[drupal-support] Multi-site's gaping security hole

Gerhard Killesreiter killesreiter at physik.uni-freiburg.de
Tue Oct 25 12:57:51 UTC 2005



On Tue, 25 Oct 2005, Steve Dondley wrote:

> On a multi-site set up, it's a trivial matter for someone to create a
> node with some PHP code that takes a peek at another site's
> settings.php file.  Example:
>
> <?php
>
> $file = file ( 'sites/example.com/settings.php' );
>
> foreach ($file as $key => $line) {
>  print $line;
>  print "<br />";
> }
>
> ?>
>
> What's the best practice for eliminating this problem?

What I do is to run each user's PHP process as FastCGI and only link
their sites subdirectory from the main installation.

Cheers,
	Gerhard
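
A way to audit a multi-site tree for the exposure discussed in this thread, as an added example that is not part of the original messages: it flags `settings.php` files that are world-readable or that share an owner with another site's file. It assumes each site's PHP runs under its own Unix account, as in the reply above; the function name and the output labels are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Drupal multi-site tree for
# settings.php files that another site's PHP code could read.
# Assumption: every site is meant to have its own Unix owner.
# Usage after sourcing this file: audit_settings /path/to/drupal

# audit_settings ROOT
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_settings() {
    root=$1
    findings=0
    owners=""
    for f in "$root"/sites/*/settings.php; do
        [ -f "$f" ] || continue

        # "Other" read bit set: any local account, including another
        # site's PHP process, can read the database credentials.
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "WORLD-READABLE $f"
            findings=1
        fi

        # Numeric owner is the third field of `ls -ln`.
        uid=$(ls -ln "$f" | awk '{print $3}')

        # Two sites owned by the same uid are readable by the same
        # per-user PHP process, so the separation does not hold.
        case " $owners " in
            *" $uid "*)
                echo "SHARED-OWNER uid=$uid $f"
                findings=1
                ;;
            *)
                owners="$owners $uid"
                ;;
        esac
    done
    return $findings
}
```

A clean result requires both conditions: no "other" read bit on any `settings.php`, and a distinct owner per site directory.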


