Security Problem

Discussion in 'Installation/Configuration' started by Cracknel, Nov 15, 2008.

  1. _X_

    _X_ New Member

  2. Cracknel

    Cracknel New Member

    I've managed to make a php script (c99 shell) show my apache config file:

    cat echo /etc/apache2/apache2.conf

    i can't change directories, but i can guess paths. still more work to do.

    i'm going to check suphp tomorrow because it's 1:30am. from this mod's description looks like it could solve the problem.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    @_X_, please try to remove the allowoveride all, this should not be nescessary anymore now and allows to override all other security settings.

    @cracknel: and you are 100% sure that you configured it exactly as x described? The option you described does not work and thats why it is not integrated in ispconfig.
  4. _X_

    _X_ New Member

  5. sonoracomm

    sonoracomm New Member

    What about Joomla 1.5?

    Is this needed for Joomla 1.5 or need any changes?

    Thanks much,
  6. _X_

    _X_ New Member

    htaccess looks different for joomla 1.5, but you got it in installation so use that one.

    about Apache Directives (Optional): -change webXXX with your configuration

    <Directory "/var/www/webXXX/web">
    Options FollowSymLinks - if you put this here you can comment out line in htaccess
    php_admin_flag register_globals Off - dissables Register Globals - during installation you will have red On/Off so change it so it becomes green as i remember
    php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open" - dissables some php functions that are not used by majority of extensions
    php_admin_flag allow_url_fopen Off - dont know about this one
    php_admin_flag magic_quotes_gpc On - Magic Quotes option
    php_admin_value session.save_path "/var/www/webXXX/phptmp/" - this sets session folder inside open_basedir
    php_admin_value open_basedir "/var/www/webXXX/"

    if someone can explain this in more details please do so.

    I dont know if joomla 1.5 works with PHP safe mode enabled.
  7. _X_

    _X_ New Member

  8. sonoracomm

    sonoracomm New Member

    Thanks for the info.

    I did not enable Safe Mode for the Joomla 1.5 site, but I did add the Apache Directives as listed. I didn't enable Safe Mode because the Joomla installer called for it to be off and since I don't know Joomla that well and, well, because I'm basically chicken.

    It seems to be working without problems. I'll keep a lookout for anything broken, such as Joomla add-ons.

    Thanks vary much for helping me secure our ISPConfig server.

  9. _X_

    _X_ New Member

    only real problem u can have with this line:
    php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"

    it disables php functions so if your extension uses one of those you can have problems. on the other hand if you do have extension that uses these functions it can be considered to be dangerous extension so you should search for another extension that does the same job without compromiting security.
  10. sonoracomm

    sonoracomm New Member

    That sounds like good advice.

    Thanks again!


Share This Page