I installed ISPConfig and it is running very well. But I tested the security of the system with the c99shell.php security test script, and I can access all directories, for example / and others. It should only be able to access the directory /var/www/web1/. What is my problem? Please help. Thank you. Note: I researched this; the problem may come from open_basedir in php.ini, or from the web1 Apache conf.
Yes, when I enabled safe mode this code was added:

    php_admin_flag safe_mode On
    php_admin_value open_basedir /var/www/web1/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /var/www/web1/phptmp/
    php_admin_value session.save_path /var/www/web/phptmp/

But you must also add this code when safe mode is disabled, because otherwise the user is not jailed in their own directory:

    php_admin_value open_basedir /var/www/web1/

And Joomla does not support safe mode. I have no knowledge of suPHP; I must learn suPHP. Thank you. I manually edited /root/ispconfig/scripts/lib/config.lib.php so that open_basedir is enabled when PHP safe mode is disabled.
I think he is right. But I'd guess a bit more is needed here: either drop open_basedir completely or, the much better solution, have a text field where an admin may add specific paths for a web, which this web may then get access to. E.g. when using PEAR's php_ajax package, which needs libraries from the general PEAR store on the server (which is placed differently depending on the distro used).
I edited config.lib.php:

    if($web["web_php_safe_mode"]){
      $php .= "\nphp_admin_flag safe_mode On
    php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/
    php_admin_value session.save_path ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/";
    } else {
      $php .= "\nphp_admin_flag safe_mode Off
    php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."";
    }
    }
    } else {
      $php = "\nphp_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."";
    }

I added php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]." two times, but now php_admin_value open_basedir is added to all domains. I don't want this code added for one domain. How can I do this? I want it added to all domains except one, but my code adds it to all domains.
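One way to get "all domains except one" plus the extra per-web paths suggested earlier in the thread, as an added example that is not part of any post and not ISPConfig's own code: `build_php_directives()`, `$exemptWebs` and `$extraPaths` are hypothetical names, and the sample values are constructed. It ends every open_basedir entry with a slash, because PHP treats the value as a prefix and `/var/www/web1` without the slash also matches `/var/www/web10`.

```php
<?php
// Added example (assumption: called once per web while the vhost is written).
// build_php_directives(), $exemptWebs and $extraPaths are hypothetical names.
function build_php_directives(string $httpdRoot, int $docId, bool $safeMode,
                              array $exemptWebs = [], array $extraPaths = []): string
{
    // Trailing slash: open_basedir is a prefix match, so "/var/www/web1"
    // would also allow "/var/www/web10", "/var/www/web11", ...
    $webRoot = rtrim($httpdRoot, '/') . '/web' . $docId . '/';

    $lines = ['php_admin_flag safe_mode ' . ($safeMode ? 'On' : 'Off')];

    // Jail every web unless its doc_id is explicitly listed as exempt.
    if (!in_array($docId, array_map('intval', $exemptWebs), true)) {
        $allowed = [$webRoot];
        foreach ($extraPaths as $path) {
            // The value ends up in the Apache config: accept only plain absolute
            // paths, so no whitespace, newline, ':' or ".." can be smuggled in.
            if (preg_match('#^/[A-Za-z0-9._/-]+\z#', $path)
                && strpos($path, '..') === false) {
                $allowed[] = rtrim($path, '/') . '/';
            }
        }
        // ':' separates open_basedir entries on Unix-like systems.
        $lines[] = 'php_admin_value open_basedir '
                 . implode(':', array_unique($allowed));
    }

    // Same extra directives as the safe mode branch quoted in the thread.
    if ($safeMode) {
        $lines[] = 'php_admin_value file_uploads 1';
        $lines[] = 'php_admin_value upload_tmp_dir ' . $webRoot . 'phptmp/';
        $lines[] = 'php_admin_value session.save_path ' . $webRoot . 'phptmp/';
    }

    return "\n" . implode("\n", $lines);
}

// Constructed sample: web7 is the single exempt domain, web1 additionally
// gets a shared library directory; the injected path is rejected.
echo build_php_directives('/var/www', 1, false, [7], ['/usr/share/php']), "\n";
echo build_php_directives('/var/www', 7, false, [7]), "\n";
echo build_php_directives('/var/www', 2, true, [7], ["/tmp\nphp_admin_flag x"]), "\n";
```

An exempt web runs with no open_basedir at all, so its scripts can read whatever the web server user can read, including the other customers' directories.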
I am sending a PHP security control program. With it I can access all the other hostings and folders. Please help, and please test it; it is a very bad security risk. For example, I open a hosting account for a customer and this customer can access all the other hostings. It is very dangerous.