automatically creates the users folder using their 4 digit customer number for the users directory.


So if a user was customer # 1001, then they would be access on our site

http://members.domain.com/~1001/

So far everythings fine, but I have virtual hosts on the box using their folder located under users for when they want to have www.mydomain.com, which works great well. So user 1001 can also be www.mydomain.com using the same folder. Most users just have the free non virtual host setup.

I'm real happy with the setup, but I just realized (duh!) that anyone I give php access to can view anything on the hard drive.

Can I disable PHP on Apache main server (if thats the correct usage) and assign it only to the virtual hosts I want to have it.

Other words I don't want our dialup users who get free web sites to have php, but I do want our virtual host users to have PHP, that limits access to PHP to a very select few.

And/Or

Is there a way to tell PHP not to access anything outside my c:\minixampp\users directory?

I still would want to disable PHP for everyone but the virtual hosts if possible.

Thanks in advance for any help anyone can give, I searched here and found nothing related to this in the english forum areas.
tchamberlain
 
Posts: 3
Joined: 08. August 2004 19:05

Postby tchamberlain » 08. August 2004 19:44

Ok I figured out how to restrict it to only virtual hosts and on a per host basis and thought I would post it incase anyone else ever needed this.

I commented out the addtype application/x-httpd-php line in httpd.conf


And copied it to each of the virtual hosts I wanted to have php ability, uncommented ofcourse.

Now all I have to do is figure out how to restirct PHP to a certain directory on the hard driver in my case the main users directory and sub directories.
tchamberlain
 
Posts: 3
Joined: 08. August 2004 19:05

Postby Wiedmann » 08. August 2004 21:30

Now all I have to do is figure out how to restirct PHP to a certain directory on the hard driver in my case the main users directory and sub directories.

http://de.php.net/manual/en/features.sa ... en-basedir
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Postby tchamberlain » 08. August 2004 22:07

Thank you so much for that. I was able to add the correct setting per vhost to limit them to that directory and subdirectories below it.

In my example for user 1001 I added this in the vhost area for them

php_admin_value open_basedir "c:/minixampp/user/1001/"


Again thanks and I feel a lot more secure knowing users can not roam the system and read and write anywhere they want to.
tchamberlain
 
Posts: 3
Joined: 08. August 2004 19:05


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 36 guests