Able to View & Download Other Client Domains Files via a Script
Able to View & Download Other Client Domains Files via a Script
Hi, recently, we uploaded a script, and we realized that we are able to view/ download other domains files within the same server. Note that other domains belongs to different accounts. In the URL, if we know the domains, we can access the files and download them.
Not sure if this is a loophole? And is there any ways to tackle this?
We are running on the latest VestaCP on Ubuntu 16.04.
Not sure if this is a loophole? And is there any ways to tackle this?
We are running on the latest VestaCP on Ubuntu 16.04.
-
tjebbeke
- Collaborator
- Posts: 783
- Joined: Mon May 11, 2015 8:43 am
- Contact:
- Os: CentOS 6x
- Web: apache + nginx
Re: Able to View & Download Other Client Domains Files via a Script
Which web template are u using?
It looks like the open_basedir is not set properly in your template.
It looks like the open_basedir is not set properly in your template.
Re: Able to View & Download Other Client Domains Files via a Script
Thanks for your kind reply.
Multiphp was setup following this guide, and templates from the link.
https://git.scit.ch/rs/VestaCP-MultiPHP
Can u advice how to tackle the open base dir issue?
Multiphp was setup following this guide, and templates from the link.
https://git.scit.ch/rs/VestaCP-MultiPHP
Can u advice how to tackle the open base dir issue?
-
tjebbeke
- Collaborator
- Posts: 783
- Joined: Mon May 11, 2015 8:43 am
- Contact:
- Os: CentOS 6x
- Web: apache + nginx
Re: Able to View & Download Other Client Domains Files via a Script
Vesta doesn't support 3the party scripts and multiple PHP versions. It is better to ask the author of the multi php selector to take a look at this problem.
Re: Able to View & Download Other Client Domains Files via a Script
Please check your template file inside of /usr/local/vesta/data/templates/web/apache2/php{version}.tpl, you should there have the following line:blueberry wrote:Thanks for your kind reply.
Multiphp was setup following this guide, and templates from the link.
https://git.scit.ch/rs/VestaCP-MultiPHP
Can u advice how to tackle the open base dir issue?
Code: Select all
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
Re: Able to View & Download Other Client Domains Files via a Script
Thanks for all your advice.
I've checked and the open base dir liner is in fact in the TPL files. But still with the File Manger tool, we managed to downloaded other clients/ domains files within the same server.
Any where else we can further check?
I've checked and the open base dir liner is in fact in the TPL files. But still with the File Manger tool, we managed to downloaded other clients/ domains files within the same server.
Any where else we can further check?
Re: Able to View & Download Other Client Domains Files via a Script
Can repoduce the bug on my systems, have opened a ticket to check as soon as I have some time left: https://git.scit.ch/rs/VestaCP-MultiPHP/issues/4blueberry wrote:Thanks for all your advice.
I've checked and the open base dir liner is in fact in the TPL files. But still with the File Manger tool, we managed to downloaded other clients/ domains files within the same server.
Any where else we can further check?
Re: Able to View & Download Other Client Domains Files via a Script
Try 750 permisions to home or public_html will work if you try access from diferent user.