Running on production, you should really be using something like:
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
in your php.ini file. Allowing things like system or exec represents a real security flaw.
You also want to use something like:
php_admin_value open_basedir /var/www/site1.com/
in your Apache vHost conf, to prevent PHP from overstepping its desired boundaries...
As it stands, I could upload a PHP file as user1 to /var/www/site1.com/public_html/attacker.php, that contains:
<?php
// The mode must be octal (0777). PHP does not convert a decimal 777 for you:
// chmod("...", 777) would set mode 01411, not the world-writable directory intended here.
chmod("/var/www/site2.com", 0777);
?>
Then, open up my browser and navigate to http://site1.com/attacker.php. Apache would pass this off to PHP quite happily, run it, and as Apache owns /var/www/site2.com it is quite capable of changing the permissions.
Bam! user1 can now access /var/www/site2.com/, as well as anyone else with a user account on that machine. It could then hijack the site, creating new files to host bitcoin mining operations, sell Viagra, etc., etc.
Note: Even if you trust your users not to do anything malicious, there's no guarantee that a third party can't gain access to their account and do something like this. The best way to deal with it is to contain a compromised account, so it can't do too much damage to the system at large.
For more info, check out:
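As an added example (not part of the answer above), here is a small POSIX shell audit that checks whether a php.ini really disables every function in the recommended disable_functions list. It follows php.ini semantics a quick grep gets wrong: a commented-out `;disable_functions = ...` line (as shipped in stock php.ini files) counts for nothing, quoting and `, ` separators are normalised, and the last uncommented assignment wins. The two sample php.ini files it writes are constructed for the demo, and the required-function list is taken from the answer; nothing here is real server configuration.

```shell
#!/bin/sh
# Audit a php.ini for the disable_functions hardening recommended above.
# Exit 0 when every required function is disabled, 1 otherwise (missing ones printed).

# Functions the answer says must be disabled in production.
REQUIRED_DISABLED="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# Print the effective disable_functions value as a space-separated list.
# Comment lines (; or #) are dropped, the LAST uncommented assignment wins,
# quotes are stripped and commas/whitespace are normalised to single spaces.
get_disable_functions() {
    grep -v '^[[:space:]]*[;#]' "$1" \
      | grep -i '^[[:space:]]*disable_functions[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/^[^=]*=//' -e 's/["'"'"']//g' \
            -e 's/[[:space:],]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Compare the effective list against REQUIRED_DISABLED.
audit_disable_functions() {
    disabled=" $(get_disable_functions "$1") "   # padded so " name " matches whole words
    missing=""
    for fn in $REQUIRED_DISABLED; do
        case "$disabled" in
            *" $fn "*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "NOT disabled:$missing"
        return 1
    fi
    echo "all required functions disabled"
    return 0
}

# Write a constructed sample php.ini (not from any real server) and print its path.
# $1 = "hardened" (the answer's setting) or "default" (stock-style, mostly commented out).
write_sample() {
    f=$(mktemp) || return 1
    if [ "$1" = "hardened" ]; then
        cat > "$f" <<'EOF'
; hardened php.ini (constructed sample)
;disable_functions =
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
EOF
    else
        cat > "$f" <<'EOF'
; stock-style php.ini (constructed sample): a commented-out directive that
; must be ignored, followed by a partial, quoted one that is the real setting
;disable_functions = exec,passthru,shell_exec,system,proc_open,popen
disable_functions = "exec, system"
EOF
    fi
    echo "$f"
}

# Stand-alone demo: audit both constructed samples.
for kind in hardened default; do
    f=$(write_sample "$kind")
    printf '%s: ' "$kind"
    audit_disable_functions "$f"
    rm -f "$f"
done
```

Run it against a real server with `audit_disable_functions /etc/php/8.2/php.ini` (path is an assumption; use `php --ini` to find the loaded file). It only inspects the file, so it will not see a value overridden per vhost via php_admin_value; for that, check the output of `php -r 'echo ini_get("disable_functions");'` through the web SAPI.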