PHP security issues
Posted: 08. August 2004 19:21
I have a Windows 2000 Server box running mini-xampp, and it works like a charm. I have ServU FTP on the machine; it limits the user to their home directory and nowhere else. I have a directory in the mini-xampp folder called users. Our billing system automatically creates the user's folder, using their 4-digit customer number, in the users directory.
So if a user was customer # 1001, then they would be accessible on our site at
http://members.domain.com/~1001/
So far everything's fine, but I have virtual hosts on the box using their folder located under users for when they want to have www.mydomain.com, which works great as well. So user 1001 can also be www.mydomain.com using the same folder. Most users just have the free non-virtual-host setup.
I'm real happy with the setup, but I just realized (duh!) that anyone I give PHP access to can view anything on the hard drive.
Can I disable PHP on the Apache main server (if that's the correct usage) and assign it only to the virtual hosts I want to have it?
In other words, I don't want our dialup users who get free web sites to have PHP, but I do want our virtual host users to have PHP; that limits access to PHP to a very select few.
And/Or
Is there a way to tell PHP not to access anything outside my c:\minixampp\users directory?
I still would want to disable PHP for everyone but the virtual hosts if possible.
Thanks in advance for any help anyone can give. I searched here and found nothing related to this in the English forum areas.