disabling show_source()

Anon

I have a machine hosting a number of clients. I can run show_source() on one user and view files that belong to another user, this is very bad and a HUGE security hole.

The user just has to find out the directory names and they can access everything, mysql passwords, httpdaccess stuff, the whole nine yards.

So I have scrambled the directory names, but i need a better solution. Is it possible to disable show_source()?

mattw

That is a valid concern. I would say, put safe mode on...but I don't think that show_source is covered by safe mode. The only suggestion I have is to put it into the list of disabled functions. Then, if your clients need to show source, follow the suggestion for an alternative way to show source in this comment in the manual:

http://www.php.net/manual/en/function.highlight-file.php

Matt Wade
codewalkers.com

mattw

Ohh..forgot to tell you how to disable it 🙂

disable_functions = show_source

in you php.ini

Matt Wade
codewalkers.com

[deleted]

Ofcourse simply disabling show_source() is not a solution because PHP can also do include() require(), fopen, exec, system, passthru, fpassthru and backticks to open files. Disabling all those means you might aswell chuck PHP in the bin.

One safe method is to setup a seperate webserver environment for each client; one hardware-server running many copies of the webserver software, each under it's own userid. Then you can give ownership of the PHP files to the webserver's userid, and make the files read/write for the client and his apache-user, but unreadable for the other clients and their apache-users.