Vulnerability Development mailing list archives
Re: apache + .htpasswd - bypass pwd check
From: Jedi/Sector One <j () pureftpd org>
Date: Fri, 26 Apr 2002 18:19:45 +0159
On Thu, Apr 25, 2002 at 12:19:45PM -0400, Jose Nazario wrote:
> summary: Options -FollowSymLinks +SymLinksIfOwnerMatch or something similar

Please note that it is safe only if all scripts (PHP, Perl, etc.) are running with user privileges. If the suexec wrapper isn't active, or if PHP doesn't run in CGI mode, files created by scripts will be owned by the server uid (usually nobody).

There are plenty of free PHP and Perl scripts that come with an "installer". People upload a package to the server, browse to a URL to launch the installation script, answer a few questions, and files are automatically copied into the proper locations. These files typically contain passwords for SQL databases, and once copied by the installation script, they belong to nobody.

+SymLinksIfOwnerMatch doesn't prevent users from creating a script that will create a symbolic link to some other customer's files as nobody. Owners will match.

All symbolic links can be forbidden (-FollowSymLinks and nothing else). But hard links are worse. Apache will follow them regardless of your configuration files. As a lot of customers are using the same packages, it's quite easy to find out what files have to be linked.

So, to sleep more quietly:

- Use suexec.
- Use PHP safe_mode if you really can't run PHP in CGI mode.
- Place users' home directories in unguessable locations (/users/B67h6768/9dqzsu_-zeu/_6p+/john/, with no read attribute on any of the directories).

--
Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>
Secure FTP Server: http://www.PureFTPd.Org/
Misc. free software: http://www.Jedi.Claranet.Fr/
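As an added example (not code from Frank Denis's message, nor from Apache), a small shell audit that looks for the two link cases the message describes: symlinks under a web root that resolve outside it, and files whose hard-link count is above one, which no Options directive can block. It assumes GNU coreutils (readlink -f) and a find(1) that supports -links; the directory layout is a constructed fixture.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a web root for the two
# link cases discussed above. Symlinks are compared against the resolved
# root; hard links are found by link count, since Apache's Options
# directives never apply to them. Assumes GNU coreutils readlink -f.

# Print every symlink under $1 whose resolved target lies outside $1.
find_escaping_symlinks() {
    root=$(readlink -f "$1")
    find "$root" -type l | while read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$root"/*) ;;                                   # stays inside: fine
            *) printf 'symlink %s -> %s\n' "$link" "${target:-<dangling>}" ;;
        esac
    done
}

# Print every regular file under $1 with a hard-link count above one.
find_hardlinked_files() {
    find "$1" -type f -links +1 | sed 's/^/hardlink /'
}

# Number of findings for $1, usable as a cron or CI gate (0 means clean).
audit_webroot() {
    { find_escaping_symlinks "$1"; find_hardlinked_files "$1"; } | wc -l | tr -d ' '
}

# Constructed fixture (not a real server): two customers under one parent,
# with the link situations the thread describes planted in alice's docroot.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/alice/htdocs" "$demo/bob/htdocs"
printf 'db_pass=example\n' > "$demo/bob/htdocs/config.php"
printf 'hello\n' > "$demo/alice/htdocs/index.html"
ln -s ../../bob/htdocs/config.php "$demo/alice/htdocs/sym_outside"  # leaves the docroot
ln -s index.html "$demo/alice/htdocs/sym_inside"                     # harmless
ln "$demo/bob/htdocs/config.php" "$demo/alice/htdocs/hard_outside"  # hard link, nlink=2

for dir in "$demo/alice/htdocs" "$demo/bob/htdocs"; do
    echo "== $dir: $(audit_webroot "$dir") finding(s)"
    find_escaping_symlinks "$dir"
    find_hardlinked_files "$dir"
done
```

The hard-link check reports bob's own config.php too, since the link count is a property of the inode, not of the directory it was found in; that is the signal to investigate who else holds a link to it.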
Current thread:
- apache + .htpasswd - bypass pwd check Hallberg Tom (Apr 25)
- RE: apache + .htpasswd - bypass pwd check Golden_Eternity (Apr 26)
- RE: apache + .htpasswd - bypass pwd check RSnake (Apr 26)
- Re: apache + .htpasswd - bypass pwd chec Jonas (Apr 28)
- RE: apache + .htpasswd - bypass pwd check RSnake (Apr 26)
- Re: apache + .htpasswd - bypass pwd check Jose Nazario (Apr 26)
- Re: apache + .htpasswd - bypass pwd check Jedi/Sector One (Apr 26)
- Re: apache + .htpasswd - bypass pwd check RSnake (Apr 26)
- Re: apache + .htpasswd - bypass pwd check Jedi/Sector One (Apr 26)
- Re: apache + .htpasswd - bypass pwd check Sten (Apr 28)
- Re: apache + .htpasswd - bypass pwd check Jedi/Sector One (Apr 26)
- RE: apache + .htpasswd - bypass pwd check Golden_Eternity (Apr 26)