I have done this. But I can still browse over the C:\ drive. I think this is because the local group "Users" has read rights on the C: drive. And somehow other users own this right? The user which I use for the website is not a member of this group. So can you remove the local group "Users" right completely from the C: drive without creating any problems? Or is this another problem?
Klaas de Vri...
4 Posts
PHP security issue
Feb 01, 2013 11:06 AM
Hope this is the correct forum for my question.
I have installed PHP on an IIS 7.5 Windows 2008 R2 shared hosting server. PHP works. But with a simple PHP script I can browse over the complete server. I can set open_basedir to the user's home directory by adding <add name="PHP via FastCGI" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\php54\php-cgi.exe|-d open_basedir=c:\inetpub\wwwroot\userwebsite" resourceType="Unspecified" /> to web.config. But the user can change web.config, so after changing this he can again browse over the complete server. So this is not the way to do this.
Can anyone tell me how I can keep the user in his own website directory?
JamieFurr
539 Posts
Re: PHP security issue
Feb 01, 2013 02:44 PM
Hi,
It is good practice to use FastCGI impersonation and limit the user account's access to the file system using NTFS permissions. You only want to give the user access to read and/or write the files and directories that it actually needs.
This will keep the user from being able to get to other directories on your server.
Here's a good article that explains in detail how to set this up.
http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/secure-content-in-iis-through-impersonation
And here is some other good information on securing PHP on IIS in general.
http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/secure-your-infrastructure-and-php-applications
MCSA, Network +, A+
Please 'Mark as Answer' if this post helps you.
OrcsWeb: Managed Windows Hosting Solutions
"Remarkable Service. Remarkable Support."
Klaas de Vri...
4 Posts
Re: PHP security issue
Feb 02, 2013 10:44 AM
JamieFurr
539 Posts
Re: PHP security issue
Feb 03, 2013 04:16 PM
Hi,
Typically you would add/create a new user specifically for this purpose and remove that user from the "Users" group. Then you would explicitly assign only the permissions that user requires on the files and directories to which the user needs access.
You will also need to set this user as the Anonymous User identity in IIS Manager, so that the new user is the one being impersonated.
Klaas de Vri...
4 Posts
Re: PHP security issue
Feb 03, 2013 05:42 PM
Hi Jamie,
Yes, I have done all of this. But any authenticated user gets the Users group's rights, as far as I can see. In the link you can see the image of the user group. No users are members; only two groups are on the Members tab by default.
JamieFurr
539 Posts
Re: PHP security issue
Feb 03, 2013 07:58 PM
Hi,
The easiest way may be to deny the anonymous user that you have created 'Full Control' permission at the root of C: and stop inheriting the deny permission only at their "home" directory level, where you want the user to have access. This will ensure that they are denied permission anywhere above their "home" directory.
Otherwise you could remove some of the default permissions at the root of C:, but that may cause other undesirable results.
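The two pieces of advice in this thread (a dedicated account set as the site's anonymous identity, then a Deny ACE at the root of C: that is lifted only at the site's own directory) as one added PowerShell script; this is an editor's example, not something posted in the thread, and the account name, site name and password are assumptions, while the home directory is the one from the original post.

```powershell
# Added example (not from the thread): one PHP site's anonymous account, kept out of
# the rest of C:\ by an inherited Deny ACE that is removed only at the site's directory.
$User     = "PHPWebUser"                     # assumed account name
$Password = "<set-a-strong-password-here>"   # placeholder, not a real value
$Site     = "Default Web Site"               # assumed IIS site name
$SiteRoot = "C:\inetpub\wwwroot\userwebsite" # home directory from the original post

# 1. A local account used only for impersonation, never for interactive logon.
net user $User $Password /add /passwordchg:no /expires:never
net localgroup Users $User /delete
# Removing the account from "Users" is not enough by itself: the local "Users"
# group contains "Authenticated Users" by default, so any logged-on account still
# inherits its read rights on C:\. That is why step 3 denies the account explicitly.

# 2. IIS handles this site's requests as the account (anonymous identity); with
#    fastcgi.impersonate = 1 in php.ini, php-cgi.exe applies that token to the
#    script's file access while the process itself still starts as the app pool identity.
& "$env:windir\system32\inetsrv\appcmd.exe" set config $Site `
    /section:anonymousAuthentication /userName:$User /password:$Password

# 3. Deny Full Control at the root of C:, inherited by every file (OI) and folder (CI).
#    icacls propagates this down the whole drive, which takes a while on a large disk.
icacls C:\ /deny "${User}:(OI)(CI)F"

# 4. At the site directory: break inheritance but keep a copy of the inherited ACEs,
#    drop the copied Deny ACE for this account, and grant only Modify below this point.
icacls $SiteRoot /inheritance:d
icacls $SiteRoot /remove:d $User
icacls $SiteRoot /grant "${User}:(OI)(CI)M"

# Reaching $SiteRoot through denied parent folders works because the "Bypass traverse
# checking" user right is granted to Everyone by default; do not revoke it.
# PHP's scratch paths (upload_tmp_dir, session.save_path) must also be writable by the
# account, so point them inside $SiteRoot or give those directories the step 4 treatment.

# 5. Check: the Deny ACE should be reported on a sibling path and be absent from $SiteRoot.
icacls C:\inetpub\wwwroot /findsid $User
icacls $SiteRoot
```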
Klaas de Vri...
4 Posts
Re: PHP security issue
Feb 04, 2013 04:59 PM