2

In a shared hosting I use (where I don't have access to httpd.conf files), I want PHP files in "MyTargetFolder" not to have the ability to access anything in upper directories.

It needs some configuration like OPEN_BASEDIR, SAFE_MODE, passthru, readfile, exec, system, shell_exec, escapeshellarg, escapeshellcmd, proc_close...

But here I have found OPEN_BASEDIR is said to be not a good solution. Also, SAFE_MODE is deprecated. What can be a solution?

Note: question was for "shared" hosting, not VPS or above.

T.Todua

1 Answer

2

If I understand you correctly, you are not trying to be a shared hosting provider, but you are using shared hosting, and want to restrict access for files inside one specific folder.

In that case, open_basedir would do exactly what you want.

If you are allowed to use .htaccess files, just create one in MyTargetFolder and put this line in it:

php_value open_basedir /var/www/

If you are not allowed to use .htaccess files, you would need to set the setting in every one of your PHP files inside MyTargetFolder:

ini_set("open_basedir", "/var/www/");

If you now have a PHP file in the folder with e.g. this line:

echo file_get_contents($_GET['x']);

A call to:

?x=../../../../../../etc/passwd

Would result in:

 Warning: file_get_contents(): open_basedir restriction in effect. File(../../../../../../etc/passwd) is not within the allowed path(s)

Please do note that remote files can still be accessed, e.g.:

?x=http://localhost/shell.php
tim

A main downside of this is that the .htaccess can itself be modified if the site is hacked, and the attacker just deletes that file and can access anything. So, I conclude that in shared hosting it's not possible to have it, unless there are some settings at the hosting panel level. – T.Todua Mar 08 '19 at 09:30
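
An added example, not part of the answer above or of any project's code: one way a PHP file inside MyTargetFolder can narrow open_basedir to its own folder at runtime and also refuse the remote-URL case that open_basedir does not cover. The `data` subfolder and the helper name `resolve_confined_path` are assumptions made for illustration.

```php
<?php
// Added example. Assumes this file lives in MyTargetFolder and that the files
// it may serve sit in a "data" subfolder (hypothetical name).

// Narrow open_basedir to this folder. The trailing separator limits it to the
// directory itself rather than to every path sharing the same prefix. At
// runtime the value can be tightened but not loosened again.
$base = realpath(__DIR__);
if ($base === false || ini_set('open_basedir', $base . DIRECTORY_SEPARATOR) === false) {
    http_response_code(500);
    exit('open_basedir could not be applied');
}

/**
 * Resolve a user-supplied name to a real file inside $root, or return null.
 * resolve_confined_path() is a hypothetical helper, not a PHP built-in.
 */
function resolve_confined_path(string $root, string $name): ?string
{
    // open_basedir only covers local paths, and allow_url_fopen cannot be
    // changed with ini_set(), so URL-style names (http://, ftp://, php://)
    // and NUL bytes are rejected here.
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '://') !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks. It returns false when
    // the file is missing or lies outside open_basedir.
    $real = @realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the root plus a separator so "data" never matches "data-old".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

$x = $_GET['x'] ?? '';
$path = is_string($x)
    ? resolve_confined_path($base . DIRECTORY_SEPARATOR . 'data', $x)
    : null;
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```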