|
I am hoping that someone might have some insight into an issue that I came across today while working on one of my clients websites that I am building for him. I was setting up a FileManager and Image uploader to be part of CKEditor for the backend updating of his website - - - when I entered var fileRoot = '/'; in the variable for the directory that I want to display for managing the files on his account, the complete file structure of my VPS ROOT displayed and I was able to traverse through all of the directories seeing and being able to access home (all cPanel accounts), root, usr, lib, etc.
Of course I have no intention of using that path for what I am doing - but this to me is a serious risk as anyone who has accounts on my VPS server could potentially use a similar script and have full access to my VPS root (accidentally or on purpose). Is there some setting that I am missing or need to change in my Apache settings to stop this from happening?
I presumed up until today, that only I can access my VPS Root and only access it with SSH using something like WinSCP or Putty - - - and yet low and behold I have been able to access it completely through a simple filemanager script that I wrote and placed in a cPanel account of one of my hosting clients. Does that make sense? The VPS that I have is unmanaged and the company offers no help when it comes to Apache configuration (if that is my issue) or other server software setup.
I have attempted all of the normal security features like making sure Fileprotect is enabled and in "Security Center" I have clicked on "Enable php open_basedir Protection." as well as several others that I have set previously.
|
