I located a PHP file browser on a customer's web site. This browser allowed anyone to browse through the entire file system of the hosting server. Standard permissions applied, and it would seem nothing bad has happened. My concern is that if a user has something like this, or their site allowed someone to upload something like this, it could put the whole server at risk. I understand there is a chroot for SSH; would it be a good idea here? If so, can I implement it on an active server?
1) Ensure that you have hardened your PHP install by making sure functions like exec, passthru, etc. are disabled in the php.ini used for CGI/FCGI and PHP-FPM.
2) Ensure that suexec is enabled in the website settings.
3) Ensure that you use PHP mode php-fcgi or php-fpm.
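The first step of the answer is easy to get wrong because `disable_functions` is a single comma-separated directive and a partial list silently leaves gaps. The following POSIX shell script is an added example, not code from the original post or from any hosting panel: it reads the `disable_functions` line from a php.ini-style file and reports which process-execution functions are still allowed. The answer names only `exec` and `passthru`; the additional names in `REQUIRED` (`shell_exec`, `system`, `proc_open`, `popen`) are my assumption of what a hardened list usually includes, and the two sample ini files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: check a php.ini-style file for the disable_functions hardening
# described in the answer. Not part of the original post.

# Functions that should appear in disable_functions. exec and passthru come
# from the answer; the rest are an assumption about a typical hardened list.
REQUIRED="exec passthru shell_exec system proc_open popen"

# Print the value of the (last, uncommented) disable_functions directive in the
# file given as $1, with blanks stripped. Prints nothing if the directive is unset.
get_disable_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '[:blank:]'
}

# Print the names from REQUIRED that are NOT disabled in file $1, space-separated.
# Returns 0 when nothing is missing, 1 otherwise, so it can be used in an if.
missing_disabled_functions() {
    current=$(get_disable_functions "$1")
    missing=""
    for fn in $REQUIRED; do
        case ",$current," in
            *",$fn,"*) ;;                      # already listed
            *) missing="$missing $fn" ;;       # still callable
        esac
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demo on two constructed ini files (placeholders, not real server paths).
weak_ini=$(mktemp) && hard_ini=$(mktemp)
printf '; constructed sample: directive present but empty\ndisable_functions =\n' > "$weak_ini"
printf 'disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n' > "$hard_ini"

for ini in "$weak_ini" "$hard_ini"; do
    if missing_disabled_functions "$ini" >/dev/null; then
        echo "$ini: all required functions disabled"
    else
        echo "$ini: NOT hardened, still callable: $(missing_disabled_functions "$ini")"
    fi
done
rm -f "$weak_ini" "$hard_ini"
```

Point it at the php.ini that the CGI/FCGI or FPM SAPI actually loads (`php -i | grep 'Loaded Configuration File'` under the same SAPI shows which one), since the CLI and web configs often differ. The script parses only the plain `disable_functions =` form; a PHP-FPM pool file that sets it via `php_admin_value[disable_functions]` is not recognised and would need a second pattern.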