vB security question: others with ftp access


Tommy Gun
Thu 28th Sep '06, 5:16pm
We have a server with our forum on it. We offer webspace for some of our members if they want to make a site. This is raw webspace, php is allowed, etc., although they only have access to their folder (oursite.com/whatever).

My question is, since this is all on the same server, wouldn't it be possible for someone to write a php script to grab the contents of the vB config file, which would give them the database username/password? Then they could access the database directly?

Am I forgetting about something in vB that secures it from this? If not, is there something I can do to protect it? I have cpanel access, not total control over the server, and I don't want to disable php for everyone anyway. Is there anything else I should know?

Colin F
Thu 28th Sep '06, 5:44pm
They could access your details, so what you're doing is rather insecure.
Web hosts set up different users that only have access to specific directories, but it seems you can't set up those, as you don't have enough access.

Possibly you can switch your account to a 'reseller' account, which should work better for your situation.

Tommy Gun
Thu 28th Sep '06, 6:15pm
Thanks. I'm friends with the person who owns the server, so we could maybe work something out, or maybe just get a separate domain name for the user sites (then use "addon domain" in cpanel). That would treat it as a separate account, so it should be secure, yes?

It would still be on the same server and account (oursite.com/usersites/whatever) but it would appear as (newdomain.com/whatever).

Colin F
Thu 28th Sep '06, 6:31pm
I don't think a new domain would be enough to be honest.

Tommy Gun
Thu 28th Sep '06, 7:31pm
Really? I'm pretty sure it's treated as a whole separate account, despite being an addon domain. So if they did something like "../../forum" to get to our forum, it would be on the other domain and wouldn't find anything.

Colin F
Fri 29th Sep '06, 6:05am
But with addon domains in cPanel you can usually also call up the files using http://www.maindomain.com/addondomainfolder/ as far as I know.

Also, the server doesn't really care what domain a file is on, it cares what user has access to the file in the filesystem, and with an addon domain that would be the same user.
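An added example (not part of the thread) of the filesystem-user check Colin is describing, as a shell script run from the hosting account itself: it reports a file's owner and permission bits and whether users other than the owner could read it. It assumes GNU `stat` on Linux and that you substitute the path of your own vB config file for the placeholder.

```shell
# Added example: audit whether a file such as vBulletin's includes/config.php
# is readable by anyone other than its owner. Assumes GNU coreutils `stat`.

config_mode_bits() {
    # Print the octal permission bits of a file, e.g. 644 or 600.
    stat -c '%a' "$1"
}

config_owner() {
    # Print the numeric uid that owns the file.
    stat -c '%u' "$1"
}

# Return 0 if only the owner can read the file (no group/other read bit),
# 1 if group or other can read it, 2 if stat failed.
config_is_private() {
    mode=$(config_mode_bits "$1") || return 2
    # The last two octal digits are group and other; the read bit is 4.
    group=$(( (mode / 10) % 10 ))
    other=$(( mode % 10 ))
    if [ $(( group & 4 )) -ne 0 ] || [ $(( other & 4 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Report on one file: owner, mode, current uid, and what that means for
# other people's scripts on the same server.
audit_config() {
    path=$1
    [ -f "$path" ] || { echo "no such file: $path"; return 2; }
    printf 'file:  %s\nmode:  %s\nowner: uid %s (you are uid %s)\n' \
        "$path" "$(config_mode_bits "$path")" "$(config_owner "$path")" "$(id -u)"
    if config_is_private "$path"; then
        echo "group/other cannot read it: only processes running as uid $(config_owner "$path") can"
    else
        echo "WARNING: group/other can read it: a PHP script running as any other user on this server can read the database password"
    fi
    echo "NOTE: a script running as the SAME uid reads it regardless of mode; a separate account (uid) is the only fix for that"
}

# Usage (placeholder path, replace with your own):
# audit_config /home/youraccount/public_html/forum/includes/config.php
```

The closing NOTE is the point of Colin's post: an addon domain served from the same account does not change the uid, so mode bits alone do not separate your members' scripts from your config file.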

Tommy Gun
Fri 29th Sep '06, 2:42pm
But with addon domains in cPanel you can usually also call up the files using http://www.maindomain.com/addondomainfolder/ as far as I know.
Yes, but you can't read the php code that way--the script would run and return them the html code (i.e. with all the php code stripped away, including sensitive info). I've actually had problems because of this, I gave people scripts with some code that used php "include" with the global url, but when the include page was inserted, it was just html, so it didn't work. I had to change it around to use include "../../something/whatever.php" (local instead of global) for it to work. Doing this on an addon domain would return only files on the addon domain.


Also, the server doesn't really care what domain a file is on, it cares what user has access to the file in the filesystem, and with an addon domain that would be the same user.
I would still be giving users access to their folder only, on the addon domain. They wouldn't be able to directly access anything else, the only issue is running a script that could do it, but as I explained above, I don't think it would work.

Obviously I could be wrong about this stuff, that's why I'm asking, but I'm pretty sure that's how it all works. I'm no hacker though, so I don't know all the ways to break in. I guess I should talk to my server guy. Thanks for discussing this with me. :)

Colin F
Fri 29th Sep '06, 3:05pm
Doing this on an addon domain would return only files on the addon domain.

In my opinion you're wrong about that part. But anyhow, I'm not a server guru either, talk with your server guy, he should be able to tell you for sure.