
Re: [cobalt-users] [Raq4] Directory Listing Exploit found.



"Kai" <go@xxxxxxxxxxxx> wrote:
> Today I caught a user of mine exposing my client list to the world via a PHP
> script that uses the opendir() and explode() functions. This is just as bad
> as Code Red. I know they can't execute anything. But a directory listing is
> just as bad. They can list every directory. I looked at the webpage and
> brought up a list of my sites in /home/sites.

All of the symbolic links in /home/sites are world-readable.  So anyone with
shell access or any script written in a language which doesn't limit access
to certain directories (or alternately disallow access to certain
directories) will be able to access those files.   This is normal.

> I know what you're thinking. "This has been addressed in the archives. You
> use: Options -Indexes in the access.conf file".
> However... This DOES work for normal directory listing. However... PHP seems
> to bypass this. It has its own permissions or something.

-Indexes just makes it so Apache doesn't show the directory listing via an
HTTP request.  What you described wasn't an HTTP request.  It was a PHP
script using fopen(), executing a system command or something similar.  So
that Apache directive has no effect.

> So.. How do we make PHP abide by these rules too.. because this script I
> have can show you anything ;)

You have to tell it what the rules are.  On cobalt-security earlier today,
Jan Wildeboer addressed a nearly identical problem posted by someone else.
The solution is to use the open_basedir PHP directive.  See the following
URLs:

http://www.php.net/manual/en/configuration.php#ini.open-basedir
http://www.php.net/manual/en/security.apache.php

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
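
One way to check that every virtual host actually confines PHP with open_basedir, as the reply above recommends. This is an added example, not part of the original message: the sample configuration (hostnames, address, per-site paths) is constructed, and it assumes open_basedir is set per virtual host with mod_php's php_admin_value directive.

```python
import posixpath
import re

SITES_ROOT = "/home/sites"  # shared parent directory named in the thread
# Constructed sample config: hostnames, IP and per-site paths are made up.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
    ServerName site1.example
    DocumentRoot /home/sites/site1/web
    Options -Indexes
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName site2.example
    DocumentRoot /home/sites/site2/web
    php_admin_value open_basedir /home/sites/site2/:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName site3.example
    DocumentRoot /home/sites/site3/web
    php_admin_value open_basedir /home/sites/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
def directive(block, name_pattern):
    """Return the argument of the first directive matching name_pattern, or None."""
    m = re.search(r"^[ \t]*(?:%s)[ \t]+(.+?)[ \t]*$" % name_pattern, block, re.M | re.I)
    return m.group(1) if m else None

def covers_sites_root(path):
    """True if `path` is SITES_ROOT or one of its ancestors."""
    p = posixpath.normpath(path)
    return p == "/" or SITES_ROOT == p or SITES_ROOT.startswith(p + "/")

def audit(conf_text):
    """Return {ServerName: finding} for vhosts whose PHP file access is not confined."""
    findings = {}
    for block in VHOST_RE.findall(conf_text):
        name = directive(block, "ServerName") or "(unnamed)"
        basedir = directive(block, r"php_admin_value[ \t]+open_basedir")
        if basedir is None:
            findings[name] = "open_basedir not set"  # -Indexes alone does not limit PHP
        elif any(covers_sites_root(p) for p in basedir.strip('"').split(":") if p):
            findings[name] = "open_basedir includes " + SITES_ROOT
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_CONF).items():
        print(host, "->", finding)
```

On the sample, site1 is flagged even though it has Options -Indexes, and site3 is flagged because its open_basedir still covers the whole of /home/sites.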