Update README.md

dpeca 2019-08-20 22:05:57 +02:00 committed by GitHub
commit 943df73720
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -18,7 +18,7 @@ Features
+ `echo "<?php \$login_url='MY-SECRET-URL';" > /usr/local/vesta/web/inc/login_url.php`
+ Literally no one PHP script will be alive before you access that URL, so even if there is some zero-day exploit - hacker will not be able to access it without knowing your secret URL. PHP scripts from VestaCP will be simlpy dead - nothing will interact with someone who don't know your secret-URL.
+ You can see how mechanism was built by looking at:
+ https://github.com/myvesta/vesta/blob/master/src/deb/php/php.ini#L496
+ https://github.com/myvesta/vesta/blob/master/src/deb/for-download/php/php.ini#L496
+ https://github.com/myvesta/vesta/blob/master/web/inc/secure_login.php
+ We disabled dangerous PHP functions in php.ini, so even if customer's CMS was compromised, hacker will not be able to execute shell from PHP.
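
Review bot: The two php.ini links in this list point at `master` with a `#L496` line anchor, so they will land on the wrong line as soon as either php.ini is edited; use permalinks to a fixed commit, or name the directive being referenced, so readers can still find the mechanism. In the secret-URL paragraph, "simlpy" should be "simply" and "someone who don't know" should be "someone who doesn't know", and the `echo` line should say that `MY-SECRET-URL` is a placeholder to be replaced with a long, unguessable value. The last line states that an attacker "will not be able to execute shell from PHP" as an absolute; it would read more accurately if it listed the functions disabled in php.ini and described this as hardening that limits what a compromised CMS can do.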