
Forum Moderators: Ocean10000 & incrediBILL & phranque


subdomain security question

5:40 pm on Jan 2, 2009 (gmt 0)

Junior Member

5+ Year Member

joined:Dec 5, 2007
posts: 42
votes: 0

can files inside a subdomain access files outside the subdomain and vice versa?

say we create subdomain.example.com.
it creates example/public_html/subdomain.
so if files in example/public_html/subdomain/* are compromised,
can they affect example/public_html/*?

i remember one of our client's sites had an open source php web app and it injected code in all .php files on their site. so would putting that app in a subdomain have helped keep the rest of their site immune?

thanks in advance for any replies!

9:27 pm on Jan 2, 2009 (gmt 0)

Senior Member

jdmorgan (WebmasterWorld Top Contributor of All Time, 10+ Year Member)

joined:Mar 31, 2002
votes: 0

The answer depends on the filesystem set-up and on whether you have taken steps to prevent direct HTTP access to the subdomains' directories. For example, you should 301-redirect direct client requests for example.com/subdomain/<anything> to subdomain.example.com/<anything>. You must also configure the server to disallow any filesystem access by any scripts in a child directory of example.com's Web root directory to that root or to any sibling directory below the root. I believe this is done in the config files for the script interpreters, but I could be wrong on that point.

This is really not a very secure set-up, and I'd suggest calling in a security consultant or setting up the multiple subdomains on a host where you can define different virtual servers for each of them -- Generally, that means hosting on a virtual private server or a dedicated server.

"There's cheap, there's secure, and there's easy. Pick any two" -- An anonymous pundit
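
The two measures described in the reply above, sketched as an added example that is not part of the thread or written by its posters. It assumes Apache 2.x with mod_rewrite and mod_php; the `/home/example/...` paths, the `tmp` directories and the `:80` listeners are placeholders modelled on the question.

```apache
# Main site: example.com
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/example/public_html

    RewriteEngine On
    # 301-redirect direct requests for example.com/subdomain/<anything>
    # to subdomain.example.com/<anything>, so the subdomain's files are
    # never served (or executed) under the parent host name.
    RewriteRule ^/subdomain(?:/(.*))?$ http://subdomain.example.com/$1 [R=301,L]
</VirtualHost>

# Subdomain: its document root is a child of the main site's web root.
<VirtualHost *:80>
    ServerName subdomain.example.com
    DocumentRoot /home/example/public_html/subdomain

    # open_basedir is the PHP setting that limits which paths PHP's
    # file functions (fopen, include, file_put_contents, ...) may touch.
    # The trailing slash matters: without it the value is treated as a
    # prefix and would also match e.g. .../subdomain_backup/.
    # php_admin_value cannot be overridden from .htaccess or ini_set().
    php_admin_value open_basedir "/home/example/public_html/subdomain/:/home/example/tmp/subdomain/"

    # Keep uploads and sessions inside the allowed tree; the defaults
    # usually point at a shared /tmp that open_basedir would now block.
    php_admin_value upload_tmp_dir    "/home/example/tmp/subdomain"
    php_admin_value session.save_path "/home/example/tmp/subdomain"
</VirtualHost>

# Each sibling subdomain gets its own <VirtualHost> with its own
# open_basedir in the same way, so siblings cannot read or write
# each other's files through PHP.
```

open_basedir constrains PHP's own file functions only; both hosts still run as the same operating-system user, so it does not constrain programs a script launches through exec() or system(). That remaining gap is what the separate virtual servers suggested in the reply close.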


9:53 pm on Jan 2, 2009 (gmt 0)

Junior Member

5+ Year Member

joined:Dec 5, 2007
votes: 0

thanks, that should get me started. it's on a dedicated server so it shouldn't be too hard to set up.