Re: [cobalt-users] <PHP Off Topic>
- Subject: Re: [cobalt-users] <PHP Off Topic>
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Tue Jun 19 09:56:30 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Jim Carey" <ozbcoz@xxxxxxxxxxxxxxxx> wrote:
> Had the same thing - using PHPNuke and had a module in there that could be
> passed a file name and it would display that file. No checks to see if the
> file name was below document root. A kind gentleman in Russia sent me a
> display of my /etc/passwd file that he had sourced from this module :-)
Well, /etc/passwd is chmod 644 by default - thus it is world-readable. To
be fair, anyone with shell access can read it too and other programming
languages can be used to read it, not just PHP. The file to worry about is
/etc/shadow. It contains the encrypted passwords and is chmod 400 (only
owner-readable) by default. PHP runs as the same user Apache does (usually
a non-privileged user like httpd, nobody, apache, etc.) so Apache, SSI, PHP,
CGI, Perl, etc. can access any file that's world-readable.
> I have since closed that hole !!
As I'm sure you know, the hole is not within PHP. The hole is within the
PHP application (PHPNuke) that allowed users to view any world-readable file
on the server that the user knew the path to and didn't restrict them to a
particular directory like the application was probably intended to do. BTW,
the real holes appear when you run CGIs as user 'root'. Then you have to be
especially careful that your code checks for unexpected user input and
handles it properly or you could find that your users are able to run any
command and view any file on the server.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
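The directory check the quoted PHPNuke module lacked, as an added example that is not code from this thread or from PHPNuke: a PHP helper that confines a user-supplied file name to one directory before displaying it. The function name `safeReadFile` and the `docs` directory are assumptions.

```php
<?php
// Added example, not from the original thread or PHPNuke.
// The vulnerable pattern was roughly: readfile($_GET['file']);
// which serves any world-readable file whose path the caller knows.

function safeReadFile(string $baseDir, string $requested): string
{
    // Reject embedded null bytes up front; they can truncate paths in
    // older PHP versions and make realpath() throw in newer ones.
    if (strpos($requested, "\0") !== false) {
        throw new RuntimeException("Invalid file name");
    }

    // Canonicalize the allowed directory once. The trailing separator makes
    // the prefix test exact ("/var/www/docs" must not match "/var/www/docs2").
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("Base directory does not exist: $baseDir");
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Resolve the requested name relative to the base. realpath() collapses
    // "../" segments and follows symlinks, so $target is the real file.
    $target = realpath($base . $requested);
    if ($target === false) {
        throw new RuntimeException("No such file: $requested");
    }

    // The real target must lie below the base directory and be a regular file,
    // so "../../etc/passwd" and symlinks pointing outside are both refused.
    if (strncmp($target, $base, strlen($base)) !== 0 || !is_file($target)) {
        throw new RuntimeException("Access denied: $requested");
    }
    return file_get_contents($target);
}

// Usage: serve only files under an assumed "docs" directory next to this script.
$docsDir = __DIR__ . '/docs';
$name = $_GET['file'] ?? '';
try {
    $body = safeReadFile($docsDir, $name);
    header('Content-Type: text/plain');
    echo $body;
} catch (RuntimeException $e) {
    http_response_code(403);
    echo "Refused.";
}
```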