Able to View & Download Other Client Domains Files via a Script

Posted: Tue Jun 06, 2017 10:46 am
by blueberry
Hi, recently we uploaded a script, and we realized that we are able to view/download other domains' files within the same server. Note that the other domains belong to different accounts. In the URL, if we know the domains, we can access the files and download them.

Not sure if this is a loophole? And are there any ways to tackle this?

We are running on the latest VestaCP on Ubuntu 16.04.

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Tue Jun 13, 2017 8:29 am
by tjebbeke
Which web template are you using?
It looks like the open_basedir is not set properly in your template.

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Tue Jun 13, 2017 8:48 am
by blueberry
Thanks for your kind reply.

Multiphp was setup following this guide, and templates from the link.

https://git.scit.ch/rs/VestaCP-MultiPHP

Can you advise how to tackle the open_basedir issue?

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Tue Jun 13, 2017 8:57 am
by tjebbeke
Vesta doesn't support 3rd-party scripts and multiple PHP versions. It is better to ask the author of the multi-PHP selector to take a look at this problem.

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Tue Jun 13, 2017 11:17 am
by ScIT
blueberry wrote:
Thanks for your kind reply.

Multiphp was setup following this guide, and templates from the link.

https://git.scit.ch/rs/VestaCP-MultiPHP

Can you advise how to tackle the open_basedir issue?

Please check your template file inside of /usr/local/vesta/data/templates/web/apache2/php{version}.tpl; there you should have the following line:

        php_admin_value open_basedir %docroot%:%home%/%user%/tmp
If not, please redownload the template files: https://git.scit.ch/rs/VestaCP-MultiPHP ... -templates

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Thu Jun 15, 2017 5:05 am
by blueberry
Thanks for all your advice.

I've checked and the open_basedir line is in fact in the TPL files. But still, with the File Manager tool, we managed to download other clients'/domains' files within the same server.

Anywhere else we can further check?

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Mon Jun 19, 2017 8:24 am
by ScIT
blueberry wrote:
Thanks for all your advice.

I've checked and the open_basedir line is in fact in the TPL files. But still, with the File Manager tool, we managed to download other clients'/domains' files within the same server.

Anywhere else we can further check?

Can reproduce the bug on my systems, have opened a ticket to check as soon as I have some time left: https://git.scit.ch/rs/VestaCP-MultiPHP/issues/4

Re: Able to View & Download Other Client Domains Files via a Script

Posted: Mon Jun 19, 2017 9:17 pm
by skamasle
Try 750 permissions on home or public_html; it will work if you try to access from a different user.
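The two mitigations discussed in this thread, the per-domain open_basedir line in the Apache PHP template and mode 750 on each account's home directory, are both things an admin can audit from a shell. The script below is an added example written for this page; it is not code from the thread or from the VestaCP-MultiPHP project. It builds a constructed sample tree under mktemp (two templates, two home directories) and checks each one; the template line and the %docroot%/%home%/%user% placeholders are the ones quoted above, while the directory names and the audit functions are assumptions for illustration. Two caveats worth keeping in mind while reading it: open_basedir only constrains PHP's own file functions, so it does nothing for non-PHP scripts or for a tool running as a privileged user, and the 750 mode only helps when each site's PHP actually runs under that account's user rather than as a shared web server user.

```shell
#!/bin/sh
# Added audit example; not code from the thread or from the VestaCP-MultiPHP project.
# Checks two settings discussed above on constructed sample data:
#   1. that an Apache PHP template carries the per-domain open_basedir line, and
#   2. that a home directory gives "others" no access (mode 750 or stricter).
# The template line and placeholders are as quoted in the thread; the sample
# tree (templates/, home/alice, home/bob) is created under mktemp.

# Returns 0 if the template has a php_admin_value open_basedir line whose value
# starts with the per-domain %docroot% placeholder, 1 otherwise.
check_open_basedir_template() {
    grep -Eq '^[[:space:]]*php_admin_value[[:space:]]+open_basedir[[:space:]]+%docroot%' "$1"
}

# Returns 0 if "others" have no permission bits on the directory (750, 700, ...),
# 1 otherwise. Reads the mode from ls -ld, columns 8-10, so it works on both
# GNU and BSD userland.
check_home_mode() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Builds the constructed sample tree: one restricted and one open template,
# one 750 and one 755 home directory. Prints the temp root for the caller.
make_fixtures() {
    root=$(mktemp -d)
    mkdir -p "$root/templates" "$root/home/alice" "$root/home/bob"
    printf '%s\n' \
        '<Directory %docroot%>' \
        '        php_admin_value open_basedir %docroot%:%home%/%user%/tmp' \
        '</Directory>' > "$root/templates/php7.0-restricted.tpl"
    printf '%s\n' \
        '<Directory %docroot%>' \
        '        AllowOverride All' \
        '</Directory>' > "$root/templates/php7.0-open.tpl"
    chmod 750 "$root/home/alice"
    chmod 755 "$root/home/bob"
    printf '%s\n' "$root"
}

# Walks the tree and reports every template or home directory that fails a
# check. Returns the number of findings (0 means everything passed).
audit() {
    root="$1"
    findings=0
    for tpl in "$root"/templates/*.tpl; do
        if check_open_basedir_template "$tpl"; then
            echo "OK      open_basedir present:  $tpl"
        else
            echo "FINDING open_basedir missing:  $tpl"
            findings=$((findings + 1))
        fi
    done
    for home in "$root"/home/*; do
        if check_home_mode "$home"; then
            echo "OK      others have no access: $home"
        else
            echo "FINDING world-accessible home: $home"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone run: build the fixtures, audit them, clean up.
root=$(make_fixtures)
audit "$root"
echo "findings: $?"
rm -rf "$root"
```

On a real VestaCP host you would point audit's two loops at /usr/local/vesta/data/templates/web/apache2/*.tpl and /home/* instead of the constructed tree; a template without the line, or a home directory that is world-readable, is the condition the thread is describing, and the audit exit status doubles as a count for cron or monitoring.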