[CLUE-Tech] Cracking websites
Angelo Bertolli
angelo at freeshell.org
Sat Feb 21 23:01:45 MST 2004

But what's the crack? You can still only do things as apache or
nobody. Of course if you're afraid of people seeing certain files, make
them unreadable by apache. Linux systems aren't locked down that
tightly by default. By default people with shell accounts can read
lilo.conf, which keeps the password unencrypted. To fix this problem,
you make certain files go-rw I guess. The shadow file is locked down
though.

Also, you can tell apache to run "as if another user." I know with
virtual hosting you can give it a different user for each site. I
think using <Directory> </Directory> in httpd.conf you can do this too
for certain directories.

Jed S. Baer wrote:
>Hi Folks.
>
>I'm wondering about website security. In a shared hosting environment,
>under Apache, is there anything to prevent me from reading other users'
>files -- that is, any files which must be readable by the httpd user for
>the site to function?
>
>For example, I could set up a PHP script which executes any shell command
>I enter.
>
> <?php htmlspecialchars(system($mycmd)); ?>
>
>And feed it "ls -la ../.." as a start -- given what I've seen of the
>directory structure of some shared hosting environments, that would give
>me a list of all user directories on the same server (or disk volume).
>
>Proceeding from there, I could look for config files, include files, etc.,
>searching for database user/pass strings, and other things of interest,
>using cat and grep.
>
>This seems like such an obvious crack, I have to think there's a standard,
>effective measure to prevent it. Presumably something in the virtual
>hosting setup that creates the equivalent of a chroot jail -- or is that
>possible only using a virtual server?
>
>jed
>
>
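
The permission fix mentioned in the reply ("go-rw"), as an added example that is not part of either message: a POSIX shell audit that lists files group or other can read or write, then locks down the ones matching a name. The directory layout and the file name `config.inc.php` are constructed for illustration, and it assumes the web server runs as the file's owner (the per-site user setup the reply mentions), since otherwise the site can no longer read the file.

```shell
#!/bin/sh
# Added example: audit a hosting tree for files readable or writable
# beyond their owner, then apply "chmod go-rw" to the sensitive ones.
# All paths and file names below are constructed sample data.

# Print every regular file under $1 (a directory or a single file)
# that has any group/other read or write bit set.
list_go_rw() {
    find "$1" -type f \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# Number of such files under $1.
count_go_rw() {
    list_go_rw "$1" | wc -l | tr -d ' '
}

# Succeeds only if $1 is a regular file with no group/other read or write bit.
is_locked() {
    [ -f "$1" ] && [ -z "$(list_go_rw "$1")" ]
}

# Remove group/other read and write from files under $1 named $2.
lock_down() {
    find "$1" -type f -name "$2" -exec chmod go-rw {} +
}

# Constructed demo: two user directories, one holding a credentials file.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/alice/htdocs" "$root/bob/htdocs"
    echo '<?php $db_pass = "constructed"; ?>' > "$root/alice/htdocs/config.inc.php"
    echo '<html></html>' > "$root/bob/htdocs/index.html"
    chmod 644 "$root/alice/htdocs/config.inc.php" "$root/bob/htdocs/index.html"
    echo "before: $(count_go_rw "$root") file(s) open to group/other"
    lock_down "$root" 'config.inc.php'
    echo "after:  $(count_go_rw "$root") file(s) open to group/other"
    rm -rf "$root"
}
demo
```

The same check applies to a single file, for example `is_locked /etc/lilo.conf`.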