On Mar 18, 2004, at 6:26 am, Scott Haneda wrote:

> ...
> The trouble I am having is I am able to read outside the current directory
> and traverse the entire file system with php using its abilities to read
> files. I can not read files that apache does not have permission to read,
> but those that it does, I can. For example, if I were to create a php file
> reading tool and tell it to go up one directory from my directory that holds
> all my web files, I would be in my root folder, up one more, and I would see
> a list of directories that were named the domain names of many other sites I
> am serving, if I were to jump into one of those sites and look around, I
> could locate say, some file called conf.incl.php and in that I would see
> some connection data to a database, from there, I could delete data from the
> database.

I'm not sure what you mean by a "php file reading tool".

<http://httpd.apache.org/docs/mod/mod_autoindex.html>

Summary

The index of a directory can come from one of two sources:

- A file written by the user, typically called index.html. The DirectoryIndex directive sets the name of this file. This is controlled by mod_dir.
- Otherwise, a listing generated by the server. The other directives control the format of this listing. The AddIcon, AddIconByEncoding and AddIconByType are used to set a list of icons to display for various file types; for each file listed, the first icon listed that matches the file is displayed. These are controlled by mod_autoindex.
- The two functions are separated so that you can completely remove (or replace) automatic index generation should you want to.

Automatic index generation is enabled with using Options +Indexes. See the Options directive for more details.

If you haven't set -Indexes in your Apache configuration files, then you should do so.

HTH,

Stroller.
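
An added example, not part of the original message: a small Python check that lists every `Options` line in an Apache configuration or `.htaccess` file that turns on server-generated listings, either through `Indexes`/`+Indexes` or through `All`, which includes `Indexes`. The sample configuration and its paths are constructed, and the function name is hypothetical; it reports explicit directives only and does not compute the merged setting Apache ends up with for a directory.

```python
import re

# Constructed sample configuration; the paths are placeholders, not from the thread.
SAMPLE_CONF = """\
<Directory "/var/www">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/site-a">
    Options -Indexes
</Directory>
<Directory "/var/www/site-b">
    Options All
</Directory>
<Directory "/var/www/site-c">
    # Options +Indexes
    Options FollowSymLinks
</Directory>
"""

SECTION_OPEN = re.compile(r"<(Directory|Location|VirtualHost)\b\s*(.*?)>", re.I)
SECTION_CLOSE = re.compile(r"</(Directory|Location|VirtualHost)\s*>", re.I)
ENABLING = {"indexes", "+indexes", "all"}  # "All" includes Indexes


def find_index_options(conf_text):
    """Return (line_no, scope, directive) for each Options line enabling listings."""
    findings = []
    scope = ["server config"]  # stack of enclosing sections
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        opened = SECTION_OPEN.match(line)
        if opened:
            target = opened.group(2).strip().strip('"')
            scope.append(f"{opened.group(1)} {target}")
            continue
        if SECTION_CLOSE.match(line):
            if len(scope) > 1:
                scope.pop()
            continue
        words = line.split()
        if words[0].lower() != "options":
            continue
        if any(w.lower() in ENABLING for w in words[1:]):
            findings.append((line_no, scope[-1], line))
    return findings


if __name__ == "__main__":
    for line_no, where, directive in find_index_options(SAMPLE_CONF):
        print(f"line {line_no} [{where}]: {directive}")
```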