
I have a Website using Concrete5.

I need to allow the client to access the subpage domain\blocks.

The problem is that if the person with these permissions creates a Block and puts in some code like:

file_get_contents('C:\xampp\htdocs\somefile.php');

He will get the source code of the website.

I am trying to use the suhosin extension to block some functions:

In php.ini

suhosin.executor.func.blacklist = ""

In httpd-xampp.conf

<Directory "C:/xampp/htdocs/blocks">
     php_admin_value suhosin.executor.func.blacklist "opendir, file_get_contents, phpinfo"
</Directory>

The problem is that this is not working, since Concrete5 uses an index.php to manage all the URL connections.

Basically, when a call is made to a URL such as www.domain.com/somepage/title (this is just an example), what is actually called is:

C:/xampp/htdocs/index.php/somepage/title

Then Concrete5 translates that into the CMS and eventually calls the block code.

Since the call is to the root of the domain, it has access to all PHP functions.

I just want to protect the rest of the website.
