I’ve found out the hard way that my website can be hacked by passing a query string parameter that has many ../s to access files outside of the website directory, and then hack the website.
Is there a way, perhaps through the php.ini, to not allow file includes outside of a certain root directory?
To make things worse, most of what is running on the server is not my code. The website runs on the CMS Joomla! and the exploit was done through a purchased plugin.
I cannot change the scripts. If it has to come to that, I’ll just uninstall the affected plugins.
Yes, PHP has a configuration parameter called open_basedir exactly for that purpose. (Don’t forget to add to it at least the session_save_path directory.)
But! You have to check every passed parameter anyway!
If it’s supposed to be just a filename, truncate it using the basename() function.
If it’s supposed to be a directory, you can check it with code such as this:
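The two checks this answer describes, as an added example that is not part of the original answer: basename() for a file-name parameter and a containment check for a directory parameter. Using realpath() for the directory check is an assumption of this example, and the function names, temporary directory and sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Reduce a request parameter to a bare file name (the basename() advice).
function safe_filename(string $param): ?string
{
    if (strpos($param, "\0") !== false) {
        return null;                       // NUL bytes never belong in a file name
    }
    // basename() on Linux does not treat "\" as a separator, so normalise first.
    $name = basename(str_replace('\\', '/', $param));
    return ($name === '' || $name === '.' || $name === '..') ? null : $name;
}

// Resolve $relative under $root and return the canonical path, or null if it
// does not exist or escapes $root once "../" and symlinks are resolved.
function resolve_inside(string $root, string $relative): ?string
{
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    $target   = $rootReal === false ? false : realpath($rootReal . '/' . $relative);
    if ($rootReal === false || $target === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/site-old does not match /srv/site.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $rootReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree and inputs, so the script runs offline.
$root = sys_get_temp_dir() . '/basedir_demo_' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', "<?php // constructed sample\n");

echo 'open_basedir = ', ini_get('open_basedir') ?: '(not set)', "\n";
foreach (['pages', 'pages/../pages', 'pages/../../..', '../../../../etc'] as $dir) {
    printf("dir  %-24s => %s\n", $dir, resolve_inside($root, $dir) ?? 'REJECTED');
}
foreach (['home.php', '../../../../etc/passwd', '..\\..\\boot.ini', '..'] as $file) {
    printf("file %-24s => %s\n", $file, safe_filename($file) ?? 'REJECTED');
}
```

Checks like these only protect code you can edit; for third-party plugins that cannot be changed, open_basedir remains the server-side backstop.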