Skip to main content
cPanel Technical Support has been heavily impacted by hurricane Beryl and our ability to respond to tickets has been hindered as a result. We appreciate your understanding and patience as we address these delays.

How can i disable php scripts to access files outside of domain root

Comments

4 comments

  • quietFinn
    It's probably a "shell backdoor", " A backdoor shell is a malicious piece of code (e.g. PHP, Python, Ruby) that can be uploaded to a site to gain access to files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site, or upload their own. "
    0
  • cPRex Jurassic Moderator
    And in general, cPanel servers can't access files outside of their own home directory unless there are serious permissions issues on the machine.
    0
  • kssuhesh
    I think this is one of the disadvantages of using add-on accounts. Even though the add-on is a separate domain, the username, and permissions are the same for both main and addon domains. So normally the hacker has access to addon domains as well. Like main domain /home/user/public_html and addon domain /home/user/addondomain/, both are accessible by the same user. Since Wordpress is the most commonly used CMS, the chances of getting hacked are high, so a better option is secure the site, keep monitoring and update it to the latest version to avoid getting hacked.
    0
  • sparek-3
    Is it possible to block scripts of website to access files outside of the root folder?

    You can't. That's the nature of an addon domain. While an addon domain may have a separate DocumentRoot from a primary domain name - it's all still owned by the same Linux server username. Anything that runs as that Linux server username can read/write anything else that is owned by that Linux server username.
    I think this is one of the disadvantages of using add-on accounts. Even though the add-on is a separate domain, the username, and permissions are the same for both main and addon domains. So normally the hacker has access to addon domains as well. Like main domain /home/user/public_html and addon domain /home/user/addondomain/, both are accessible by the same user.

    Well... that's the cost of doing business as an addon domain. If Bob has the primary website and Bob decides he wants another website without paying for another hosting account, then Bob can create an addon domain. Bob is expected to be the caretaker of both the primary website and the addon website. It is Bob's responsibility to keep both websites up-to-date and secure. However, if the scenario is that Bob has the primary website and Joe comes along and wants a website but doesn't want to pay for a hosting account and asks Bob to set up an addon domain. If Bob is relying on Joe to keep his website up-to-date and secure, then Bob's website is at the mercy of Joe's website upkeeping. That's really not the intent of addon domains.
    0

Please sign in to leave a comment.