Apache Web Server Forum

    
subdomain security question
therealgtron




msg:3817938
 5:40 pm on Jan 2, 2009 (gmt 0)

can files inside a subdomain access files outside the subdomain and vice versa?

say we create subdomain.example.com.
it creates example/public_html/subdomain.
so if files in example/public_html/subdomain/* are compromised,
can they affect example/public_html/*?

i remember one of our client's sites had an open source php web app and it injected code in all .php files on their site. so would putting that app in a subdomain have helped keep the rest of their site immune?

thanks in advance for any replies!

 

jdMorgan




msg:3818084
 9:27 pm on Jan 2, 2009 (gmt 0)

The answer depends on the filesystem set-up and on whether you have taken steps to prevent direct HTTP access to the subdomains' directories. For example, you should 301-redirect direct client requests for example.com/subdomain/<anything> to subdomain.example.com/<anything>. You must also configure the server to disallow any filesystem access by any scripts in a child directory of example.com's Web root directory to that root or to any sibling directory below the root. I believe this is done in the config files for the script interpreters, but I could be wrong on that point.

This is really not a very secure set-up, and I'd suggest calling in a security consultant or setting up the multiple subdomains on a host where you can define different virtual servers for each of them -- Generally, that means hosting on a virtual private server or a dedicated server.

"There's cheap, there's secure, and there's easy. Pick any two" -- An anonymous pundit

Jim
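
The two measures described in the reply above, sketched as an added example that is not part of the original post: a 301 redirect away from the directory path, and a per-directory PHP filesystem restriction. It assumes Apache 2.4 with mod_rewrite and mod_php; the /home/example/... paths and the tmp directory are constructed for illustration.

```apache
# Constructed example: paths, hostnames and the mod_php assumption are illustrative.

# Main site. Its document root physically contains the subdomain's directory,
# so example.com/subdomain/... would otherwise serve the same files.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/example/public_html

    # 301 direct requests for /subdomain/<anything> to the subdomain's own host.
    RewriteEngine On
    RewriteRule ^/subdomain(?:/(.*))?$ http://subdomain.example.com/$1 [R=301,L]

    <Directory /home/example/public_html>
        # Apache 2.4 access syntax; 2.2 uses Order/Allow instead.
        Require all granted
        AllowOverride None
    </Directory>
</VirtualHost>

# Subdomain, served from the child directory.
<VirtualHost *:80>
    ServerName subdomain.example.com
    DocumentRoot /home/example/public_html/subdomain

    <Directory /home/example/public_html/subdomain>
        Require all granted
        AllowOverride None

        # mod_php only: confine PHP file functions to this tree plus a private
        # temp directory. php_admin_value cannot be overridden from .htaccess
        # or ini_set(). The trailing slash keeps the prefix from also matching
        # sibling directories such as subdomain2/.
        php_admin_value open_basedir "/home/example/public_html/subdomain/:/home/example/tmp/subdomain/"
        php_admin_value upload_tmp_dir "/home/example/tmp/subdomain"
        php_admin_value session.save_path "/home/example/tmp/subdomain"
    </Directory>
</VirtualHost>
```

open_basedir limits PHP's own file functions only; it is not an operating-system boundary, so scripts that run as the same Unix user through another interpreter are not confined by it. Running each site under its own user account is the separation the virtual-server suggestion in the reply points toward.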

therealgtron




msg:3818107
 9:53 pm on Jan 2, 2009 (gmt 0)

thanks, that should get me started. it's on a dedicated server so it shouldn't be too hard to set up.
