
(working) open_basedir security for (addon) domains.

likudio shared this idea 6 years ago
Open Discussion

...they say it's a new feature, but I see it as a bug.

In the current state, the open_basedir tweak seems to be useless, as it is being set to the user's folder (/home/usersfolder/) and not to the DocumentRoot of the domain folder (/home/usersfolder/public_html).

This means that a script from /public_html can do anything with any file from the user's folder. With Addon Domains, the situation is even worse. If we have an addon domain like http://www.othersite.com which points to /home/usersfolder/www_othersite, any script from http://www.othersite.com can navigate without any restriction to any file from the user folder; it does not get limited to its DocumentRoot as it should.


Basically... for www.othersite.com addon domain, in httpd.conf we get this:

  php5_admin_value open_basedir "/home/usersfolder:/usr/lib/php:/usr/local/lib/php:/tmp"

instead of this:

  php5_admin_value open_basedir "/home/usersfolder/www_othersite:/usr/lib/php:/usr/local/lib/php:/tmp"


Details here: http://forums.cpanel.net/f5/open_basedir-not-working-addon-domains-447591.html

Please vote for this as it is a security concern.
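As an added example (not part of the original request or of cPanel's own tooling), here is a small audit script that parses VirtualHost blocks and flags every vhost whose open_basedir is set to an ancestor of its DocumentRoot (the addon-domain situation described above) or is missing altogether. The httpd.conf fragment, host names and IP are constructed sample data.

```python
import re
from pathlib import PurePosixPath

# Constructed sample httpd.conf fragment (not from any real server): the main
# domain is scoped to its DocumentRoot, the addon domain only to the user's home.
SAMPLE_HTTPD_CONF = """
<VirtualHost 203.0.113.10:80>
    ServerName www.example.com
    DocumentRoot /home/usersfolder/public_html
    php5_admin_value open_basedir "/home/usersfolder/public_html:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName www.othersite.com
    DocumentRoot /home/usersfolder/www_othersite
    php5_admin_value open_basedir "/home/usersfolder:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|DocumentRoot)\s+(\S+)", re.M)
# Matches php_admin_value as well as versioned forms such as php5_admin_value.
BASEDIR_RE = re.compile(r'^\s*php\d*_admin_value\s+open_basedir\s+"?([^"\n]+)"?', re.M)


def audit_open_basedir(conf):
    """Map ServerName -> finding for each vhost whose open_basedir is wider
    than its DocumentRoot or missing; correctly scoped vhosts are omitted."""
    findings = {}
    for body in VHOST_RE.findall(conf):
        directives = dict(DIRECTIVE_RE.findall(body))
        name = directives.get("ServerName", "?")
        docroot = PurePosixPath(directives.get("DocumentRoot", "/"))
        match = BASEDIR_RE.search(body)
        if not match:
            findings[name] = "no open_basedir set; PHP may open any file the user can read"
            continue
        entries = [PurePosixPath(p) for p in match.group(1).split(":") if p]
        if docroot in entries:
            continue  # scoped to its own DocumentRoot, as it should be
        wider = [str(e) for e in entries if e in docroot.parents]
        if wider:
            findings[name] = f"open_basedir {wider[0]} is an ancestor of DocumentRoot {docroot}"
        else:
            findings[name] = f"DocumentRoot {docroot} is not covered by open_basedir at all"
    return findings


if __name__ == "__main__":
    for host, finding in audit_open_basedir(SAMPLE_HTTPD_CONF).items():
        print(f"{host}: {finding}")
```

Run it against a real httpd.conf by passing the file's contents to audit_open_basedir; the paths in /usr/lib/php, /usr/local/lib/php and /tmp are shared library and temp locations and are not treated as findings.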

Comments (2)


I hope the cPanel team may add open_basedir to all PHP handlers on cPanel, because it's a major security issue when this option is not set: if a hacker could upload a PHP shell, he can browse any files above public_html for the user, and also possibly files outside it like /etc/passwd or /proc.


I agree, cPanel should fix this. I'm running SuPHP, and this is an example of the information a hacker can discover about the server:

https://forums.cpanel.net/threads/interesting-data-cpanel-users-know-about-the-server.583502/


And here is a temporary workaround that may work until cPanel fixes this issue:

https://forums.cpanel.net/threads/suphp-and-open_basedir-together-for-improved-security.448482/
