(working) open_basedir security for (addon) domains.
...they say it's a new feature, but I see it as a bug.
In the current state, the open_basedir tweak seems to be useless, as it is being set to the user's folder (/home/usersfolder/) and not to the DocumentRoot of the domain folder (/home/usersfolder/public_html).
This means that a script from /public_html can do anything with any file from the user's folder. With Addon Domains, the situation is even worse. If we have an addon domain like "http://www.othersite.com" which points to "/home/usersfolder/www_othersite", any script from "http://www.othersite.com" can navigate without any restriction to any file from the user folder; it does not get limited to its DocumentRoot as it should.
Basically... for www.othersite.com addon domain, in httpd.conf we get this:
- php5_admin_value open_basedir "/home/usersfolder:/usr/lib/php:/usr/local/lib/php:/tmp"
instead of this:
- php5_admin_value open_basedir "/home/usersfolder/www_othersite:/usr/lib/php:/usr/local/lib/php:/tmp"
Details here: http://forums.cpanel.net/f5/open_basedir-not-working-addon-domains-447591.html
Please vote for this as it is a security concern.
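The following is an added example, not part of the original post or of cPanel's own tooling: a small Python audit that parses the `<VirtualHost>` blocks of an httpd.conf, compares each vhost's DocumentRoot with its `php5_admin_value open_basedir` list, and flags the two conditions the request describes: an open_basedir entry that is a proper ancestor of the DocumentRoot (the /home/usersfolder case above), or no open_basedir at all. The httpd.conf fragment is constructed for the example, and the IP, the second and third domain names and /home/otheruser are placeholders.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of the httpd.conf vhost blocks discussed in the post
# (not copied from a real server): the first addon domain carries the broad
# open_basedir the post complains about, the second is scoped to its own
# DocumentRoot, and the third has no open_basedir at all.
SAMPLE_HTTPD_CONF = """
<VirtualHost 203.0.113.10:80>
    ServerName www.othersite.com
    DocumentRoot /home/usersfolder/www_othersite
    php5_admin_value open_basedir "/home/usersfolder:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName www.mainsite.com
    DocumentRoot /home/usersfolder/public_html
    php5_admin_value open_basedir "/home/usersfolder/public_html:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName www.nobasedir.com
    DocumentRoot /home/otheruser/public_html
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
FIELD_RE = re.compile(r'^\s*(ServerName|DocumentRoot)\s+"?([^"\s]+)"?', re.M | re.I)
# Matches php_admin_value / php5_admin_value open_basedir lines.
BASEDIR_RE = re.compile(r'^\s*php\d*_admin_value\s+open_basedir\s+"?([^"\n]+)"?', re.M | re.I)


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block with the three fields we audit."""
    vhosts = []
    for block in VHOST_RE.finditer(conf_text):
        body = block.group(1)
        fields = {k.lower(): v for k, v in FIELD_RE.findall(body)}
        basedir = BASEDIR_RE.search(body)
        vhosts.append({
            "server_name": fields.get("servername"),
            "document_root": fields.get("documentroot"),
            "open_basedir": [p.strip() for p in basedir.group(1).split(":")] if basedir else None,
        })
    return vhosts


def is_within(path, base):
    """True when `path` equals `base` or lies somewhere beneath it."""
    p, b = PurePosixPath(path), PurePosixPath(base)
    return p == b or b in p.parents


def audit(conf_text):
    """Flag vhosts whose PHP scripts are not confined to their own DocumentRoot."""
    findings = []
    for vh in parse_vhosts(conf_text):
        docroot, basedir = vh["document_root"], vh["open_basedir"]
        if basedir is None:
            findings.append({**vh, "issue": "missing"})
            continue
        # Any open_basedir entry that is a proper ancestor of the DocumentRoot
        # lets scripts under this vhost read the whole tree above it
        # (other addon domains, mail, account data, ...).
        broad = [d for d in basedir
                 if PurePosixPath(d) != PurePosixPath(docroot) and is_within(docroot, d)]
        if broad:
            findings.append({**vh, "issue": "broader_than_docroot", "broad_entries": broad})
    return findings


def suggested_directive(vhost):
    """Rewrite the open_basedir line so the site's own entry is its DocumentRoot."""
    docroot = vhost["document_root"]
    # Keep the shared library and temp paths, drop any ancestor of the DocumentRoot.
    keep = [d for d in vhost["open_basedir"] or [] if not is_within(docroot, d)]
    return 'php5_admin_value open_basedir "%s"' % ":".join([docroot] + keep)


if __name__ == "__main__":
    for f in audit(SAMPLE_HTTPD_CONF):
        print(f["server_name"], f["issue"], f.get("broad_entries", ""))
        print("  suggested:", suggested_directive(f))
```

Run it against a real httpd.conf by replacing `SAMPLE_HTTPD_CONF` with the file's contents; for www.othersite.com it prints the second directive quoted in the post as the suggestion. Treat the output as a check rather than something to paste into httpd.conf by hand, since cPanel regenerates that file from its templates.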
I hope the cPanel team may add open_basedir to all PHP handlers on cPanel, because it's a major security issue when this option is not set: if a hacker could upload a PHP shell, he can browse any files above public_html for the user and also maybe outside files like /etc/passwd or /proc.
I agree, cPanel should fix this. I'm running SuPHP and this is an example of the information a hacker can discover about the server:
https://forums.cpanel.net/threads/interesting-data-cpanel-users-know-about-the-server.583502/
And here is a temporary workaround that may work until cPanel fixes this issue:
https://forums.cpanel.net/threads/suphp-and-open_basedir-together-for-improved-security.448482/