leeming Posted September 7, 2007 Share Posted September 7, 2007 I thought i would get this problem sooner or later, which is my host blocking access to other accounts. Such as, "/home/{user1}/www/file.php" trying include "/home/{user2}/www/file2.php". Both accounts are owned by me, and under a reseller so i thought that "owner" setting for CHMOD was for this. My question is, since i can not do this no more, is how can i still access this file from another user's area? would ftp do this, or would that just return the source in a string? My other idea was to run all the other accounts as addon domains. But this removes the option of having a cPanel for the users. The file which is included is a set of classes/functions, and is used by a few users (not just my accounts, but still under my reseller), so i am not really able to distribute this file for all the accounts to host them selves. Any ideas how i could do it, or extend on what ive suggested? Any help is welcomed Thank you Quote Link to comment https://forums.phpfreaks.com/topic/68397-cross-scripting-different-users-on-server/ Share on other sites More sharing options...
davidz Posted September 7, 2007 Share Posted September 7, 2007 Maybe this? http://us3.php.net/manual/en/function.include.php Look at example 16.7. Beware security problems... Quote Link to comment https://forums.phpfreaks.com/topic/68397-cross-scripting-different-users-on-server/#findComment-343878 Share on other sites More sharing options...
leeming Posted September 7, 2007 Author Share Posted September 7, 2007 Maybe this? http://us3.php.net/manual/en/function.include.php Look at example 16.7. Beware security problems... I think require/include could call an external script's code, since it will be compiled before sent to me? (because of the http request, instead of a full server path).** Any way my host has also disabled that also. But maybe i could fiddle around with ini_set() later. Edit: ** Ah yes, i reread the example, so i could add some random extension instead of php, and it would be included like any other text. I see where you are coming from with the security problem. Maybe if i set up a gateway type file to include which you need a password to get via, //to call include("http://site.com/dir/gateway.php?user=leeming&&password=123456"); //in gateway.php on other account if($_GET['password'] == $correct) { include("path/to/file.weird"); } else { //log some kinda of security alert? } edit 2: ah yes, but this still shows the source, defeats the purpose of not distributing it. Quote Link to comment https://forums.phpfreaks.com/topic/68397-cross-scripting-different-users-on-server/#findComment-343897 Share on other sites More sharing options...
leeming Posted September 7, 2007 Author Share Posted September 7, 2007 One thing holding me back from doing the addon domain way, is that users will not be able to use the cPanel. Not too bad as most of it is just shortcuts and easy steps for users (.htaccess shorcuts etc). But the other things such as creating mail accounts i have found in custom php classes. But... This is the thing which holds me back the most. I can not find any classes or a way of controlling the cron tabs. Does any one know if this is possible from outside of cPanel? I know how i could use a work around for regular tasks, such as per minute|hour|day|week|month, but nothing which allows custom cron tabs such as: 1pm, on 20th of month. davidz's idea sounded really good untill i saw the security flaw. I am unsure if any file or ftp functions can be worked in such a way to 'extract' these files and execute but not store. Quote Link to comment https://forums.phpfreaks.com/topic/68397-cross-scripting-different-users-on-server/#findComment-344046 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.