PHP websites under LSPHP get HACKED all the time

#1
Hello, I have set up accounts on several well-known SHARED hosting platforms for low-traffic installations of well-known PHP-based software packages. I need to keep costs down because I am helping a non-profit organization with very tight budgets, especially in terms of long-term expenses.

On ALL of these shared hosting setups, the applications get HACKED in a matter of days or weeks - pretty much as soon as hackers find out about the website.

I investigated the causes and found THE MAIN CAUSE: LSPHPs on ALL these platforms run under the document root owner, effectively giving LSPHP 777 permissions. To confirm this, I posted a simple upload PHP script via SSH into PUBLIC_HTML folder and yes, it can upload files ANYWHERE, not only inside UPLOAD folder, but also anywhere inside PUBLIC_HTML and also ABOVE PUBLIC_HTML - into the document root, FTP folder, etc. Everywhere!!

The most shocking part is that the LS manual specifies that this is a correct setup by design. So once the hackers inject their code on the website, which LSPHP with its 777 permissions will gladly write anywhere under the document root, the hackers effectively own the entire document root.

The greatest mystery to me is how in the world this became even possible in 2023...
 
#2
Running as the docroot owner is normal. PHP sites commonly require write access to the filesystem. Visitors don't have write access, only the PHP scripts do. If your visitors are able to craft HTTP requests to those scripts to upload malicious files anywhere, that isn't LSPHP's fault. Perhaps that code has a known vulnerability, or is doing foolish things like failing to filter filetypes or not authenticating users properly. Maybe it's installed improperly with exposed config files, weak passwords, or something. There are many possible causes, but LSPHP by itself doesn't just grant visitors access to your filesystem like you seem to think it does.
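
An upload endpoint with the controls reply #2 lists (authenticated users only, file types filtered, destination fixed by the server rather than by the request) could look like this. It is an added example, not part of the thread and not LiteSpeed or hosting-provider code; the upload directory, the `user_id` session key and the `file` form field are assumptions.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the thread): uploads go to one fixed directory outside
// public_html, login state is in $_SESSION['user_id'], the form field is "file".
const UPLOAD_DIR = '/home/example/uploads';   // placeholder path
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [                          // detected MIME type => stored extension
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

function reject(int $status, string $why): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($why . "\n");
}

session_start();
if (empty($_SESSION['user_id'])) {
    reject(403, 'login required');            // anonymous visitors never reach the write
}

$f = $_FILES['file'] ?? null;
if (!is_array($f) || !is_int($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'upload failed');             // also rejects multi-file (array) submissions
}
if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'file too large or not an upload');
}

// Decide the type from the file's content, never from the client-supplied
// file name or Content-Type header.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ($mime === false || !array_key_exists($mime, ALLOWED)) {
    reject(415, 'file type not allowed');
}

// The server picks both the directory and the name, so the request cannot
// steer the write to another path or choose a .php extension.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    reject(500, 'could not store file');
}
chmod($dest, 0640);                           // readable by the owner, never executable
echo "stored\n";
```

Because the PHP process can still write wherever the account owner can, these checks are the only thing confining the upload; files stored this way are served back through a script rather than by direct URL.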
 