When using the following PHP code, I could access literally any file I want... I don't suppose it's supposed to do that... PHP: echo file_get_contents("/etc/<ANYFILE>");
What would be the cause for php.ini to allow this? Which setting? PHP mode is on Fast-CGI. The options CGI scripts, SSI (CGI) and SuEXEC are all disabled.
If you use fastcgi, you should always enable suexec as this ensures that the php scripts run under the user of the website. Also you should set the open_basedir path in the cgi php.ini to /var/www and then disable functions like exec, passthru and system in the php.ini.
Of course it affects some php scripts, especially backdoors, but not any common php scripts like CMS systems, as they don't call external shell scripts.
After I did the above, some websites suddenly stopped working and I got a "No input file specified." line when visiting them.
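An added example, not part of the original thread: a small Python audit of the php.ini settings recommended in the answer (open_basedir, and exec, passthru and system in disable_functions). It also flags any site document root that lies outside open_basedir, which is one thing to check when sites stop working after the change. The function names, the sample php.ini text and the document root paths are constructed for illustration, and a Unix-style colon-separated open_basedir is assumed.

```python
import posixpath

RISKY = {"exec", "passthru", "system"}  # functions named in the answer above

def parse_ini(text):
    """Return the last value set for each directive; php.ini uses ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def inside(path, base):
    """True if path is base or lies beneath it, after resolving '..' segments."""
    path, base = posixpath.normpath(path), posixpath.normpath(base)
    return path == base or path.startswith(base.rstrip("/") + "/")

def audit(ini_text, docroots=()):
    """List findings for the settings discussed in the thread."""
    s = parse_ini(ini_text)
    findings = []
    # Assumption: Unix-style ':' separator between open_basedir entries
    bases = [b for b in s.get("open_basedir", "").split(":") if b]
    if not bases:
        findings.append("open_basedir unset: scripts can read any file the PHP user can")
    elif any(inside("/etc", b) for b in bases):
        findings.append("open_basedir still covers /etc")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    missing = sorted(RISKY - disabled)
    if missing:
        findings.append("not disabled: " + ", ".join(missing))
    for root in docroots:
        if bases and not any(inside(root, b) for b in bases):
            findings.append(f"{root} is outside open_basedir")
    return findings

# Constructed sample inputs (not taken from the thread)
WEAK = "[PHP]\n; stock settings\ndisable_functions =\n;open_basedir =\n"
HARDENED = "[PHP]\nopen_basedir = /var/www\ndisable_functions = exec,passthru,system\n"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(ini, ["/var/www/site1/web", "/home/site2/public_html"]))
```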