[CLUE-Tech] Cracking websites
Angelo Bertolli
angelo at freeshell.org
Sun Feb 22 15:02:05 MST 2004
Maybe I'm being naive, but what I don't understand is how this is much
of a problem. If something is world readable, then it is already
readable by anyone. If something is readable by nobody, then it is
readable by the people on the net. This is why cgi scripts and php
scripts themselves are meant to be secured. Whenever I have a file
which is world readable on my account, I always remember that it's world
readable... secondly, I don't write php scripts which allow anyone to
execute commands on the server. As a user of the server I have certain
privileges that others don't. So just at the operating system level
there isn't any life-or-death insecurity with this.
Also, you are right about PHP having some defenses against this. I know
that PHP defaults to not allowing uploads, for example. Perl scripts
and C programs are in the CGI category, whereas PHP is a module in
Apache. For CGI you can make these programs suid for a certain user,
for PHP well... I'd like to know if you tested the example you gave us
before to see exactly how far Apache let you go.
But also note that the free hosting sites usually do not allow cgi or
php, and if you are given cgi/php privileges, you are expected to
be responsible with it. Still, some people aren't--for example there
was an incident recently on the server I'm hosted on where people were
using uploads as a way of circumventing the quotas set on accounts,
because apache/nobody must be allowed to own lots of data on the disk.
Also, as per your example, I think you must know exactly where the files
are located. I'm not sure executing ls is possible unless you know
where ls is. I could be wrong, but I don't think the PHP script has a
PATH associated with it.
I'd be interested in anything you find out. Do you specifically want to
tell apache not to allow any php script to read a directory which is not
within its own directory or subdirectories or something?
Angelo
>Therefore, files in other peoples directories must also follow the same
>constraints.
>
>Since my cracking script runs as the httpd daemon user, anything the httpd
>daemon can read, my script can read.
>
>It appears that PHP has some ways of addressing this, and I imagine Perl
>does too. But since it's possible to write CGI programs using shell
>scripting, C, or any language the host provides, the restriction should
>really be handled in the web server itself.
>
>jed
>
>
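What the two posts are actually arguing about can be checked mechanically. A script started by the web server runs as the httpd user ("nobody" here), which owns none of the files under another account and shares no group with them, so the only bits that matter are the "other" bits, and not just on the file: every directory on the path must also be searchable (o+x). The script below is an added example, not code from either poster; it builds a constructed sample home directory (the file names and modes are made up for illustration) and lists what such a script could read, pruning subtrees that the httpd user could not enter at all.

```shell
#!/bin/sh
# Added example, not part of the original thread. Lists the files under a
# directory that a process in the "other" class (e.g. a PHP/CGI script
# running as the httpd user "nobody") could actually read.
#
# A file is reachable only if it is o+r AND every directory on the path
# to it is o+x. find(1) evaluates the expression on the start directory
# too, so a start directory without o+x yields nothing, and directories
# without o+x are pruned together with everything beneath them.
reachable_by_others() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# Number of reachable files, for quick checks.
count_reachable() {
    reachable_by_others "$1" | wc -l | tr -d ' '
}

# Return 0 if every ancestor of DIR (up to /) is o+x. A parent directory
# without o+x (a 0700 /home/alice, say) blocks the whole subtree no
# matter what the modes beneath it look like. Mode bits are tested with
# find -perm rather than test -r so the result does not depend on who
# runs this audit (root can read everything, which would hide the point).
ancestors_searchable_by_others() {
    p=$(cd "$1" && pwd -P) || return 1
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        # -prune stops find at p itself; p is printed only if it lacks o+x
        [ -z "$(find "$p" -prune ! -perm -001 -print)" ] || return 1
    done
}

# Build a constructed sample home directory (not real data) and print its
# path. The home itself is 0711: "nobody" cannot list it (ls fails), but
# can still open a file inside it whose name it already knows, which is
# why knowing the exact path matters.
#   public_html/index.html   0644  world-readable, reachable
#   public_html/config.php   0600  owner-only, not reachable
#   private/notes.txt        0644  world-readable, but private/ is 0700
#   .bash_history            0600  owner-only, not reachable
make_demo_home() {
    root=$(mktemp -d) && chmod 711 "$root" || return 1
    home="$root/alice"
    mkdir -p "$home/public_html" "$home/private" || return 1
    printf '<html>hello</html>\n' > "$home/public_html/index.html"
    printf '<?php $dbpass = "secret"; ?>\n' > "$home/public_html/config.php"
    printf 'draft\n' > "$home/private/notes.txt"
    printf 'cd /etc\n' > "$home/.bash_history"
    chmod 711 "$home"
    chmod 755 "$home/public_html"
    chmod 700 "$home/private"
    chmod 644 "$home/public_html/index.html" "$home/private/notes.txt"
    chmod 600 "$home/public_html/config.php" "$home/.bash_history"
    printf '%s\n' "$home"
}

# Stand-alone demo: build the tree, report, clean up.
demo_home=$(make_demo_home)
echo "files under $demo_home that the httpd user could read:"
reachable_by_others "$demo_home"
if ancestors_searchable_by_others "$demo_home"; then
    echo "(all parent directories are o+x, so those paths are really reachable)"
else
    echo "(a parent directory lacks o+x, so nothing under it is reachable)"
fi
rm -rf "$(dirname "$demo_home")"
```

Run against a real home directory, the output is the list of files a hostile PHP or CGI script on the same server can read by path, independent of the language it is written in. The restriction Angelo asks about at the end does exist on the PHP side: the `open_basedir` directive limits a script's file operations to the listed directory trees and can be set per virtual host or directory in Apache (`php_admin_value open_basedir ...`), but it applies only to PHP; for CGI programs in other languages the equivalent is running them under the user's own uid (Apache's suexec), which is what the "suid for a certain user" remark refers to.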