php-security

There are a lot of control panels available. There a serious php security issues that exist in most of those control panels. We have tested it with some major hosting control panels with the default settings and we can see the issues existed on all those control panels.

What is the issue?

The server configuration allows the users to read files outside the document root, which may result in sensitive information leaking out. Like,

  • Reading all system user's information from /etc/password file
  • Reading other virtual user's configuration files, database passwords
  • Reading emails of other users

Why this is affected?

The main reason is the way the hosting control panel configured the PHP handler. Most of them use the Apache HTTPD server as the web server with the handler options CGI, FCGI, and SUPHP. It is impossible to restrict PHP functionality on Apache while using these handlers. You can not use the mod_php flags along with these settings. Even if you limit it to a PHP.INI file, the user still can bypass it by uploading a local php.ini. So the only solution is to harden the php settings on the server level itself.

How can I test it, if my host is affected?

You may create a PHP file with the following on your website and call it. If it shows the system user details from /etc/passwd password file, your data is exposed.

<?php
echo  "<pre>";
echo file_get_contents("/etc/passwd");
echo 'Current script owner: ' . get_current_user()."\n";
echo "</pre>";
?>

So if you see the contents of the password file, you should ask your host to secure the php from accessing other files or else you need to move to a secured hosting control panel.

Is this a serious issue?

Well, some hosts say, you can only read it and you can't make any changes. But that is enough, the malicious user only needs to collect the data like a database user and password from a configuration.php file. So that he can access your database. So if you think this is a serious issue, then it is .

How we solved this issue?

We have the hardened PHP-FPM handler with Nginx, OpenLiteSpeed, and Apache with the proper settings. These settings are configured per virtual domain on the fpm-server level in the Eenos hosting control panel. So even if the user uploads a local php.ini with custom flags it cannot be changed. Eenos hosting control panel restricts the users to access the files only inside the home directory.

The updates for Nginx, PHP-FPM, and OpenLitespeed templates are available with version 0.1.3. We recommend doing an update using the following command,

/usr/local/eenos/bin/eenosupdate

Make sure you are using php-fpm handler as the default handler for your PHP with the following command.

/scripts/setupphp

There may be a workaround available on other control panels using customization or third-party software. So whatever control panel you use make sure your data is secured enough and nobody reads it.

400x400 - twitter -EEE

Eric Stephen

Sr.Software Engineer

Eric is a Senior software Engineer. He is a linux geek and have good knowledge in building custom Linux applications. He is also an expert python programmer.

Eenos is a modern high-performance hosting control panel. You can host your traditional websites and modern Fintech apps with Eenos. You can deploy your Artificial intelligence, Chatbot, and data analytics web apps on Eenos with one click.

Latest Promotions

Need Any Help? Or Looking For Custom Pricing

© Eenos.com . All Rights Reserved.