My problem is that this is possible:
Code:
$handle = opendir("C:/");
$file = readdir($handle);
Using those functions anyone can list any folder that the user running Apache can. In this case, it means that people actually can list: C:\ and see (but not enter) for example:
C:\pagefile.sys << they can, however, read this file (if it weren't for the read-lock that the OS has applied to it.)
To add: There are also functions to write files, edit files, delete files, and the Apache-user has some demands on writing to certain folders too - see where I'm going?
How do I lock down users to their own directories, without damaging their scripts (e.g. forums)?
User 'moron' has access to C:\www\apacheusers\moron through FTP.
User 'moron's URL is http://www.something.com/~moron
How do I lock down 'moron' so that he can only touch his own files in his folder C:\www\apacheusers\moron and subdirectories?
Keep in mind that there is not only 'moron' on the webserver, but also some other people who shouldn't be able to jump from their directories.
Thanks for any help!
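
One way to confine PHP's file functions per user, added here as an example and not part of the original post: a per-directory open_basedir set from httpd.conf. It assumes PHP is loaded as an Apache module (so php_admin_value is available); the temp directory C:/www/phptmp/moron is a hypothetical path chosen for illustration.

```apache
# Added example, not from the original post.
# Assumes PHP runs as an Apache module; php_admin_value settings
# cannot be overridden from .htaccess or ini_set() in user scripts.
<Directory "C:/www/apacheusers/moron">
    # Limit opendir(), readdir(), fopen(), unlink() etc. to these trees.
    # The trailing slash makes the match a directory, not a prefix,
    # so a sibling such as C:/www/apacheusers/moron2 is not included.
    # Multiple paths are separated by ";" on Windows.
    php_admin_value open_basedir "C:/www/apacheusers/moron/;C:/www/phptmp/moron/"

    # Hypothetical per-user directory for session files, so scripts
    # such as forums keep working without access to a shared temp folder.
    php_admin_value session.save_path "C:/www/phptmp/moron"
</Directory>

# Repeat one <Directory> block per user, each with its own paths.
```

open_basedir only constrains PHP's own file functions; programs started through PHP's shell-execution functions are not bound by it, so the NTFS permissions of the account running Apache still matter.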