[CLUE-Tech] Cracking websites

Angelo Bertolli angelo at freeshell.org
Sun Feb 22 15:02:05 MST 2004


Maybe I'm being naive, but what I don't understand is how this is much 
of a problem.  If something is world readable, then it is already 
readable by anyone.  If something is readable by nobody, then it is 
readable by the people on the net.  This is why cgi scripts and php 
scripts themselves are meant to be secured.  Whenever I have a file 
which is world readable on my account, I always remember that it's world 
readable... secondly, I don't write php scripts which allow anyone to 
execute commands on the server.  As a user of the server I have certain 
privileges that others don't.  So just at the operating system level 
there isn't any life-or-death insecurity with this.

Also, you are right about PHP having some defenses against this.  I know 
that PHP defaults to not allowing uploads, for example.  Perl scripts 
and C programs are in the CGI category, whereas PHP is a module in 
Apache.  For CGI you can make these programs suid for a certain user,  
for PHP well... I'd like to know if you tested the example you gave us 
before to see exactly how far Apache let you go.

But also note that the free hosting sites usually do not allow cgi or 
php, and if you are given cgi/php privileges, you are expected to 
be responsible with it.  Still, some people aren't--for example there 
was an incident recently on the server I'm hosted on where people were 
using uploads as a way of circumventing the quotas set on accounts, 
because apache/nobody must be allowed to own lots of data on the disk.

Also, as per your example, I think you must know exactly where the files 
are located.  I'm not sure executing ls is possible unless you know 
where ls is.  I could be wrong, but I don't think the PHP script has a 
PATH associated with it.

I'd be interested in anything you find out.  Do you specifically want to 
tell apache not to allow any php script to read a directory which is not 
within its own directory or subdirectories or something?

Angelo

>Therefore, files in other peoples directories must also follow the same
>constraints.
>
>Since my cracking script runs as the httpd daemon user, anything the httpd
>daemon can read, my script can read.
>
>It appears that PHP has some ways of addressing this, and I imagine Perl
>does too. But since it's possible to write CGI programs using shell
>scripting, C, or any language the host provides, the restriction should
>really be handled in the web server itself.
>
>jed
>  
>
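The exchange above turns on two facts: a script running as the httpd user (`nobody`) can read any world-readable file on the box, and it can write into any world-writable directory (the quota-circumvention case). The following audit script is an added example, not code from this thread or from the CLUE list; the home-directory layout, file names and the Debian-style vhost path in the usage call are constructed assumptions. It lists what the httpd user could reach and checks whether PHP has been confined with `open_basedir`, which is the directive that does what Angelo's closing question asks for (restricting a PHP script to its own directory tree); as the quoted reply notes, that only covers PHP, not CGI written in other languages.

```shell
#!/bin/sh
# Added example, not code from the list thread. Audits a shared-hosting home
# tree for files readable by the httpd user and directories writable by it,
# then checks a config fragment for PHP's open_basedir restriction.
# Paths used in the --run block are constructed assumptions.

# List regular files under $1 whose "other" read bit is set (octal 004).
# Any PHP or CGI script running as the httpd user can open every one of these.
audit_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# List directories under $1 whose "other" write bit is set (octal 002).
# A script running as the httpd user can create files here, which is how
# uploads owned by nobody end up outside any account's quota.
audit_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | sort
}

# Return 0 if an Apache vhost or php.ini fragment ($1) sets open_basedir
# (either "open_basedir = ..." or "php_admin_value open_basedir ..."),
# 1 otherwise. Commented-out lines (";" or "#") do not count.
has_open_basedir() {
    grep -Eq '^[[:space:]]*(php_admin_value[[:space:]]+)?open_basedir' "$1"
}

# Usage (constructed): audit every account under /home and check the vhost.
if [ "${1:-}" = "--run" ]; then
    echo "== files readable by the httpd user =="
    audit_world_readable /home
    echo "== directories writable by the httpd user =="
    audit_world_writable_dirs /home
    # Assumed Debian-style vhost location; adjust for your layout.
    if has_open_basedir /etc/apache2/sites-enabled/000-default.conf; then
        echo "open_basedir is set"
    else
        echo "open_basedir is NOT set: PHP can read anything the httpd user can"
    fi
fi
```

Run it as `sh audit.sh --run` on the host; the `--run` guard keeps the functions reusable from other scripts. The `find -perm -004` form asks for the "other" read bit regardless of the owner and group bits, so a 644 file and a 755 script both show up, while a 600 file does not.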
