Author Topic: Access to root folders  (Read 6654 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Access to root folders
« on: November 23, 2020, 08:24:22 PM »
Any website hosted on VPS
Can access root folders
is there a solution

كن في الحياه كعابر سبيل واترك وراءك كل اثر جميل فما نحن في الدنيا الا ضيوف وما على الضيوف الا الرحيل

Offline
*****
Re: Access to root folders
« Reply #1 on: November 24, 2020, 11:01:16 AM »
Hi

Can you give us more details, in which module does this happen?

Offline
*
Re: Access to root folders
« Reply #2 on: November 24, 2020, 11:40:20 AM »
Hi josemnunez thank you for your reply
This happens in WordPress
By Plugin WP File Manager
details
Apache version: Apache/2.4.39
PHP version: 7.4.11 PHP-FPM is forced
MySQL version: 10.1.48-MariaDB
FTP version: 1.0.47
Web Servers: nginx-varnish-apache
Kernel Version: 3.10.0-1160.2.2.el7.x86_64



كن في الحياه كعابر سبيل واترك وراءك كل اثر جميل فما نحن في الدنيا الا ضيوف وما على الضيوف الا الرحيل

Offline
*
Re: Access to root folders
« Reply #3 on: November 27, 2020, 05:51:08 PM »
I want to hide all these folders from the hosting subscribers Is there a solution?
كن في الحياه كعابر سبيل واترك وراءك كل اثر جميل فما نحن في الدنيا الا ضيوف وما على الضيوف الا الرحيل

Offline
*
Re: Access to root folders
« Reply #4 on: November 27, 2020, 07:05:28 PM »
We have tested this on client servers and we don't get access to all that root, just the one in the user's account.

Maybe you should open a one-time support ticket to the CWP team to check your server. Maybe this is a misconfiguration of the server itself.
Partner de CWP

Hosting de calidad en Espaņa con soporte en Espaņol para CWP - https://www.coriaweb.hosting

Offline
*
Re: Access to root folders
« Reply #5 on: November 28, 2020, 11:44:23 PM »
I tried it on another server and the same problem, please watch the video and try

https://www.youtube.com/embed/1psCVRhJIeo
كن في الحياه كعابر سبيل واترك وراءك كل اثر جميل فما نحن في الدنيا الا ضيوف وما على الضيوف الا الرحيل

Offline
*
Re: Access to root folders
« Reply #6 on: November 29, 2020, 07:38:02 AM »
We have tested this on client servers and we don't get access to all that root, just the one in the user's account.

Maybe you should open a one-time support ticket to the CWP team to check your server. Maybe this is a misconfiguration of the server itself.

Hello,

First of all, I recommend the owner not to use such file manager plugins. Because with this type of add-ons; If a plugin, theme or special software is a security problem, they install malicious software on the server using this type of wp-file-manager plug-ins.

But I have an opinion like this;

Does this WP-FILE-MANAGER plugin work with shell logic? With Cloudlinux, if the necessary precautions are not taken on servers that do not install CageFS, you can access the root directory with shell files, although access is limited due to read and write permissions, it is a sufficient reason to cause damage.

The fact that I have ROOT access via PHP at the moment has not brought a different thought to my mind.

Re: Access to root folders
« Reply #7 on: November 29, 2020, 11:46:55 AM »
Looks to me like it's an amateur hoster misconfiguration, leaving backdoors wide open.  :-\
Most should know that Wordpress is a hacker's fest.

php.ini
Code: [Select]
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_openPlus jailkit.
Then tell lusers to stop installing risky plugins to WP.
Sorted.

You could also try
Code: [Select]
open_basedir = ~/But the implementation of this varies.
« Last Edit: November 29, 2020, 12:01:39 PM by cynique »

Offline
*****
Re: Access to root folders
« Reply #8 on: November 29, 2020, 01:49:02 PM »
this is not any serious type of security risk , it seems you can't edit other user files you need to configure openbasedir to prevent it to list view files/folders.
http://wiki.centos-webpanel.com/php-open_basedir
« Last Edit: November 29, 2020, 02:17:36 PM by Sandeep »

Offline
*
Re: Access to root folders
« Reply #9 on: November 29, 2020, 08:52:35 PM »
by using cwp secure kernel you would have much higher security limiting the access to user needed files only.
http://wiki.centos-webpanel.com/cwp-secure-centos-kernel
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
*
Re: Access to root folders
« Reply #10 on: November 30, 2020, 12:57:41 PM »
Thank you very much to everyone who contributed and provided solutions.
The problem was resolved by Sandeep reply
Solve the problem here
http://wiki.centos-webpanel.com/php-open_basedir
Thanks Sandee
كن في الحياه كعابر سبيل واترك وراءك كل اثر جميل فما نحن في الدنيا الا ضيوف وما على الضيوف الا الرحيل