PHP issue on Windows server
Date: 06/13/07
(PHP Community) Keywords: php, security, web
Windows 2003 server with the latest updates
PHP v5.2.0
I have the following setup:
In...
D:\FTPRoot\Data
there are logon names in there, which are linked to their accounts, i.e. when they log on via FTP they go straight to their own directory, i.e.
D:\FTPRoot\Data\USERNAME
Each directory has its security set to the user's own account, i.e.
USERNAME (SERVER\USERNAME)
Recently, one of the users did something naughty and wrote some code that can see someone else's directory and put some randomly generated files in there. The code in question is:
$opFile = "./../username1/hello" . $random . ".txt";
Obviously I'm not going to post the full code but this should be a start.
As you can see, the user managed to write some files into someone else's directory, even though their security setup doesn't allow it, which I suspect is because of a 'system' account. However, under the "D" drive there is no "SYSTEM" account; it has been totally removed. The only things left are
Administrator
CREATOR OWNERS
and D:\FTPRoot\Data has its security set up as:
Administrator
CREATOR OWNERS
FTP User Admin (FTP admin access for webmasters)
IIS_WPG
Internet Guest Account
In php.ini I also have this line:
disable_functions = "phpinfo, passthru, system, popen, escapeshellarg, escapeshellcmd"
But it is not working.
So, what am I missing and how do I stop these pesky users from doing this?
Many thanks
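An added example of the two controls that actually bound file access here (not the poster's code): the `open_basedir` setting, which limits which paths PHP file functions may touch, and a containment check for paths built from user input. It assumes the per-user layout D:\FTPRoot\Data\USERNAME from the post; `safe_join` and the directory names are illustrative.

```php
<?php
// Added example, not the poster's code. Under IIS, PHP runs as the
// worker-process identity (IIS_WPG / the app pool), not as the FTP user,
// so NTFS ACLs on the user's account do not stop a script walking into
// ..\otheruser. disable_functions only blocks named functions; it does
// not limit where fopen()/file_put_contents() may write. open_basedir does.
//
// php.ini (better: a per-site value; Windows separates entries with ';'):
//   open_basedir = "D:\FTPRoot\Data\USERNAME;C:\Windows\Temp"

/**
 * Resolve $relative against $root without touching the filesystem
 * (the target file may not exist yet) and refuse anything that would
 * escape $root. Returns the normalized absolute path, or null on escape.
 */
function safe_join(string $root, string $relative): ?string
{
    // Windows accepts both separators; normalize to backslash.
    $root = rtrim(str_replace('/', '\\', $root), '\\');
    $relative = str_replace('/', '\\', $relative);

    // Reject empty, rooted, or drive-qualified user-supplied parts.
    if ($relative === '' || $relative[0] === '\\' || preg_match('/^[A-Za-z]:/', $relative)) {
        return null;
    }

    $parts = [];
    foreach (explode('\\', $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                  // ignore empty and current-dir segments
        }
        if ($seg === '..') {
            if (empty($parts)) {
                return null;           // attempt to climb above $root
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return $root . '\\' . implode('\\', $parts);
}

// Constructed inputs: one path that stays inside the user's own root,
// and the traversal pattern quoted in the post.
$root = 'D:\\FTPRoot\\Data\\username2';
var_dump(safe_join($root, 'uploads/hello123.txt'));
var_dump(safe_join($root, './../username1/hello123.txt'));
```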
Source: http://community.livejournal.com/php/571097.html