[CLUE-Tech] Re: Cracking websites
jim feldman
jmf at jim-liesl.org
Sun Feb 22 14:22:11 MST 2004
It's not like the Apache folks haven't thought about this either. Check
out the suEXEC wrapper and the User directive for <VirtualHost>.
"chrooted" apache is doable but very ugly from a maintenance
perspective. You could look at User-mode-linux, but thats overkill for
what you need. Check out the following link:
http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html
FreeBSD just did a better job addressing this need. The only downside
is that each "jail" needs it's own unique ipaddr.
jim
> Hi Folks.
>
> I'm wondering about website security. In a shared hosting environment,
> under Apache, is there anything to prevent me from reading other users'
> files -- that is, any files which must be readable by the httpd user for
> the site to function?
>
> For example, I could set up a PHP script which executes any shell command
> I enter.
>
> <?php htmlspecialchars(system($mycmd)); ?>
>
> And feed it "ls -la ../.." as a start -- given what I've seen of the
> directory structure of some shared hosting environments, that would give
> me a list of all user directories on the same server (or disk volume).
>
> Proceeding from there, I could look for config files, include files, etc.,
> searching for database user/pass strings, and other things of interest,
> using cat and grep.
>
> This seems like such an obvious crack, I have to think there's a standard,
> effective measure to prevent it. Presumably something in the virtual
> hosting setup that creates the equivalent of a chroot jail -- or is that
> possible only using a virtual server?
>
> jed
--
BSD is what you get when a bunch of Unix hackers sit down to try to port
a Unix system to the PC. Linux is what you get when a bunch of PC
hackers sit down and try to write a Unix system for the PC.<Matt Fuller>
More information about the clue-tech
mailing list