Pretty huge security hole..

**jaquatak** · 01-18-2004, 07:20 PM

open_basedir isn't set, and you can't set it through .htaccess.

If anyone plans on giving a friend a subdomain or something, they have access to all of their files.

**Tim** · 01-18-2004, 07:23 PM

If you create an FTP account for your friend, I believe they would have access to only that directory.

Tim

**jaquatak** · 01-18-2004, 07:26 PM

PHP functions like opendir and fopen can be used.

**jason** · 01-18-2004, 09:49 PM

If you need to restrict access like that, contact support and have them disable it in the <VirtualHost> directive of the Apache conf for your site. Personally, if it was enabled globablly on my server, it would break my site, as I store many parts of my site (and my subdomains) outside of public_html for security purposes. Having open_basedir unset isn't a "huge security hole" for the average user--its actually much more secure to not have it set for sites such as my own.

--Jason

**Vin DSL** · 01-19-2004, 03:55 AM

Originally posted by jason
Personally, if it was enabled globablly on my server, it would break my site...

OMG! Can you imagine, no GD, no fonts, no nothing...

**jaquatak** · 01-19-2004, 04:15 PM

Having open_basedir unset isn't a "huge security hole" for the average user--its actually much more secure to not have it set for sites such as my own.

Pardon my terrible wording.

If you need to restrict access like that, contact support and have them disable it in the <VirtualHost> directive of the Apache conf for your site.

Um, where would I find this?

**jason** · 01-19-2004, 08:42 PM

Originally posted by jaquatak
Um, where would I find this?

Support will need to set it up for you in for each of the subdomains you wish to restrict. Just open a support ticket and explain what you want to do and they should be able to do it without a problem. Its not something you'll be able to set up on your own.

--Jason

**jaquatak** · 01-20-2004, 04:01 PM

I assume you open a ticket somewhere in here:

https://secure.jaguarpc.com/jaguarpc/clients/

It won't let me log in there.

**Connie** · 01-20-2004, 04:32 PM

Originally posted by jaquatak
I assume you open a ticket somewhere in here:

https://secure.jaguarpc.com/jaguarpc/clients/

It won't let me log in there.

Try this:

http://www.jaguarpc.com/?loc=default

The page your pointing to is an old page. I wouldn't think it would make
a difference. I could sign in from that page but who knows.

**jason** · 01-20-2004, 08:53 PM

Your sign in is probably your full domain name and whatever your original password was when your account was set up, unless you've been here a while, in which case your site's login name and the client section login name may be the same. Some people have reported having to capitalize the first letter of the username as well.

--Jason

**jaquatak** · 01-21-2004, 04:11 PM

Neither work. And just conveniently, I didn't register the account myself, so I don't have the info for the lost pass thing. Ah, well. I'll just have to wait until the guy who registered the account gets on.

By the way, is five months considered a while?

**Vin DSL** · 01-21-2004, 05:19 PM

Heh! This is making less sense all the time...

**jason** · 01-21-2004, 09:24 PM

Originally posted by jaquatak
By the way, is five months considered a while?

I'm not sure when they started using domain names instead of usernames for the client section, but I think it was longer than 5 months ago. When the client section first went on line--I think it was about two years ago--they issued every then current client an account using the same usernames and passwords as we had for our sites. Then suddenly one day they switched to domain names.

--Jason

LinkBack

Thread Tools

Display

Pretty huge security hole..

Bookmarks

Bookmarks

Posting Permissions