Re: [BUGTRAQ] php breaks safe mode

[H D Moore <hdm () secureaustin com>]

On Thursday 05 July 2001 05:11 am, Raptor wrote:
> What do you exactly intend with "minor impact"? A user with the uid of the
> webserver can at least kill the webserver itself... This should definitely
> be an issue for a web hosting provider.

<? system("killall -9 httpd"); ?>

Not completely true.  Apache's master process still runs as root, someone 
with access as the web user could kill the child processes which are passed 
new requests, but they would be restarted.

The more insidous problem with using PHP (module) on an Apache setup is that 
any user can access the scripts of any other user account.  The web server 
user needs reads access to every file to serve it, the Apache process runs 
every user's code under the same account (unless its compiled as a CGI and 
suexec is setup, but that causes its own problems), allowing someone to 
go through the database of a ecom company hosted on the same server quite 
easily. I have seen cases where an attacker would purchase an account (via 
stolen CC of course) on the server of their target, then use the "nobody" 
account to access all of their data (or simply spawn a shell, break root, and 
really own them). I wonder if VirtualHost based user/group directives would 
keep this from happening, does anyone on the list know of a way to protect 
against this?

-HD