PHP
lightalex, 2017-09-22 22:51:52

How do I prevent PHP from crawling into directories above its own?

Hello
There was a task: to put WordPress in the blog directory (site.com/blog).
But I had a sad experience when, through a WP hole, they infected the entire hosting with a virus simply by climbing up the directory tree (it was a test hosting, so I didn't bother much with allocating a separate directory for the WP site).
This time it will not work to put WP up as a separate site; it will sit right next to the main site. Therefore I want to isolate the directory with WP, so that even if WP is broken, the files of the main site are not affected.
Question: how do I prevent PHP from climbing above its directory? How do I prevent everything that runs in the blog directory from leaving that directory?
Maybe .htaccess will help? Or maybe there is a simpler solution to the problem as a whole?


4 answers
Dmitry Dart, 2017-09-23
@gobananas

There is a fairly simple way through a site control panel like VestaCP or ISPManager. A separate user is created, a separate FTP account is created for him, we specify site.com/blog as the root directory, and that's it: he has nowhere to go from there, and neither do his scripts.

Alexander Aksentiev, 2017-09-22
@Sanasol

php.net/manual/en/ini.core.php#ini.open-basedir

a0lwq, 2017-09-23
@a0lwq

chroot
LXC
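The three answers above (a separate OS user, open_basedir, chroot) can be combined in one PHP-FPM pool dedicated to the blog. The pool file below is an added example, not something from the thread or from any of the answerers; the user name `blogwp`, the paths `/var/www/site.com/blog` and `/run/php/blog.sock`, and the process-manager numbers are assumptions to adapt to the real layout.

```ini
; Added example (not from the thread): a dedicated PHP-FPM pool for the blog,
; e.g. /etc/php/<version>/fpm/pool.d/blog.conf. Names and paths are assumed.
[blog]

; Answer 1 (separate user): the pool runs as its own OS user, so ordinary
; file permissions stop it from reading or writing the main site's files
; even if a PHP-level restriction is bypassed. Own the blog tree by this user
; and keep the main site's files unreadable to it.
user = blogwp
group = blogwp

; The web server (assumed to run as www-data) connects to this socket and
; forwards only site.com/blog/ requests to it.
listen = /run/php/blog.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Answer 2 (open_basedir): php_admin_value cannot be overridden later by
; ini_set(), .user.ini or .htaccess, unlike php_value. The trailing slash
; matters: "/var/www/site.com/blog" is a prefix and would also allow
; "/var/www/site.com/blog-old". /tmp/ is listed because uploads and sessions
; need a writable directory inside the allowed set.
php_admin_value[open_basedir] = /var/www/site.com/blog/:/tmp/
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp

; Related to answer 4's "control the launch of shell functions": a WordPress
; install normally needs none of these.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

; Answer 3 (chroot): PHP-FPM can chroot the pool itself. Once enabled, every
; path PHP sees (including open_basedir above) is relative to the new root,
; and anything PHP calls out to (sendmail, shared libraries, /etc/resolv.conf)
; must exist inside it. Left commented out until the layout is prepared.
;chroot = /var/www/site.com/blog
```

The open_basedir line gives the per-request PHP-level fence the question asks for; the separate user is what keeps the fence meaningful, because a file the process cannot read at the OS level stays unreadable even through a bug in PHP. When checking the result, a quick test from inside the blog directory is a script that tries to read a file one level up and confirms it fails with an open_basedir warning.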

xmoonlight, 2017-09-23
@xmoonlight

Maximum security is possible only if the blog engine is located above the www directory.
Access to the desired public directory (site.com/blog) is then provided from a single entry point, a request router: a php file or .htaccess rules.
The same applies to any other engine standing nearby.
1. To protect against attacks (incoming GET/POST requests, etc.): read here.
2. To control the launch of shell functions: php-security
3. Runkit Sandbox (to replace standard functions with your own): here
