Announcement

Collapse
No announcement yet.

IIS for hosting

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • IIS for hosting

    Hi all!

    Well it is like this... I have 3 websites on my server 2003 with IIS6. I have enabled and installed PHP 5.
    Now my problem is, that if someone uploads PHP file browser onto any of 3 websites he is able to browse C:\ directory....
    Has anyone some suggestions how to restrict user with enabled PHP to his folder only?

    Thanks!

  • #2
    Re: IIS for hosting

    Is the 2003 server domain joined? I assume that you need to review the NTFS permissions. What credentials are used when uploading to IIS? Have you had to setup local accounts on the 2003 server?

    Comment


    • #3
      Re: IIS for hosting

      Hi!

      It`s inet server, without domain....
      I have 3rd party FTP server and FTP users that can upload to their folders only...
      But if they upload PHP file browsing script, they can see complete server structure....

      Comment


      • #4
        Re: IIS for hosting

        use ntfs permissions to allow the user (read/write) to his folder and deny permission to other folders

        Comment


        • #5
          Re: IIS for hosting

          Yah I will do exactly this...
          Create a group, deny it all except hosting folder and in this folder set permissions individually...

          Comment


          • #6
            Re: IIS for hosting

            I came it across once, and the solution is actually quite simple; Disable directory browsing in IIS.
            You can find an how to over here: http://blog.crowe.co.nz/archive/2006/03/18/603.aspx
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            Comment


            • #7
              Re: IIS for hosting

              Well thanks, but it is not that simple
              PHP can browse all dirs to which running user has priviliges...
              I had this disabled when I started

              Comment


              • #8
                Re: IIS for hosting

                ah sorry, didn't notice the PHP thing.
                You might want to have a look at the httpd.conf file.

                Then check the following part:
                DocumentRoot
                <Directory something >
                Options
                ...
                </Directory>
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"

                Comment


                • #9
                  Re: IIS for hosting

                  Umm I have IIS not apache

                  Comment


                  • #10
                    Re: IIS for hosting

                    Do you really need IIS?

                    Anyhow, can you re-check if you don't have enabled directory browsing within IIS. It's usually the setting which causes it.
                    Last edited by Dumber; 23rd May 2012, 16:35.
                    Marcel
                    Technical Consultant
                    Netherlands
                    http://www.phetios.com
                    http://blog.nessus.nl

                    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                    "No matter how secure, there is always the human factor."

                    "Enjoy life today, tomorrow may never come."
                    "If you're going through hell, keep going. ~Winston Churchill"

                    Comment

                    Working...
                    X