
When you add a new domain in some hostings (e.g. 000webhost or other hostings which DON'T USE cPanel), an entirely separate public_html is created (with a separate FTP login, etc.).

But with cPanel, all "addon domains" are created under the same account and same public_html folder. So, with PHP programming, from addon domain "account" I can easily access any other domains' FTP folders.

Is there a way to add a SEPARATE DOMAIN ACCOUNT in cPanel, or to restrict PHP from accessing higher directories? (This thread states there is no solution inside cPanel.)

Some people say that the solution is to set open_basedir and safe_mode inside php.ini and httpd.conf. Actually, that can be overridden by a hacker too. So, are MULTI-account hosting (like the above list) or reseller hosting the only solutions?

T.Todua
  • "cPanel" and "secure" never belong in the same sentence. Never. – André Borie Mar 05 '17 at 15:36
  • In fact, any "shared" hosting is inherently insecure, and more often than not administered by idiots. – André Borie Mar 05 '17 at 15:36
  • @AndréBorie Please, write a complete, reviewed answer; it will help much and I may check that as the accepted answer, if you give good reasons and arguments to let people know what you know. – T.Todua Mar 05 '17 at 18:05
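An added check (not code from the question or the answer) for the open_basedir setting the question mentions: drop it into one addon domain's document root and request it to see whether PHP on that vhost can still list the account's shared public_html and a sibling addon directory, which is the access the question describes. The directory layout and the `addon2` name are assumed placeholders for the account layout cPanel creates; as the question notes, open_basedir is only a PHP-level restriction and does not protect against a compromise of the server itself.

```php
<?php
// Added example, not from the original post. Assumes the cPanel layout the
// question describes: /home/<user>/public_html/<addon>/ for each addon domain.
// To confine one vhost with mod_php, the restriction goes in that vhost's
// Apache config (paths are placeholders):
//   php_admin_value open_basedir "/home/user/public_html/addon1/:/tmp/"
declare(strict_types=1);

/** Return the open_basedir entries PHP is enforcing (empty array = none). */
function openBasedirEntries(): array
{
    $raw = (string) ini_get('open_basedir');
    return $raw === '' ? [] : array_values(array_filter(explode(PATH_SEPARATOR, $raw)));
}

/**
 * Try to list a directory and report whether open_basedir (or filesystem
 * permissions) stopped us. PHP warnings are turned into the returned status
 * instead of being printed.
 */
function probeDirectory(string $path): string
{
    set_error_handler(static function (int $no, string $msg): bool {
        throw new RuntimeException($msg, $no);
    });
    try {
        $entries = scandir($path);
        return 'READABLE (' . count($entries) . ' entries)';
    } catch (RuntimeException $e) {
        return strpos($e->getMessage(), 'open_basedir') !== false
            ? 'BLOCKED by open_basedir'
            : 'BLOCKED (' . $e->getMessage() . ')';
    } finally {
        restore_error_handler();
    }
}

$self    = __DIR__;                 // e.g. /home/user/public_html/addon1
$parent  = dirname($self);          // the account's shared public_html
$sibling = $parent . '/addon2';     // placeholder: another addon domain's docroot

header('Content-Type: text/plain');
echo "open_basedir:  ", (implode(PATH_SEPARATOR, openBasedirEntries()) ?: '(not set)'), "\n";
echo "own docroot:   ", probeDirectory($self), "\n";
echo "shared parent: ", probeDirectory($parent), "\n";
echo "sibling addon: ", probeDirectory($sibling), "\n";
```

If the last two lines report READABLE, PHP on that vhost is not confined to its own directory and the question's concern applies as stated.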

1 Answer

Any server controlled by cPanel (or similar) is insecure. cPanel is a huge pile of internet-facing code running as root that appears to work while containing tons of yet to be found exploits. Chances are your server is already compromised thanks to one of those exploits, and given that cPanel hides away all the tools you'd use to check for compromise (server logs, etc) you have no way of knowing until it's too late (when a clueless customer calls you because they hosted an e-commerce site on your server and got their credit card numbers stolen).

Now, even if we assume cPanel itself is secure, "shared hosting" isn't. Even if file permissions are set up correctly, all it takes is a single kernel exploit to get root and then break out of your own account and go poking around other accounts' files.

The proper way to do "shared hosting" is to either not execute any code at all (purely static hosting is fine - all CDNs are essentially just that and they seem to be doing fine), or run every customer's code in a VM or even a dedicated machine (to protect against hypervisor exploits).

Of course, this VM-based solution isn't something your average cPanel (or equivalent) would do - it would require some custom code to create and tear down the VMs and then manage URL routing (the idea is to host all static content on the host, and have that host act as reverse-proxy to app servers in the VMs for any executable code).

André Borie
  • Excellent answer. Can you recommend me some such good shared hostings (secured) you know? Unfortunately you are right... A static hosting (to be safe) or dynamic (and always to be in a fear....:) – T.Todua Apr 16 '17 at 11:10
  • For static hosting check out Github pages. It's completely free as well. – André Borie Apr 16 '17 at 13:41
  • No, I use WordPress :( – T.Todua Apr 16 '17 at 15:10
  • That's an even bigger problem than cPanel if you asked me. Run away before it's too late. – André Borie Apr 16 '17 at 15:53
  • Andre, please, lead me into the details of what you mean about WordPress. Can you give me some thoughts/references about that, why you are saying that? Thanks in advance! – T.Todua Apr 16 '17 at 16:30
  • Endless vulnerabilities, one of the worst codebases I've ever seen (goes against pretty much all [best practices](http://www.phptherightway.com), legacy code, basically a huge mess), a toxic and stupid ecosystem of so-called "developers" that can't even make an SQL query without exposing themselves to injection, and to top it off a pretty awful language (though it's improving, and with a proper framework PHP is almost bearable). – André Borie Apr 16 '17 at 17:15
  • Can you recommend other secure CMS platforms that I can use easily, like I do with WP? – T.Todua Apr 17 '17 at 08:14
  • Check out Ghost. – André Borie Apr 17 '17 at 13:05