
Apache Web Server Forum

subdomain security question

5+ Year Member

Msg#: 3817936 posted 5:40 pm on Jan 2, 2009 (gmt 0)

can files inside a subdomain access files outside the subdomain and vice versa?

say we create subdomain.example.com.
it creates example/public_html/subdomain.
so if files in example/public_html/subdomain/* are compromised,
can they affect example/public_html/*?

i remember one of our clients' sites had an open source php web app and it injected code in all .php files on their site. so would putting that app in a subdomain have helped keep the rest of their site immune?

thanks in advance for any replies!



jdmorgan (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member)

Msg#: 3817936 posted 9:27 pm on Jan 2, 2009 (gmt 0)

The answer depends on the filesystem set-up and on whether you have taken steps to prevent direct HTTP access to the subdomains' directories. For example, you should 301-redirect direct client requests for example.com/subdomain/<anything> to subdomain.example.com/<anything>. You must also configure the server to disallow any filesystem access by any scripts in a child directory of example.com's Web root directory to that root or to any sibling directory below the root. I believe this is done in the config files for the script interpreters, but I could be wrong on that point.

This is really not a very secure set-up, and I'd suggest calling in a security consultant or setting up the multiple subdomains on a host where you can define different virtual servers for each of them -- Generally, that means hosting on a virtual private server or a dedicated server.

"There's cheap, there's secure, and there's easy. Pick any two" -- An anonymous pundit



5+ Year Member

Msg#: 3817936 posted 9:53 pm on Jan 2, 2009 (gmt 0)

thanks, that should get me started. it's on a dedicated server so it shouldn't be too hard to set up.
