Closed. This question needs details or clarity. It is not currently accepting answers. Closed 7 years ago.
In the past, I've seen a cPanel account (with addon domains) get infected from an outdated WordPress installation and spread itself to other domains, since all addon domains were included under the public_html folder.
i.e.
/home/user/public_html/domain1.com
/home/user/public_html/domain2.com
I know that this can be prevented by purchasing a reseller cPanel account and having separate cPanel accounts for every domain, i.e.:
domain1: /home/user1/public_html/
domain2: /home/user2/public_html/
I was wondering if a PHP infection can spread when the directory tree is as follows:
/home/user/domain1.com/public_html/
/home/user/domain2.com/public_html/
Both domains have the same user; they are not sharing the same public_html folder, but they are sharing the same user.
Can an infection from /home/user/domain1.com/public_html/ take advantage of the user permissions and file ownership to be spread/copied to /home/user/domain2.com/public_html/?
Yes, the only thing special about the public_html directory is that it is the root directory the web server serves files from. But as far as the file system on the server is concerned, it is all the same.
The problem is not with public_html, but rather with file and directory permissions. A file run inside the "public_html" directory can still access files in its parent directory.
If the server that is hosting cPanel gives you the ability to remotely add files to a directory inside /home/user1, then your PHP files will also have access to it.
With PHP you can disable built-in functions such as chmod, and the ability to run shell commands, which will prevent a PHP script from changing the permissions of files/directories; this may be worth looking at. But in general it's better to isolate each site from the others to limit potential security vulnerabilities.
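A read-only check for the situation in this question, added here as an example (it is not code from the answer above): run from domain1's document root, it reports whether PHP under that vhost can reach the sibling site's tree. The sibling path is an assumption taken from the question's layout, and the vhost directives in the closing comment assume Apache with mod_php.

```php
<?php
// Added example, not from the answer above: a read-only check, run from
// domain1's document root, that reports whether PHP under this vhost can reach
// a sibling site's tree owned by the same Unix user. The sibling path is an
// assumption taken from the question's layout.
declare(strict_types=1);

function siblingAccessReport(string $siblingRoot): array
{
    // is_readable()/is_writable() honour open_basedir: a path outside the
    // allowed list yields false (plus a warning, silenced here) without
    // touching the file system.
    return [
        'open_basedir'      => ini_get('open_basedir') ?: '(unset)',
        'disable_functions' => ini_get('disable_functions') ?: '(none)',
        'sibling_readable'  => @is_readable($siblingRoot),
        'sibling_writable'  => @is_writable($siblingRoot),
    ];
}

$report = siblingAccessReport('/home/user/domain2.com/public_html');
header('Content-Type: text/plain');
foreach ($report as $key => $value) {
    printf("%-18s %s\n", $key . ':', is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}

// With the question's layout and no further hardening, the last two lines read
// "yes" whenever PHP runs as that same Unix user (suPHP, a shared php-fpm pool):
// nothing distinguishes domain1's script from domain2's files. Per-vhost
// settings that turn them to "no" (assumption: Apache with mod_php):
//   php_admin_value open_basedir "/home/user/domain1.com/:/tmp/"
//   php_admin_value disable_functions "system,exec,shell_exec,passthru,proc_open,popen,chmod,chown"
// open_basedir confines file access by path; disable_functions removes the
// shell and chmod functions the answer mentions. Both are PHP-level controls
// that a non-PHP CGI or an interpreter bug can bypass, so separate Unix users
// per site, as in the reseller layout, remain the only kernel-enforced isolation.
```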
Closed. This question needs details or clarity. It is not currently accepting answers. Closed 6 years ago.
The hosting I am using allows protecting files with username and password. Will it "break" something if I put password on a file that is included or required in many php pages of my site?
Assuming this is HTTP authentication, this provides no password protection on the filesystem so including files from the filesystem will not be affected. This also does not prevent files from being read from the filesystem by other users if they have the permissions to do so.
This will only display a password prompt to users who access the file path through the web server (http://).
If you actually have private files that you wish only to be included from your PHP script, then you can keep them out of the public_html (or web server root directory) completely.
For example:
app/private.php
public_html/index.php
Inside index.php:
<?php
// Resolve the path from this script's own directory rather than the current
// working directory, so the include still works if the script is run from elsewhere.
include __DIR__ . "/../app/private.php";
/* Other code */
?>
As app is outside the public_html directory, it will not be able to be served by the web server, but you can still include it from the filesystem.
Closed. This question is opinion-based. It is not currently accepting answers. Closed 7 years ago.
In which directory should script files for cronjobs be saved? Available to the public inside var/www/html, or better inside var/www/files, or ...?
Re-posting comments from above, for easier reference and clarity:
Why would you want to make cronjob script files available to the public? If you're distributing them, var/www/* would be a fine place to put them. If you're intending to run them on your server, put them somewhere that isn't public facing, like your /home directory.
Cron only needs its scripts to be in a directory it can access. While it can definitely access /var/www/, so can (potentially) the public; it depends on your configuration. If you're running Apache as your web server, then accessibility of any directory under the web root (usually, and likely in this case, /var/www) is configured by .htaccess files (or in a Directory block in your main server config). By default, all sub-directories and files are accessible. If you don't care about other people seeing your cron scripts, go ahead and put them in /var/www. Otherwise, put them somewhere else or change your server configuration.
The best way to do what you want is to create a new directory dedicated to saving the scripts, for example /var/www/html/scripts.
That way, people are able to see the scripts, and crontab can schedule them too.
Closed. This question needs to be more focused. It is not currently accepting answers. Closed 8 years ago.
I have 2 Linux boxes with the same version installed. The first one is used to host an Apache/Linux based web site and the second one is used to host user-supplied files.
The web server box can access the file server box using an internal IP address. When a user tries to upload a file using my PHP web site, I need to save this file in a specific folder on the file server box.
One option I found until now is to use PHP's FTP functions. Are there any other/better options to access folders/files that reside on a file server box from the web server box?
Thanks for any help!
- Jaideep
Configuring an NFS server on the file server, and mounting the exported directory on your web server, will make programming easier for you, because you can access the directory just as if it was local.
In an environment where you don't have professional system administration, I'd recommend against the NFS version however, because NFS needs some planning regarding synchronized user ids, and it doesn't always recover gracefully from a crash (although it should, in theory). From that point of view, FTP might be your best option.
Closed. This question is opinion-based. It is not currently accepting answers. Closed 9 years ago.
I'm concerned about security. I need to allow a specific group of users to upload documents and for all other users to download them.
Where or what folder is the best place to allow this to happen? I read that outside the root of the site is best but then I've read conflicting posts.
Thanks for any help.
It all depends what you need to be able to do with them once they are uploaded.
Outside the web root is definitely best but if you then need to be able to show those files on webpages, you will need to write a handler or just save them inside the webroot.
Ideally you should never allow untrusted users to upload any file to a server and should certainly never allow untrusted users to upload files into a webroot as they could then use your server to spread malware or upload files that can be executed on the server and take control of your server or site.
You should always ensure that the minimum number of file types possible are allowed for upload, so if a user is uploading an image, make sure they can only upload images.
I generally save files to a folder outside the web root (note, not just outside my site root, but outside of the actual web root directory). You only asked for advice on where best to store the files, but presumably you are taking other steps to make the uploaded files secure (like, changing the name of the file, changing the permissions on the file, etc). Good luck!
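The pattern the answers above describe (store outside the web root, restrict to the expected file type, rename, and serve through a handler), as an added example that is not the answerer's code. The storage path, the "images only" rule and the two URLs named in the closing comment are assumptions.

```php
<?php
// Added example, not the answerer's code: keep uploads outside the web root and
// serve them through a handler, as the answer above recommends. The storage
// path, the "images only" rule and the two URLs are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-uploads';   // assumption: outside every docroot, writable by the web user
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Validate one $_FILES entry, store it under a server-chosen name, return its id.
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Type is decided from the content, never from the client's name or MIME.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('only images are accepted');
    }
    $id   = bin2hex(random_bytes(16));   // 32 hex chars; the original name is discarded
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                  // readable by the web user, never executable
    return $id;
}

// Serve a stored file by id; the strict id check means "../" can never reach the path.
function serveUpload(string $id): void
{
    if (preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        foreach (ALLOWED as $mime => $ext) {
            $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
            if (is_file($path)) {
                header('Content-Type: ' . $mime);
                header('X-Content-Type-Options: nosniff');
                header('Content-Disposition: attachment; filename="' . $id . '.' . $ext . '"');
                readfile($path);
                return;
            }
        }
    }
    http_response_code(404);
}

// Assumed routing: POST to upload.php calls storeUpload($_FILES['doc']);
// GET file.php?id=<id> calls serveUpload($_GET['id'] ?? '').
```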
Closed. This question is off-topic. It is not currently accepting answers. Closed 10 years ago.
I have the following problem:
The website I made for a friend has been infected with malware. When I tried to clean it, by replacing files that I found to be different to the ones I uploaded, with my original files, after a short time, the files were different again. The file permissions are all 644, and the folders 755. It is as if the one who infected the files has access to change them whenever I change them back. Can anyone help me since I am very new to this kind of problems?
First things first: report this to your webhost immediately! Secondly change all of your relevant passwords!
That being done, there are a few possible causes:
Your parent webhost has been compromised, in which case there is nothing you can do except move to a better host.
Your website contains a vulnerability that is being picked up by kiddies with their vuln-scanners. Be sure to audit your code to ensure that no user action can result in your website's filesystem being touched inappropriately; also check for SQL injection avenues.
Your website uses a widely-distributed application, such as WordPress, that has not been patched - this is a major problem.
Your own PC has been compromised and ne'er-do-wells have used a keylogger or other software to discover your FTP or SSH account details, and are abusing your website. Run a local scan and audit everything to ensure your bank account isn't being raided either.
This isn't a code-related problem. This isn't the place for your question.
But: It's likely that a program is running on your server and re-infecting the files. I'd recommend either taking it to a professional malware removal service, or (my preference) burning the server in a fire and allowing a new server to rise from the ashes. Then install an AV suite on the new server.