[drupal-support] Multi-site's gaping security hole
Gerhard Killesreiter
killesreiter at physik.uni-freiburg.de
Tue Oct 25 12:57:51 UTC 2005
On Tue, 25 Oct 2005, Steve Dondley wrote:
> On a multi-site set up, it's a trivial matter for someone to create a
> node with some PHP code that takes a peak at another site's
> settings.php file. Example:
>
> <?php
>
> $file = file ( 'sites/example.com/settings.php' );
>
> foreach ($file as $key => $line) {
> print $line;
> print "<br />";
> }
>
> ?>
>
> What's the best practice for eliminating this problem?
What I do is to run each user's php process as fast-cgi and only link
their sites subdirectory form the main installation.
Cheers,
Gerhard
More information about the drupal-support
mailing list