I have a concern of a vulnerability of one site providing access to others.
I have a few small local community sites using 1and1 as my provider. As I was adding a new site I pick up on something that makes me a bit uncomfortable. I was setting up the backup-migrate and when setting the default backup location I used ../backup. As before this worked but then I realized that php from one domain access could access another domain's folder. Below is similar to my folder configuration.
~/websites/domain1 <- www.domain1.com
~/websites/domain2 <- www.domain2.com
~/websites/domain3 <- www.domain3.com
This is over simplified but it would appear that php running under domain1 can reach the parent directory and I would presume it could reach any of the directories I have access to.
Assuming the above is true then all someone would have to do is to find a vulnerability (or a rogue developer) where they could inject their own php code and gain access to all that I have access to.
If what I have proposed is true then what precautions can I take. If this is not possible please point out the flaw in my logic.
Thanks.
Jon
