One application for multiple sites, maintainability vs security
#9

Randy Casburn
@mvdg27 -- I would be fearful of some very simple PHP functions. Such as glob(). Under the configuration as you've described, any user with any CMS account can glob() any other user's files, can then readdir(), can fopen() those files, change the contents, when they are executed who knows what would happen, etc.

Have I misunderstood what you've said?

Quote: As some people pointed out to me: you can restrict the open_basedir for each client account, but in the end the CMS account can access any account, and therefore creates a security leak.

AND

- different clients will be able to access each other’s files, through the disabled basedir restriction on the CMS account.

Randy
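
The exposure discussed in this post can be checked from the server configuration. The following is an added example, not part of the original thread: a Python audit that reads Apache virtual host blocks and reports every account whose PHP file functions can reach another account's document root. The host names, paths and the `php_admin_value open_basedir` layout in the sample are constructed assumptions.

```python
import os
import re

# Constructed sample: two client vhosts plus a shared CMS vhost with no restriction.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName client-a.example
    DocumentRoot /var/www/client_a
    php_admin_value open_basedir /var/www/client_a/:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName client-b.example
    DocumentRoot /var/www/client_b
    php_admin_value open_basedir /var/www/client_b/:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName cms.example
    DocumentRoot /var/www/cms
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return {ServerName: (DocumentRoot, open_basedir entries or None)}."""
    hosts = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M).group(1)
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", block, re.M).group(1)
        m = re.search(r"^\s*php_admin_value\s+open_basedir\s+(\S+)", block, re.M)
        hosts[name] = (root, m.group(1).split(":") if m else None)
    return hosts

def allows(entry, path):
    """True if one open_basedir entry covers path. An entry without a trailing
    slash is read as a string prefix (the broader, older PHP behaviour)."""
    path = os.path.normpath(path)
    if entry.endswith("/"):
        return (path + "/").startswith(os.path.normpath(entry) + "/")
    return path.startswith(entry)

def audit(conf):
    """List (vhost, other) pairs where vhost's PHP can reach other's docroot."""
    hosts = parse_vhosts(conf)
    findings = []
    for name, (_, basedir) in hosts.items():
        for other, (other_root, _) in hosts.items():
            # No open_basedir at all leaves glob()/fopen() unrestricted.
            if other != name and (
                basedir is None or any(allows(e, other_root) for e in basedir)
            ):
                findings.append((name, other))
    return findings
```

On the sample, only the CMS vhost is reported, once for each client docroot it can reach.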


Messages In This Thread
One application for multiple sites, maintainability vs security - by El Forum - 07-22-2008, 10:36 AM


