Huge hole in apache webservers..
bsema01 (External; member since Aug 26, 2003; 9 posts)

(Msg. 1) Posted: Fri Sep 12, 2003 4:21 am
Post subject: Huge hole in apache webservers..
Archived from groups: alt>www>webmaster

Greetings everyone,

This is slightly off topic but I wanted some opinions.

Normally, I'm a web designer; however, in an ongoing attempt to further
my skills, I decided to take on more ability to do RedHat admin stuff,
so that I can learn the ins and outs, yada, yada, yada..

So, I set up a RH9 linux box on my local network at my office. Enabled
httpd, php, mySQL, sshd, ftpd, and so on. First thing to do is create
some accounts (just like my ISP), and log in with these accounts just
like a client would. I set up starting index.html pages and tested
them out. First off... each account got the 403 forbidden page? humm..
looked at the permissions, and each account is given only 'rwx' (read,
write, execute) for their directories only.. Ok, if I set the 'rwx'
permissions for world read, wouldn't this open up each user's directories
so that anyone can get in, and look around? How are you supposed to set
up directories that the apache httpd can look through, but not the users??

Something seems horribly wrong here?? Since the apache web server is
only given a standard user access (just like another user) then you
have to give your directories standard user read also?? How the heck do
you hide anything, such as databases, php source files, cgi scripts??

To test my theory, I logged into my company's virtual host ISP using
ssh. I was horrified to discover that I could go in and out of hundreds
of virtual web sites simply by going:

/home/some_virtual_site/public_html/

It didn't take me a second before doing a 'vi' on a .php file to simply
look at the mySQL db user/password names.. using these db's couldn't I
just look through these to find credit card info and data??

I don't get it? Am I missing something? How the heck does anyone
expect to run an ecommerce site when it's so insecure?

-Richard

sholden (External; member since Jul 25, 2003; 18 posts)

(Msg. 2) Posted: Fri Sep 12, 2003 4:49 am
Post subject: Re: Huge hole in apache webservers..
Archived from groups: per prev. post

On Fri, 12 Sep 2003 01:21:53 GMT, Richard Ragon <bsema01.DeleteThis@hanaho.com> wrote:
 > Greetings everyone,
 >
 > This is slightly off topic but I wanted some opinions.
 >
 > Normally, I'm a web designer; however, in an ongoing attempt to further
 > my skills, I decided to take on more ability to do RedHat admin stuff,
 > so that I can learn the ins and outs, yada, yada, yada..
 >
 > So, I set up a RH9 linux box on my local network at my office. Enabled
 > httpd, php, mySQL, sshd, ftpd, and so on. First thing to do is create
 > some accounts (just like my ISP), and log in with these accounts just
 > like a client would. I set up starting index.html pages and tested
 > them out. First off... each account got the 403 forbidden page? humm..
 > looked at the permissions, and each account is given only 'rwx' (read,
 > write, execute) for their directories only.. Ok, if I set the 'rwx'
 > permissions for world read, wouldn't this open up each user's directories
 > so that anyone can get in, and look around? How are you supposed to set
 > up directories that the apache httpd can look through, but not the users??

You don't. The directories should be at least:

rwx-----x

and files:

rwx---r-x

 > Something seems horribly wrong here?? Since the apache web server is
 > only given a standard user access (just like another user) then you
 > have to give your directories standard user read also?? How the heck do
 > you hide anything, such as databases, php source files, cgi scripts??

You don't. That's how shared hosting works.

PHP has a "safe_mode" that restricts its access to the web tree. And
a chroot jail can be used to lock users into their own home directories
when they use ssh. But there is usually a way around such restrictions,
via CGI, for example.

 > To test my theory, I logged into my company's virtual host ISP using
 > ssh. I was horrified to discover that I could go in and out of hundreds
 > of virtual web sites simply by going:
 >
 > /home/some_virtual_site/public_html/
 >
 > It didn't take me a second before doing a 'vi' on a .php file to simply
 > look at the mySQL db user/password names.. using these db's couldn't I
 > just look through these to find credit card info and data??

You would hope not. Such data should not be used with shared hosting
accounts.


 > I don't get it? Am I missing something? How the heck does anyone
 > expect to run an ecommerce site when it's so insecure?

You don't run ecommerce sites on shared hosting setups, for that very reason.

CGI scripts can be set up to execute as the owner, which allows them
to be group and world non-readable, with the suexec system that Apache uses.
But that can lead to other problems, and CGI scripts can be a bottleneck.

--
Sam Holden
ngx (External; member since Jun 28, 2003; 578 posts)

(Msg. 3) Posted: Fri Sep 12, 2003 10:13 am
Post subject: Re: Huge hole in apache webservers..
Archived from groups: per prev. post

Sam Holden wrote:
 > On Fri, 12 Sep 2003 01:21:53 GMT, Richard Ragon <bsema01 RemoveThis @hanaho.com>
 > wrote:
  >> ...
  >> Something seems horribly wrong here?? Since the apache web server is
  >> only given a standard user access (just like another user) then you
  >> have to give your directories standard user read also?? How the
  >> heck do you hide anything, such as databases, php source files, cgi
  >> scripts??
 >
 > You don't. That's how shared hosting works.
 > ...

/coughs - to attract attention

ever considered there might be a better way - outside of LAMP setups?

--
NT5 - Shared hosting without pain ;o)

William Tasso - http://WilliamTasso.com
sholden (External; member since Jul 25, 2003; 18 posts)

(Msg. 4) Posted: Fri Sep 12, 2003 10:26 am
Post subject: Re: Huge hole in apache webservers..
Archived from groups: per prev. post

On Fri, 12 Sep 2003 07:13:49 +0100, William Tasso <ngx.TakeThisOut@tbdata.com> wrote:
 > Sam Holden wrote:
  >> On Fri, 12 Sep 2003 01:21:53 GMT, Richard Ragon <bsema01.TakeThisOut@hanaho.com>
  >> wrote:
   >>> ...
   >>> Something seems horribly wrong here?? Since the apache web server is
   >>> only given a standard user access (just like another user) then you
   >>> have to give your directories standard user read also?? How the
   >>> heck do you hide anything, such as databases, php source files, cgi
   >>> scripts??
  >>
  >> You don't. That's how shared hosting works.
  >> ...
 >
 > /coughs - to attract attention
 >
 > ever considered there might be a better way - outside of LAMP setups?

Yes, but the OP was talking about that particular setup. And that's
how it works.

--
Sam Holden
blogan (External; member since Jun 30, 2003; 285 posts)

(Msg. 5) Posted: Sat Sep 13, 2003 10:48 am
Post subject: Re: Huge hole in apache webservers..
Archived from groups: per prev. post

"Richard Ragon" <bsema01 DeleteThis @hanaho.com> wrote in message
news:Rc98b.1522$Gy4.60@newssvr29.news.prodigy.com...
 > Greetings everyone,
 >
 > This is slightly off topic but I wanted some opinions.
 >
 > Normally, I'm a web designer; however, in an ongoing attempt to further
 > my skills, I decided to take on more ability to do RedHat admin stuff,
 > so that I can learn the ins and outs, yada, yada, yada..
 >
 > So, I set up a RH9 linux box on my local network at my office. Enabled
 > httpd, php, mySQL, sshd, ftpd, and so on. First thing to do is create
 > some accounts (just like my ISP), and log in with these accounts just
 > like a client would. I set up starting index.html pages and tested
 > them out. First off... each account got the 403 forbidden page? humm..
 > looked at the permissions, and each account is given only 'rwx' (read,
 > write, execute) for their directories only.. Ok, if I set the 'rwx'
 > permissions for world read, wouldn't this open up each user's directories
 > so that anyone can get in, and look around? How are you supposed to set
 > up directories that the apache httpd can look through, but not the users??

Set up Apache as nobody and chmod all files to 700.


 > Something seems horribly wrong here?? Since the apache web server is
 > only given a standard user access (just like another user) then you
 > have to give your directories standard user read also?? How the heck do
 > you hide anything, such as databases, php source files, cgi scripts??

Run PHP as a CGI with user = siteowner.

DBs are stored outside the doc root - usually on a shared system even the 'owner'
cannot get direct access - only through scripts or an interface like
phpMyAdmin - all of which require username/password, which of course will
only give access to the user's stuff.
 >
 > To test my theory, I logged into my company's virtual host ISP using
 > ssh. I was horrified to discover that I could go in and out of hundreds
 > of virtual web sites simply by going:
 >
 > /home/some_virtual_site/public_html/
 >
 > It didn't take me a second before doing a 'vi' on a .php file to simply
 > look at the mySQL db user/password names.. using these db's couldn't I
 > just look through these to find credit card info and data??
 >
 > I don't get it? Am I missing something? How the heck does anyone
 > expect to run an ecommerce site when it's so insecure?

The problem is not with Apache, it is with the way some hosts set up their
system!

For e-commerce sites the level of share should not go beyond VPS. This way
each site hosted runs its own Apache server as its root (not su) Id. and
others on the same machine do not have access.
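The permission model from Sam's reply (Msg. 2: rwx-----x directories, files readable by the httpd user, or suexec so files can be owner-only) and blogan's "run PHP as a CGI with user = siteowner" (Msg. 5), as an added audit script that is not from this thread: it walks a web tree and reports what "other" (the httpd user and every other customer's shell account) can list, traverse or read, run over a constructed two-customer tree with hypothetical users alice (mod_php layout) and bob (PHP as CGI under his own uid).

```python
import os
import shutil
import stat
import tempfile

# "other" = accounts that are neither owner nor group member: on a shared mod_php host that is the httpd user and every other customer.
OTHER_READ, OTHER_EXEC = stat.S_IROTH, stat.S_IXOTH

def audit_tree(root):
    """Return a sorted list of (path relative to root, finding) describing
    what 'other' can do with each directory and file below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if mode & OTHER_READ:     # anyone can ls it
                findings.append((os.path.relpath(path, root), "dir listable by other"))
            elif mode & OTHER_EXEC:   # rwx--x--x: reachable by exact name only
                findings.append((os.path.relpath(path, root), "dir traversable by other"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & OTHER_READ:
                findings.append((os.path.relpath(path, root), "file readable by other"))
    return sorted(findings)

def build_demo_tree(base):
    """Constructed sample with hypothetical customers alice and bob. alice uses
    the mod_php layout: httpd reads config.php as its own user, so the file must
    be readable by other (and hence by every shell user). bob runs PHP as CGI
    under his own uid (suexec style), so config.php can be 0600. Dirs are 0711."""
    for user, config_mode in (("alice", 0o644), ("bob", 0o600)):
        home = os.path.join(base, user)
        docroot = os.path.join(home, "public_html")
        os.makedirs(docroot)
        config = os.path.join(docroot, "config.php")
        with open(config, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-example'; ?>\n")
        os.chmod(config, config_mode)
        os.chmod(docroot, 0o711)
        os.chmod(home, 0o711)
    return base

def run_demo():
    base = tempfile.mkdtemp()   # audit the sample tree, then remove it
    try:
        return audit_tree(build_demo_tree(base))
    finally:
        shutil.rmtree(base)
```

Pointing audit_tree at a real /home on a shared box lists every config file a neighbouring shell account can read; only the entries under bob's layout stay out of the report.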