
(working) open_basedir security for (addon) domains.

likudio shared this idea 7 years ago
Open Discussion

...they say it's a new feature, but I see it as a bug.

In the current state, the open_basedir tweak seems to be useless, as it is being set to the user's folder (/home/usersfolder/) and not to the DocumentRoot of the domain (/home/usersfolder/public_html).

This means that a script from /public_html can do anything with any file from the user's folder. With addon domains, the situation is even worse. If we have an addon domain like "" which points to "/home/usersfolder/www_othersite", any script from "" can navigate without any restriction to any file in the user's folder; it does not get limited to its DocumentRoot as it should.

Basically... for addon domain, in httpd.conf we get this:

    php5_admin_value open_basedir "/home/usersfolder:/usr/lib/php:/usr/local/lib/php:/tmp"

instead of this:

    php5_admin_value open_basedir "/home/usersfolder/www_othersite:/usr/lib/php:/usr/local/lib/php:/tmp"

Details here:

Please vote for this as it is a security concern.
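
Added example, not part of the original post and not cPanel's code: a small Python audit that parses the VirtualHost blocks of an httpd.conf-style file and reports every vhost whose open_basedir lists a parent of its DocumentRoot, or sets no open_basedir at all. The sample config, the server names and the function names `directive` and `audit` are constructed for illustration; the directive values follow the two lines quoted above.

```python
import re
from pathlib import PurePosixPath

# Constructed sample (not from a real server); directive values follow the post.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
  ServerName broad.example
  DocumentRoot /home/usersfolder/www_othersite
  php5_admin_value open_basedir "/home/usersfolder:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName scoped.example
  DocumentRoot /home/usersfolder/www_othersite
  php5_admin_value open_basedir "/home/usersfolder/www_othersite:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName unset.example
  DocumentRoot /home/usersfolder/public_html
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name_pattern):
    """Return the unquoted value of the first matching directive, or None."""
    m = re.search(r'^[ \t]*' + name_pattern + r'[ \t]+"?([^"\n]+?)"?[ \t]*$',
                  block, re.M | re.I)
    return m.group(1) if m else None

def audit(conf):
    """List (ServerName, problem) for vhosts whose open_basedir exceeds DocumentRoot."""
    findings = []
    for block in VHOST.findall(conf):
        name = directive(block, "ServerName")
        docroot = directive(block, "DocumentRoot")
        basedir = directive(block, r"php\d*_admin_value[ \t]+open_basedir")
        if docroot is None:
            continue
        if basedir is None:
            findings.append((name, "open_basedir not set"))
            continue
        root = PurePosixPath(docroot)
        for entry in basedir.split(":"):
            # An entry that is an ancestor of DocumentRoot exposes sibling directories.
            if PurePosixPath(entry) in root.parents:
                findings.append((name, f"{entry} is above DocumentRoot {docroot}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONF):
        print(f"{name}: {problem}")
```

To check a live server, pass the contents of its Apache configuration file to `audit()` instead of `SAMPLE_CONF`.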

Replies (2)


I hope the cPanel team adds open_basedir to all PHP handlers in cPanel, because it's a major security issue when this option is not set: if a hacker could upload a PHP shell, he could browse any of the user's files above public_html, and maybe also outside files like /etc/passwd or /proc.


I agree, cPanel should fix this. I'm running SuPHP, and this is an example of the information a hacker can discover about the server:

And here is a temporary workaround that may work until cPanel fixes this issue:
