Re: apache + .htpasswd - bypass pwd check

From: RSnake (rsnakeat_private)
Date: Fri Apr 26 2002 - 14:07:05 PDT


    |   Please note that it is safe only if all scripts (PHP, perl, etc) are
    | running with user privileges.
    |
    |   If the suexec wrapper isn't active, or if PHP doesn't run in CGI mode,
    | files created by scripts will be owned by the server uid (usually nobody).
    |
    |   There are plenty of free PHP and Perl scripts that are coming with an
    | "installer". People upload a package to the server, browse a URL to launch
    | the installation script, answer a few questions, and files are automatically
    | copied into proper locations. These files typically contain passwords for
    | SQL databases, and once copied by the installation script, they belong to
    | nobody.
    |
    |   +SymlinksIfOwnerMatch doesn't prevent users from creating a script that
    | will create a symbolic link to some other customer's files as nobody. Owners
    | will match.
    |
    |   All symbolic links can be forbidden (-FollowSymlinks and nothing else).
    |
    |   But hard links are worse. Apache will follow them regardless of your
    | configuration files. As a lot of customers are using the same packages, it's
    | quite easy to find out what files have to be linked.
    |
    |   So, to sleep more quietly:
    |
    |  - Use suexec.
    |
    |  - Use PHP safe_mode if you really can't run PHP in CGI mode.
    |
    |  - Place users' home directories in unguessable locations
    | (/users/B67h6768/9dqzsu_-zeu/_6p+/john/ , with no read attribute on any of
    | the directories).
    
    	cd ~john
    
    	I don't have to know where it is.  Chrooted jails are the only way to go.
    
    RRrRRRr. | RSnake at shocking dot com                     0x7A69
    RR'  `RR | EHAP Founder / WebFringe.com Founder
    RR       | He who made kittens put snakes in the grass.
    RR       | DSS:5923 76D7 0EC2 4553 7195 442B 8596 4849 2AA6 1F64
    
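An added example, not from either poster: a small POSIX shell audit for the two conditions the quoted mail describes, files reachable through more than one hard link (which -FollowSymLinks cannot stop) and files owned by the server uid rather than the account owner (left behind by installer scripts running as nobody). It assumes a layout where each immediate subdirectory of ROOT is one customer's home or document root, and that the server runs as "nobody" unless told otherwise.

```shell
#!/bin/sh
# Audit per-customer web roots for the two problems discussed in the thread.
# Assumed layout: every immediate subdirectory of ROOT belongs to one customer.

# Print regular files under $1 whose link count is greater than 1.
# A customer's file appearing here may be a hard link into another
# customer's tree; -links is a POSIX find primary, so this is portable.
find_multilinked() {
    find "$1" -xdev -type f -links +1 2>/dev/null
}

# Print regular files under $1 owned by user $2 (default: nobody),
# i.e. files a script created with the server's uid instead of the owner's.
find_server_owned() {
    find "$1" -xdev -type f -user "${2:-nobody}" 2>/dev/null
}

# Walk every customer directory under $1 and tag each finding.
# $2 optionally overrides the server user name.
audit_docroots() {
    root=$1
    srv=${2:-nobody}
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        find_multilinked "$d" | sed "s|^|MULTILINK $d: |"
        find_server_owned "$d" "$srv" | sed "s|^|SERVER_OWNED $d: |"
    done
}
```

Run `audit_docroots /home` (or wherever the customer trees live) and review every MULTILINK hit by inode with `ls -i` to see which other tree shares it.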
    