[CLUE-Tech] Cracking websites

Angelo Bertolli angelo at freeshell.org
Sat Feb 21 23:01:45 MST 2004


But what's the crack?  You can still only do things as apache or 
nobody.  Of course if you're afraid of people seeing certain files, make 
them unreadable by apache.  Linux systems aren't locked down that 
tightly by default.  By default people with shell accounts can read 
lilo.conf, which keeps the password unencrypted.  To fix this problem, 
you make certain files go-rw I guess.  The shadow file is locked down 
though.

Also, you can tell apache to run "as if another user."  I know with 
virtual hosting you can give it a different user for each site.  I 
think using <Directory> </Directory> in httpd.conf you can do this too 
for certain directories.

Jed S. Baer wrote:

>Hi Folks.
>
>I'm wondering about website security. In a shared hosting environment,
>under Apache, is there anything to prevent me from reading other users'
>files -- that is, any files which must be readable by the httpd user for
>the site to function?
>
>For example, I could set up a PHP script which executes any shell command
>I enter.
>
> <?php htmlspecialchars(system($mycmd)); ?>
>
>And feed it "ls -la ../.." as a start -- given what I've seen of the
>directory structure of some shared hosting environments, that would give
>me a list of all user directories on the same server (or disk volume).
>
>Proceeding from there, I could look for config files, include files, etc.,
>searching for database user/pass strings, and other things of interest,
>using cat and grep.
>
>This seems like such an obvious crack, I have to think there's a standard,
>effective measure to prevent it. Presumably something in the virtual
>hosting setup that creates the equivalent of a chroot jail -- or is that
>possible only using a virtual server?
>
>jed
>  
>
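
The "go-rw" fix mentioned in the reply, as an added example that is not part of the original thread: a shell audit that lists files under a directory that group or other can read or write, and optionally strips those bits. The function names and the `report`/`strip` arguments are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread); all names here are hypothetical.

# find(1) expression matching any of g+r, g+w, o+r, o+w. Octal -perm tests
# are POSIX, so GNU and BSD find both accept them. Expanded unquoted on
# purpose so that it splits into separate find arguments.
GO_RW='( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 )'

# Print regular files under directory $1 that group or other can read or write.
list_go_rw() {
    find "$1" -type f $GO_RW -print | sort
}

# Same selection, shown with mode and owner so it can be reviewed first.
report_go_rw() {
    find "$1" -type f $GO_RW -exec ls -ld {} +
}

# Apply "chmod go-rw" to every match. Owner bits and execute bits are kept.
# Caveat: a file the web server must read stays readable afterwards only if
# the server runs as the file's owner (e.g. a per-site user); otherwise keep
# such files out of the directory you pass in.
strip_go_rw() {
    find "$1" -type f $GO_RW -exec chmod go-rw {} +
}

# Usage: sh audit.sh report DIR   or   sh audit.sh strip DIR
case "${1:-}" in
    report) report_go_rw "$2" ;;
    strip)  strip_go_rw "$2" ;;
esac
```

Run `report` first and check the list before running `strip`.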



