Windows 2k + Apache 2.x + PHP 4.x + Security = True?

Postby MainGear » Mon Mar 28, 2005 1:15 am

Okay, I know that Apache + PHP runs best on Linux, but since my skills in Linux are quite limited I wish to get as much out of Win2k instead.

As stated in the subject, this is my setup:
- Apache 2 (C:\www\Apache2\)
- PHP 4 (C:\www\php\) (CGI since Apache complains trying the module)
- Windows 2000 Pro

I've set up an account for Apache to run as a service, with which I've limited filesystem access as much as I can, but I'm still not happy. As far as I've come, PHP can list all folder contents down its path, which means that it can list:
C:\
C:\www\
C:\www\*

I wish there were a way to limit PHP scripts' access to the system by changing only php.ini. I've tried the different path settings such as basedir and userdir (I don't remember the exact names), but I end up with "No input file specified." when browsing the different PHP pages.

If you'd like to help me out on this one, then I'd be really grateful for it!

(I'm sorry if my English isn't the best, I'm from Sweden.)


Postby Alexej Kubarev » Mon Mar 28, 2005 7:03 am

I would actually make it so that webpages are on a separate hard disk.
And what do you mean that PHP can list all the files on its path?

You mean listing files outside your directory root (several levels higher) or what?

By the way -- if you add me on MSN, I can help you a bit better ;-)


Postby ruturajv » Mon Mar 28, 2005 9:52 pm

Do you want directory listing by Apache or by PHP?
To enable directory listing by Apache, check the httpd.conf file, and in

Code:

<Directory c:/pro.../htdocs>
Options +Indexes
...

</Directory>


Postby Alexej Kubarev » Tue Mar 29, 2005 12:04 am

The problem is, ruturajv, that this would be a shared host -- and he doesn't like that everyone else may have access to the whole server (or hard drive) through PHP... I am actually a bit confused as this should be any problem due to the read-only rights for PHP on a server outside its root :S

Postby MainGear » Tue Mar 29, 2005 2:36 am

My problem is that this is possible:

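Code:

<?php
// Runs with the rights of the account Apache runs as
$handle = opendir("C:/");   // open the root of the system drive
$file = readdir($handle);   // read the first directory entry
closedir($handle);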


Using those functions anyone can list any folder that the user running Apache can. In this case, it means that people actually can list: C:\ and see (but not enter) for example:
C:\program
C:\winnt
C:\pagefile.sys << they can, however, read this file (if it weren't for the read-lock that the OS has applied to it.)

To add: There are also functions to write files, edit files, delete files, and the Apache user has some demands on writing to certain folders too - see where I'm going?

How do I lock down users to their own directories, without damaging their scripts (eg. forums)?

Example:
User 'moron' has access to C:\www\apacheusers\moron through FTP.
User 'moron's URL is http://www.something.com/~moron

How do I lock down 'moron' so that he only can touch his own files in his folder C:\www\apacheusers\moron and subdirectories?

Keep in mind that there is not only 'moron' on the webserver, but also some other people who shouldn't be able to jump from their directories.

Thanks for any help!
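
A check an administrator could place in a test account's folder to verify the lockdown asked about above (an added example, not part of the original thread). It assumes the "basedir" setting mentioned earlier is php.ini's `open_basedir`; the function names, `$allowedBase` and the probe list are illustrative, built from the paths in the posts.

```php
<?php
// Added example: report directories this PHP runtime can list outside one
// user's tree. $allowedBase and $probes are constructed from the thread's paths.

function is_inside($path, $base)
{
    // Compare resolved paths with a trailing separator, so that
    // ".../moron2" is not treated as being inside ".../moron".
    $p = realpath($path);
    $b = realpath($base);
    if ($p === false || $b === false) {
        return false;
    }
    // Windows paths: case-insensitive, either slash style.
    $p = rtrim(str_replace('\\', '/', strtolower($p)), '/') . '/';
    $b = rtrim(str_replace('\\', '/', strtolower($b)), '/') . '/';
    return strpos($p, $b) === 0;
}

function can_list($dir)
{
    $h = @opendir($dir);   // false when NTFS ACLs or open_basedir refuse
    if ($h === false) {
        return false;
    }
    closedir($h);
    return true;
}

function audit($allowedBase, $probes)
{
    $findings = array();
    foreach ($probes as $dir) {
        if (can_list($dir) && !is_inside($dir, $allowedBase)) {
            $findings[] = $dir;   // listable, but outside the user's tree
        }
    }
    return $findings;
}

$allowedBase = 'C:/www/apacheusers/moron';
$probes = array('C:/', 'C:/www', 'C:/www/apacheusers', 'C:/winnt', $allowedBase);

echo 'open_basedir = "' . ini_get('open_basedir') . "\"\n";
foreach (audit($allowedBase, $probes) as $dir) {
    echo "EXPOSED: $dir\n";
}
```

When `open_basedir` is limited to the user's tree, or the service account's NTFS rights no longer allow listing the parent folders, the script prints no EXPOSED lines.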

