[cobalt-users] Severe Security Problem Between Sites
- Subject: [cobalt-users] Severe Security Problem Between Sites
- From: Michael Hoennig <michael@xxxxxxxxxx>
- Date: Mon Mar 27 21:33:30 2000
- Organization: Me organized? You're kiddin' - eh?
Hi everybody on the list,

A couple of days ago I asked for the solution to a security problem.
Probably my wording was too complicated because I went too deep into
details. So I'll try it again, because I can hardly believe that nobody
at all is bothered about this leak.
1. Everybody has Telnet access to ALL sites!

The default setup for sites and users on a RaQ3 allows all Telnet users
to VIEW ALL files in ALL sites - not just their own. What's more, it even
allows them to WRITE ALL files which are writable by the httpd - i.e.
where CGI or PHP scripts store data. This is because the httpd needs
"world" rights to the files in the sites. Actually, it's at least not
possible to read the home directory and mail folders of others that way
- but all files which are readable by the httpd are, whether protected by
.htaccess entries or not. And what especially bothers me is that scripts
are readable (scripts often have to contain passwords) and data files
that scripts write to are even writable.

This could be solved by adding httpd to all site groups and removing the
world rights from all site directories and files (chmod -R o-rwx
/home/sites/*). But I am not sure if having the httpd in all the site
groups would open new security leaks. And of course that breaks the
admin UI of the Cobalt.
2. Everybody has access to all sites via PHP!

Even if you fix the first problem as depicted above, everybody who can
execute PHP scripts can still simply access all files, even those of
other sites. Because PHP is running as a module (AFAIK much faster,
especially on high loads), it uses the rights of the httpd. And the
httpd has the rights to read ALL files in the sites anyway - or no user
could browse these files. And of course httpd has write rights to the
data files, or NO script could write to these.

I wonder why the PHP module does not at least check if the group of the
file is the same as the group the VirtualHost is assigned to. Or why
Apache is not calling seteuid to the User of a VirtualHost before
calling a script (a script could not reverse that!). The only solution
seems to be to run PHP via CGIwrap - slower :-(
3. Mail to the wrong account

If you set up additional domains within a virtual site (thus VirtualHosts
in httpd) and enable mail for these domains, you may wonder why no mail
is yet addressable for these domains, except to names which are users
on the Cobalt! Having a user "u1" which actually belongs to domain1.tld
and a VirtualHost domain2.tld, a mail to u1@xxxxxxxxxxx would go to u1
of domain1.tld! Imagine if u1 is something common like "webmaster" or
"michael".

It's easy to fix, just add the right catch-all rules to
/etc/virtuserlist. But again, you break the UI-only admin advantage of
the Cobalt.
4. MySQL root password is not set

By default there is no MySQL root password set, the admin is not forced
to set one, and I've not even found a hint to do that. So if you forget,
probably one of your Telnet users will do that ...
How do you all deal with these problems? Or is all that no problem in
your way of using the Cobalt?
Thanks for reading - and probably for good hints
Michael
--
Boytinstr. 10 - D-22143 Hamburg - Germany ----- http://www.hoennig.de
home:++49 40 67581412 office:++49 40 23646958 mobile:++49 177 3787491
http://www.binational-in.de -- Forum for binational couples & families
http://www.lug-stormarn.eu.org - Linux User Group Stormarn / Holstein
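The condition described in points 1 and 2 above (files in every site readable, and data files writable, by "other", so that any Telnet login or any PHP script running as httpd can reach them) is easy to audit from the shell. The script below is an added example; it is not code from the original post nor from Cobalt. The function names, the constructed sample tree and the temporary directory are my own assumptions for a runnable demo; on a real RaQ you would point the audit functions at the /home/sites tree the post mentions. It also wraps the fix the post proposes (chmod -R o-rwx on a site) so you can see the report before and after.

```shell
#!/bin/sh
# Added example, not from the original post or from Cobalt: audit a
# RaQ-style site tree for files that "other" can read or write, which is
# the condition the post describes. The sample layout is constructed for
# the demo; in practice pass /home/sites (or one site under it).
set -u

# List regular files under $1 that are readable by "other" (o+r).
list_world_readable() {
    find "$1" -type f -perm -004 | sort
}

# List regular files under $1 that are writable by "other" (o+w); these
# are the data files the post says any user's script could overwrite.
list_world_writable() {
    find "$1" -type f -perm -002 | sort
}

count_world_readable() { list_world_readable "$1" | wc -l | tr -d ' '; }
count_world_writable() { list_world_writable "$1" | wc -l | tr -d ' '; }

# Report: every world-writable file, plus world-readable scripts (the post
# points out that scripts often carry passwords, so these matter most).
audit_report() {
    list_world_writable "$1" | sed 's/^/WRITABLE /'
    list_world_readable "$1" | grep -E '\.(pl|php|cgi)$' | sed 's/^/SCRIPT   /'
    return 0
}

# The fix the post proposes: strip all "other" rights from one site tree.
# Afterwards httpd can only serve the site if it is in the site's group,
# and the post notes this also breaks the Cobalt admin UI, so try it on
# one site first.
harden_site() {
    chmod -R o-rwx "$1"
}

# Constructed sample tree (hypothetical site names and files) whose
# permission bits mimic the leak described in the post.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/site1/web/cgi-bin" "$root/site1/web/data" "$root/site2/web"
    printf '#!/usr/bin/perl\nmy $dbpass = "example";\n' > "$root/site1/web/cgi-bin/form.pl"
    printf 'visitor log\n' > "$root/site1/web/data/log.txt"
    printf '<html>index</html>\n' > "$root/site2/web/index.html"
    printf 'private\n' > "$root/site2/private.txt"
    chmod 755 "$root/site1/web/cgi-bin/form.pl"   # world-readable script holding a password
    chmod 666 "$root/site1/web/data/log.txt"      # world-writable data file
    chmod 644 "$root/site2/web/index.html"        # world-readable page (normal for static HTML)
    chmod 600 "$root/site2/private.txt"           # owner-only, not exposed
}

# Demo: "sh audit_sites.sh --demo" builds the sample tree, reports,
# hardens site1 the way the post suggests, and reports again.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(mktemp -d)
    make_sample_tree "$demo_root"
    echo "== before hardening =="
    audit_report "$demo_root"
    harden_site "$demo_root/site1"
    echo "== after hardening site1 =="
    audit_report "$demo_root"
    rm -rf "$demo_root"
fi
```

The report deliberately keys on mode bits rather than on whether the current user can open the file, so it gives the same answer whoever runs it; after harden_site only the static page in the untouched second site still shows up as world-readable, and nothing is world-writable.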