subdomain security question

Forum Moderators: phranque

Message Too Old, No Replies

subdomain security question

therealgtron

5:40 pm on Jan 2, 2009 (gmt 0)

can files inside a subdomain access files outside the subdomain and viceversa?

say we create subdomain.example.com.
it creates example/public_html/subdomain.
so if files in example/public_html/subdomain/* are compromised,
can they affect example/public_html/*?

i remember one of our clients sites had an open source php web app and it injected code in all .php files on their site. so would have putting that app in a subdomain helped keep the rest of their site immune?

thanks in advance for any replies!

jdMorgan

9:27 pm on Jan 2, 2009 (gmt 0)

The answer depends on the filesystem set-up and an whether you have taken steps to prevent direct HTTP access to the subdomains' directories. For example, you should 301-redirect direct client requests for example.com/subdomain/<anything> to subdomain.example.com/<anything>. You must also configure the server to disallow any filesystem access by any scripts in a child directory of example.com's Web root directory to that root or to any sibling directory below the root. I believe this is done in the config files for the script interpreters, but I could be wrong on that point.

This is really not a very secure set-up, and I'd suggest calling in a security consultant or setting up the multiple subdomains on a host where you can define different virtual servers for each of them -- Generally, that means hosting on a virtual private server or a dedicated server.

"There's cheap, there's secure, and there's easy. Pick any two" -- An anonymous pundit

Jim

therealgtron

9:53 pm on Jan 2, 2009 (gmt 0)

thanks, that should get me started. it's on a dedicated server so it shouldn't be to hard to set up.