Re: [cobalt-users] HACK !! - PHP HTTP File Editor
- Subject: Re: [cobalt-users] HACK !! - PHP HTTP File Editor
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Sat Jan 18 16:49:12 2003
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"Steven Depuydt - www.BeNe.WS" <Steven@xxxxxxx> wrote:
> I downloaded this little PHP script from the following location:
> http://www.gintonyx.de/php_html_editor.html
>
> With this script it's possible that ANY user of your server with FTP-access
> (to copy the PHP-files to your server), can BROWSE & READ the COMPLETE
> directory structure of your server with his browser !!
>
> So it's possible to VIEW/READ EVERY FILE on the server.
I think you really mean every file that has permissions of world readable or
is owned by the Apache user and is user readable.
> Even the files that
> are not owned by that user !!
This is standard Unix/Linux behavior.
> So it's possible to view the passwords & logins of the MySQL databases in
> PHP-files.
This is a known risk of running Apache in a shared user environment. This
won't address users who have shell access and/or try to accomplish the same
via scripts in other languages (C, Perl, Python, etc.), but will tighten
PHP. See the following sections of the PHP manual:
http://www.php.net/manual/en/security.php
http://www.php.net/manual/en/features.safe-mode.php#ini.safe-mode
Pay particular attention to the Apache directives safe_mode* and
open_basedir.
> That user can hack your database and who knows what else he can find on your
> server.
Unfortunately, the mistake is blaming the script as files with the
permissions/ownership I describe above were always vulnerable. I could
write a script in under 2 minutes that loops through all of the sites,
stores all file locations to a file, records the contents of all .htaccess
files and checks for db passwords then emails them to me. And I'm not
trying to toot my own horn - this is trivial for a local user to do or a
remote user taking advantage of a poorly written file upload script (not
saying such a beast exists on your server, but I've seen plenty).
> What can we do against this ?
See above. Hope that helps.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
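As an added example, not part of the original thread or of any Cobalt or PHP code, the script below does two things the reply above talks about: it runs the kind of audit Steve says is trivial to write (find every world-readable PHP file under a shared web root that carries MySQL credentials), and it prints the per-vhost open_basedir line that confines each site's PHP to its own tree. The site layout, the credential patterns grepped for, the appended /tmp entry and the sample files are all assumptions; the sample tree is constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a shared web server for
# the exposure Steve describes (config files any local PHP script can read)
# and print the per-site open_basedir fragment that confines PHP.
# The <root>/<site>/web layout and the credential patterns are assumptions.
set -u

# Print regular files under ROOT that are world-readable (the "other" read
# bit is set, so Apache/mod_php can read them whoever owns them) and that
# contain a MySQL connect call or a password-looking variable. The mode bit
# is what matters: a 0640 file owned by another user is filtered out even
# when this audit runs as root.
find_exposed_configs() {
    root=$1
    find "$root" -type f -perm -004 \
        \( -name '*.php' -o -name '*.inc' -o -name '.htaccess' \) \
        -exec grep -l -E -i 'mysql_p?connect|db_pass|mysql_pass' {} + 2>/dev/null \
        | sort
}

# Emit the Apache vhost line that limits PHP file access to one site's tree
# (plus /tmp, assumed here for sessions and uploads). php_admin_value cannot
# be overridden from .htaccess, which is the point on a shared host.
open_basedir_fragment() {
    docroot=$1
    printf 'php_admin_value open_basedir "%s:/tmp"\n' "$docroot"
}

# Build a constructed sample tree with two sites and echo its root:
#   site1/web/config.php  0644, holds mysql_connect()  -> exposed
#   site2/web/config.php  0640, holds mysql_connect()  -> not world-readable
#   site2/web/index.php   0644, no credentials         -> not flagged
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/web" "$root/site2/web"
    printf '<?php $db = mysql_connect("localhost", "site1", "s3cret"); ?>\n' \
        > "$root/site1/web/config.php"
    chmod 644 "$root/site1/web/config.php"
    printf '<?php $db = mysql_connect("localhost", "site2", "hunter2"); ?>\n' \
        > "$root/site2/web/config.php"
    chmod 640 "$root/site2/web/config.php"
    printf '<?php echo "hello"; ?>\n' > "$root/site2/web/index.php"
    chmod 644 "$root/site2/web/index.php"
    echo "$root"
}

root=$(make_sample_tree)
echo "World-readable files carrying credentials under $root:"
find_exposed_configs "$root"
echo
echo "Per-site vhost fragments:"
for site in "$root"/site1 "$root"/site2; do
    open_basedir_fragment "$site/web"
done
```

Run it against a real server by calling find_exposed_configs on the directory that holds the site trees instead of the constructed one. Note that the audit only answers "which files does a mode 0644 leave open to every local PHP script"; tightening file modes does not help when Apache itself must read the file, so the fix the reply points to is the open_basedir line per vhost (together with safe_mode on PHP versions that still have it).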