Question

How can it be, that I can list other web account folders of my provider?

<?php
    exec("ls /home/www/webXXX/html/", $list);
    var_dump($list);

To be precise: The webXXX is NOT one of my accounts!!


Solution

Your provider gave you (at least) read privileges over the directory webXXX.

If you're not supposed to go there that is a serious security problem.

Probably the provider's other clients can see your directory.

Edit:

Just to be more accurate about what I mean by "you".

It's actually the "user" the web server is running as that has those access privileges.

The web server is also configured to allow executing shell commands with php (not all providers allow this).

The consequence of the above two is that you can actually read (and probably write) in someone else's space.
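
A provider-side check for the condition this answer describes, added here as an example that is not part of the original answer: it flags account directories whose "other" permission bits let any local user, including the web server user, list or traverse them, then removes those bits. The function names and the web001 to web003 demo tree are constructed for illustration; it assumes one directory per account directly under a base path, with the web server reaching each account through group membership or a per-account PHP process rather than through the "other" bits.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: each account lives in a direct subdirectory of a base path,
# and the web server user is neither the owner nor in the group of
# directories that belong to other accounts.

# Print account directories under $1 whose "other" bits allow read (list)
# or execute (traverse).
audit_account_dirs() {
    base=$1
    find "$base" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) -print | sort
}

# Remove all "other" access from every account directory under $1.
lock_account_dirs() {
    base=$1
    find "$base" -mindepth 1 -maxdepth 1 -type d -exec chmod o-rwx {} +
}

# Constructed demo tree in a temporary directory (not a real hosting layout).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/web001/html" "$tmp/web002/html" "$tmp/web003/html"
    chmod 755 "$tmp/web001"   # listable by everyone: the case in the question
    chmod 750 "$tmp/web002"   # owner and group only
    chmod 711 "$tmp/web003"   # not listable, but traversable by others
    echo "Exposed before:"; audit_account_dirs "$tmp"
    lock_account_dirs "$tmp"
    echo "Exposed after:";  audit_account_dirs "$tmp"
    rm -rf "$tmp"
}

demo
```

Directory modes only cover the first of the two conditions in the answer; whether PHP may run shell commands at all is a separate setting on the provider's side.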

License: CC-BY-SA with attribution
Not affiliated with StackOverflow