Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I have LAMP installed in my server and I use virtualhosts to map domains to subdirectories. I need to allow my customers to upload files (including php) to their server using FTP.
The problem is that a customer using a domain xxx.com.br uploaded a file test.php and executed it like:
xxx.com.br/test.php
The content of test.php if file_put_contents("../../xxx.txt","teste") and it worked! The file xxx.txt was created 2 levels above his domain folder! How do I prevent this from happening?
Don't give the PHP process access to directories it isn't meant to reach.
That's kind of the point of the whole permission system.
In Linux, PHP will generally run as its own user, just make sure that user doesn't have read or write permission to any files you don't want exposed.
For this purpose exists open_basedir configuration directive. More information about it for example here.
Moreover it is good to use FastCGI which allows each script to be run under its owner. More information about it for example here.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
so we got hacked and from that we raised a question based on our logs. Can a hacker start uploading a file at one point and specify when should it stop uploading. I.e. we got a HIT from an IP address at 06:50:52 2020-06-19 and the file uploaded later on 2020-06-20. The file is 2Mb so no way it actually took a full day to upload or does it depend on PHP configuration. Also there is no indication on when the file was uploaded only the first HIT was logged.
The client may influence the speed the file is being uploaded. It depends on the configuration of your server whether you timeout such long lasting requests or not. See the slow loris attack example to see how things may work.
you have to find which vulnerabity got exploited. It can be anything from a reverse shell to the webserver gained throu some php vulnerable scripts ...to some WordPress bug. Look thru all the logs
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I am using hosting provided by 000webhost.com.
Root directory is: public_html
I set it's file attributes to 700 by using FileZilla ftp.
Also I set individual file permissions to 600.
public_html directory has only one file which is index.html.
Now even though I have set puclic permission to zero as evident from right-most zero in both 600 and 700. Still I am able to view file index.html by using web browser here is the link. Why is that? I thought last zero in 600 or 700 meant public would not be able to view file, what is happening now then?
Now, I think this is because the file is readable by your Apache user and it is Apache that is delivering the files to the browser. What is the ownership of the file/folder. Can you put these secure files outside the web root?
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
When making a php web site in dream weaver, does the site have to have htdocs folder ?
The problem I have is I have a domain www.whatever.com.
Once I created the index.php in dreamweaver, I hit the put button and it uploads just fine.
So the connection to my website from dreamweaver works.
But when I got to the website www.whatever.com , it shows an apache test page where I want the index.php to show.
The answer to your first question is "no". Every website functions differently and having a htdocs folder is not a requirement by any means.
I suggest trying to upload index.php to the root directory (folder). The "root" is basically the top level folder that you have access to on your hosting account. Then, if that doesn't work, keep trying folders until it does work. As other people suggested, the correct folder can be called "public", "public_html", "www" or something else.
Just be sure you remember where it is located for for future reference. And don't leave a bunch of index.php files scattered in various locations on your server or it could create problems on your website in the future.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I have some files in directory and sub directory in an open HTTP site
For Example:
http://example.com/directory/file1
http://example.com/directory/file2
http://example.com/directory/sub-directory/file1
http://example.com/directory/sub-directory/file2
http://example.com/directory/sub-directory2/file1
http://example.com/directory/sub-directory2/file2
I want to copy the full directory to my server.
I don't have SSH or FTP access to the http://example.com
I have tried transloader script which grabs only one file every time.
I need to copy the full directory exactly as is on the HTTP server to my new server.
Thanks
Use wget or curl:
wget -r --no-parent mysite.com
You are unable to do this. You can grab the content of the visual layer/GUI that the site provides to you, but you can not grab any of the "behind the scenes" pages which the site has. You wont be able to get any of the site which is doing the back end processing to create what you see on the front end.
The only way to do do this is if you have access to the directories on the site. By this, I mean when you go to the base directory, such as example.com/test/, it just gives a list of all possible files in that directory. As it stands though, most sites protect against it, therefore unless you have direct access, this is not doable as it would be entirely insecure and would create many headaches for development and privacy.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
If i write a file into /var/test, how can i access it through the website?
Because from having a look at the directories, the file needs to reside in /var/www/html/ so i can access it through the url.
for example if i were to write into /var/www/html/directory/file.txt all i'd need to do to access it is visit the following url:
www.example.com/directory/file.txt. But i'm not sure how to do this when writing to /var/test/file.txt.
Thanks to anyone who can help.
You can't access it via the website, unless you configure the server to allow it. Which is a good thing so your web server doesn't expose all of your files to the internet.
See the Documentroot and Alias Directives in the Web server configuration (assuming you're running apache).
this is a web-server setting, for apache see http://httpd.apache.org/docs/2.2/urlmapping.html