I have some security concerns about my IIS websites.
From PHP-files (FastCGI) on our server the scripts are able to read my system's root directory (c:\
), but even list the content of c:\windows
. What is more troublesome that I can even create directories in the root like this: mkdir('c:\asdasd');
, and it works without any problems; I can even read the other websites' directories (so actually maybe I could map the whole system's directory tree from a PHP script). I think that's a huge security problem. Noone should be able to read or write c:\
, or other hosted website's content.
I know there's the open_basedir directive in PHP, but I think setting this directive doesn't solve the problem as I could also use any other server languages to access the same mentioned directories.
The directory tree of my websites look like this:
c:\net\web\php\
|- website1
|- other
|- htdocs
|- website2
|- other
|- htdocs
|- website3
|- other
|- htdocs
|- ...
The websites' source files are in the htdocs
directory, so this is the "root" directory of these websites.
I just want to enable read/write permissions to the first parent directory of the website, like for example c:\net\web\php\website1
(so e.g. "c:\net\web\php\website1\other
" could be written, but c:\net\web\php\
should not be).
How can I restrict the access this way?
Thanks!
Run the programs concerned under a very restricted account - one that does not have write or execute permissions outside your web content location.