Tenant Isolation & Impersonation Test

LiteSpeed / LSPHP / CloudLinux isolation & impersonation probe
SAPI litespeed PHP 7.4.33 Host quantsite.199-247-3-113.myboltip.com Tenant quantsite1992473113 User quantsite1992473113 DOC_ROOT /home/quantsite1992473113/quantsite.199-247-3-113.myboltip.com/public_html
0
Checks
0
Pass
0
Fail
0
Info
0
N/A
Plant /tmp secret Plant into /home/bobi/tmp Clean phpinfo()

1) open_basedir

CheckValueResultNote
open_basedir/home/quantsite1992473113/:/usr/share/PASSrestriction set
read /etc/passwddeniedPASSblocked
list /etcdeniedPASSblocked
list / (root)deniedPASSblocked
list /home (tenant enumeration)deniedPASSblocked
read /etc/shadowdeniedPASSblocked (DAC/basedir)

2) /tmp cross-tenant leak

CheckValueResultNote
this tenant tmp file/tmp/pentest_public_html_f61fc70626bffbf0a48a37e46c3a0629.txtPASSnot planted yet
other tenants /tmp markersnonePASSno foreign pentest_* visible
/tmp/sess_* leaknonePASSno foreign sess_* readable
/tmp/mysql.sock exists?noPASSnot present
/tmp/.s.PGSQL.5432 exists?noPASSnot present
/var/lib/mysql/mysql.sock exists?noPASSnot present

3) suEXEC / process identity

CheckValueResultNote
PHP process userquantsite1992473113 (uid=? gid=? real_uid=?)PASSlooks per-user
Process groupsPASSmust NOT be in "apache" group (would allow reading other FPM sockets)
Expected owner from DOC_ROOTquantsite1992473113PASSmatches
Newly-written file owner2002 (uid=2002)INFOowner could not be resolved to verify against the runtime user

4) Cross-tenant impersonation (target: bobi)

ProbeResultStatusNote
stat /home/bobideniedPASSblocked
list /home/bobideniedPASSblocked
list /home/bobi/public_htmldeniedPASSblocked
read /home/bobi/.bashrcdeniedPASSblocked
read /home/bobi/.bash_historydeniedPASSblocked
read /home/bobi/.ssh/authorized_keysdeniedPASSblocked
read /home/bobi/.ssh/id_rsadeniedPASSblocked
list /home/bobi/tmp/sessionsdeniedPASSblocked
write to /home/bobi/tmp/deniedPASSblocked
common config files (wp-config/.env/etc.)none readablePASSblocked

5) open_basedir bypass tricks

TrickResultStatusNote
symlink to /etc/passwdblockedPASSblocked
symlink /tmp -> /home/bobi/.bashrcblockedPASSblocked
glob:// /etc/*blockedPASSblocked
glob:// /root/*blockedPASSblocked
phar:// write testn/aN/Aself-target — not a cross-tenant probe
chdir + ../ escapeblockedPASSblocked
realpath() outside basedirnullPASSblocked

6) disable_functions & command execution

FunctionStateStatusNote
execdisabledPASS
shell_execdisabledPASS
systemdisabledPASS
passthrudisabledPASS
proc_opendisabledPASS
popendisabledPASS
pcntl_execdisabledPASS
mailENABLEDPASS
imap_opendisabledPASS
dldisabledPASS
putenvENABLEDPASS
posix_killdisabledPASS
posix_setuiddisabledPASS
posix_seteuiddisabledPASS
actual `id` output(no exec function produced output)PASSall exec attempts blocked

7) /proc enumeration

CheckValueStatusNote
list /procdeniedPASSblocked
read /proc/self/statusdeniedPASSblocked
read /proc/<PID>/environ or cmdline of other PIDsnonePASSblocked

8) Privilege escalation / FPM socket impersonation

ProbeResultStatusNote
posix_setuid(0)disabledPASSexpected to fail
posix_seteuid(0)disabledPASSexpected to fail
list /run *.sockdenied/nonePASSblocked
connect to foreign FPM socketn/aN/Anothing foreign to test against

9) Network / lateral movement

TargetResultStatusNote
MySQL :3306OPEN — Z.5.5.5-10.11.18-MariaDB.<Ap3J\o;.u]Rar;l1Nrri.mysql_native_passwordINFOlistening on localhost (normal) — auth checked below
PostgreSQL :5432closed (Connection refused)PASSnot reachable
Redis :6379closed (Connection refused)PASSnot reachable
Memcached :11211closed (Connection refused)PASSnot reachable
Elasticsearch :9200closed (Connection refused)PASSnot reachable
MongoDB :27017closed (Connection refused)PASSnot reachable
MySQL default credentialsdefault credentials rejectedPASSrejected/unavailable
metadata root (169.254.169.254)REACHABLE: instance-id instance-v2-id mac local-ipv4 public-ipv4 network_config/content_path hostnameINFOlink-local metadata answers from PHP — an SSRF target; instance IDs/IPs are not secret by themselves
metadata: AWS IAM credentialsnot present / emptyPASSno data at this endpoint
metadata: AWS user-datanot present / emptyPASSno data at this endpoint
metadata: user-data (v1)not present / emptyPASSno data at this endpoint
metadata: full config v1.jsonreadable (1483B): {"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipINFOendpoint readable but no obvious secret pattern — review manually
GCP metadataunreachable / blockedPASSnot reachable
outbound egress (1.1.1.1:53)OPEN — outbound allowedINFOnormal for hosting; only a concern if you want strict egress filtering

10) Shared memory / cache poisoning

CheckValueStatusNote
APCu user cachestatus: not enabledPASSnot shared
OPcache statusopcache_get_status unavailable (0 cached scripts)PASSno foreign scripts / API restricted
IPC ext: shmoploadedINFOcapability only — a risk only if foreign segments are attachable (see below)
IPC ext: sysvshmnot loadedPASSnot available
IPC ext: sysvsemnot loadedPASSnot available
IPC ext: sysvmsgnot loadedPASSnot available
foreign SysV shm segments (shmop)none accessiblePASSblocked — cannot attach to foreign segments

11) Environment & config disclosure

CheckValueStatusNote
secrets in $_ENV / getenv()none matchedPASSno secret-like env vars
php.ini loaded from/opt/alt/php74/etc/php.iniINFOinformational
scanned .ini files/opt/alt/php74/link/conf/bcmath.ini, /opt/alt/php74/link/conf/clos_ssa.ini, /opt/alt/php74/link/conf/default.ini, /opt/alt/php74/link/conf/dom.ini, /opt/alt/php74/link/conf/fileinfo.ini, /opt/alt/php74/link/conf/gd.ini, /opt/alt/php74/link/conf/intl.ini, /opt/alt/php74/link/conf/ioncube_loader.ini, /opt/alt/php74/link/conf/json.ini, /opt/alt/php74/link/conf/mbstring.ini, /opt/alt/php74/link/conf/memcached.ini, /opt/alt/php74/link/conf/mysqli.ini, /opt/alt/php74/link/conf/pdo.ini, /opt/alt/php74/link/conf/pdo_mysql.ini, /opt/alt/php74/link/conf/pdo_sqlite.ini, /opt/alt/php74/link/conf/phar.ini, /opt/alt/php74/link/conf/xmlreader.ini, /opt/alt/php74/link/conf/xmlwriter.ini, /opt/alt/php74/link/conf/xsl.ini, /opt/alt/php74/link/conf/zip.ini, /opt/alt/php74/link/conf/zz-php.ini INFOinformational
.user.ini override writableyes (.user.ini)INFOwriting .user.ini in your own docroot is by design — not a cross-tenant issue
session.save_path/home/quantsite1992473113/tmp/sessionsINFOprivate per-tenant store inside your own home — correct
foreign session files readablenonePASSblocked
phpinfo() dumpcallableINFOnormal — just do not expose ?action=phpinfo publicly

12) CageFS / CloudLinux virtualization & limits

CheckValueStatusNote
mount table (/proc/self/mountinfo)not readablePASSmasked — cannot see host mounts (good, CageFS-style virtualization)
/proc/mounts readabledeniedPASSblocked
/proc hidepid (visible PIDs)0PASShidepid effective
/proc/self/cgroup (LVE)deniedINFOinformational
system user enumerationposix uid1000+: nonePASSonly own account visible
umask0022INFOstandard default (0022 → 0644); file mode only matters if filesystem isolation is absent
created-file permissions0644INFOmode is world-readable, but open_basedir/CageFS block cross-tenant reads (see §1–4) — not exploitable here
tempnam() location/home/quantsite1992473113/tmp/pt_TIL7AhINFOinformational — check predictability
/var/spool/cron accessdeniedPASSblocked
read /usr/local/apache/conf/httpd.confdeniedPASSblocked
read /etc/httpd/conf/httpd.confdeniedPASSblocked
read /etc/apache2/apache2.confdeniedPASSblocked
read /usr/local/lsws/conf/httpd_config.confdeniedPASSblocked
read /etc/nginx/nginx.confdeniedPASSblocked
resource limitsmemory_limit=256M max_execution_time=20 upload_max_filesize=64M post_max_size=64M max_input_vars=3000INFOinformational
LVE / lsapi hooksno LVE hooks visibleINFOinformational

raw php config

SettingValue
open_basedir/home/quantsite1992473113/:/usr/share/
disable_functionspcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,exec,passthru,shell_exec,system,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,popen,dl,show_source,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
upload_tmp_dir/home/quantsite1992473113/tmp
sys_temp_dir/home/quantsite1992473113/tmp
session.save_path/home/quantsite1992473113/tmp/sessions
sendmail_path/usr/sbin/sendmail -t -i

loaded php extensions

49 extension(s) loaded, 1 Zend extension(s).

bcmath                  gd                      mysqli                  SPL
bz2                     gettext                 openssl                 sqlite3
calendar                gmp                     pcntl                   standard
clos_ssa                hash                    pcre                    tokenizer
Core                    iconv                   PDO                     xml
ctype                   igbinary                pdo_mysql               xmlreader
curl                    intl                    pdo_sqlite              xmlwriter
date                    ionCube Loader          Phar                    xsl
dom                     json                    readline                zip
exif                    libxml                  Reflection              zlib
fileinfo                litespeed               session
filter                  mbstring                shmop
ftp                     memcached               SimpleXML

Zend extensions: the ionCube PHP Loader + ionCube24

Tip: deploy this same file to /home/bobi/... and visit both vhosts. Use ?action=plant on tenant A, then visit tenant B with ?other=quantsite1992473113 — section 4 should show all PASS.