Partner and Community Forums
PHP security issue
Last post Feb 04, 2013 12:59 PM by Klaas de Vries
Feb 01, 2013 07:06 AM|Klaas de Vries|LINK
Hope this is the correct forum for my question.
I have installed PHP on a IIS7.5 Windows 2008R2 server shared hosting server. PHP works. But with a simple php script I can browse over the complete server. I can set open_basedir to the users home directory by add add name="PHP via FastCGI" path="*.php"
verb="*" modules="FastCgiModule" scriptProcessor="C:\php54\php-cgi.exe|-d open_basedir=c:\inetpub\wwwroot\userwebsite" resourceType="Unspecified" /> into web.config. But the user can change the web.config so after change this he can again browse over the complete
server. So this is not the way to do this.
Can anyone tell me how I can hold the user in his own website directory?
Feb 01, 2013 10:44 AM|JamieFurr|LINK
It is a good practice to use FastCGI impersonation and limit the user accounts access to the file system using NTFS permissions. You only want to give the user access to read and/or write to the files and directories that it actually needs.
This will keep the user from being able to get to other directories on your server.
Here's a good article that explains in detail how to set this up.
And here is some other good information on securing PHP on IIS in general.
Feb 02, 2013 06:44 AM|Klaas de Vries|LINK
Feb 03, 2013 12:16 PM|JamieFurr|LINK
Typically you would add/create a new user specifically for this purpose and remove that user from the "Users" group. Then you would explicitly assign ony the permissions that user requires to the files and directories for which the user needs access.
You will also need to set this user as the Anonymous User identity in IIS manager. So that the new user is the user that is being impersonated.
Feb 03, 2013 01:42 PM|Klaas de Vries|LINK
Yes I have done all of this. But any authenticated user gets users right as far I can see. On the link you can see the image of the user group. No users are member. Only two groups are default on the member tab.
Feb 03, 2013 03:58 PM|JamieFurr|LINK
The easiest wat may be to deny the anonymous userthat you have created 'Full Control' permisson at the root of C and stop inheriting the deny permission only at their "home" directory level where you want the user to have access. This will ensure that
they are denied permission anywhere above their "home" directory.
Otherwise you could remove some of the default permissions at the root of C, but that may cause other undesireable results.
Feb 04, 2013 12:59 PM|Klaas de Vries|LINK