Discussion in 'Apache Migration/Compatibility' started by DraCoola, Mar 14, 2009.

  1. DraCoola

    DraCoola Well-Known Member

    Dear All,

    I have set up LiteSpeed Enterprise to replace cPanel Apache (using suPHP in the past).
    With LiteSpeed I chose to use the old cPanel httpd.conf and then turned on PHP suEXEC through the LiteSpeed web interface in WHM.
    So that must be LSAPI + PHP suEXEC (secured), isn't that right?

    But strangely, when I test by chmod 777 index.php or even chown index.php to nobody:nobody, that index.php can still be accessed from the browser.
    It didn't throw any error 500 as it did on suPHP.
    That means: users are still able to sneak around and penetrate into other users' folders through a PHP shell (c99)?

    So my main question is: is PHP suEXEC with LSAPI secure?
    Or perhaps I have missed something on my setup?

    Any help regarding this question will be much appreciated.
  2. closet geek

    closet geek Well-Known Member

    suPHP and SuExec aren't the same thing. suPHP is a big patch to PHP itself, suExec just allows the lsphp processes to run under the username of the owner instead of "nobody".

    The best way for you to check this is to download the r57/c99 shell yourself and see if you can access files in other VirtualHosts. You shouldn't be able to (I'd hope) but I haven't tested this myself.
  3. DraCoola

    DraCoola Well-Known Member

    I have tested it myself with c99.
    It can still run ls and cat commands against other VirtualHosts (to find and read config.php).
    This is really great!!!

    What should I do to prevent this?

    Any help/suggestion would be useful for humankind's shared-hosting security on this planet.
  4. IrPr

    IrPr Well-Known Member
  5. DraCoola

    DraCoola Well-Known Member

    Smells like heaven there...
    Thank you IrPr, I'll check on that thread :)
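
Added example, not part of any post in this thread: a read-only audit of one account's document root for the two conditions tested in the first post (script owned by another user, chmod 777) and for the "other" permission bits that reading config.php from a different account depends on. It assumes each account's PHP runs under its own uid with no ACLs or shared groups; the function name `audit_docroot` and the output labels are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). audit_docroot is a constructed helper.
# Usage: audit_docroot OWNER DOCROOT
# Prints one "ISSUE path" line per finding; prints nothing when the tree is clean.
audit_docroot() {
    owner=$1      # account name or numeric uid the vhost is expected to run as
    docroot=$2    # the account's document root (path supplied by the caller)

    # With per-account suEXEC, another account's PHP process is "other" to
    # this tree, so it needs o+x on the directory to reach any file in it.
    find "$docroot" -prune -type d -perm -001 | sed 's/^/OTHER_TRAVERSABLE /'

    # First condition tested in the thread: script owned by someone else.
    find "$docroot" -type f -name '*.php' ! -user "$owner" \
        | sed 's/^/WRONG_OWNER /'

    # Second condition: writable by group or other (chmod 777 sets both).
    find "$docroot" -type f -name '*.php' \( -perm -020 -o -perm -002 \) \
        | sed 's/^/WRITABLE_BY_OTHERS /'

    # o+r on a PHP file is what lets a different account read config.php;
    # the owner's own PHP process only needs the owner read bit.
    find "$docroot" -type f -name '*.php' -perm -004 \
        | sed 's/^/OTHER_READABLE /'
    return 0
}
```

Static files served directly by the web server may still need group or other read access, which is why only `*.php` files are checked here.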
