#1 Member (joined May 2003, 8 posts)

User with simple script can read and list file

Hello,
I have posted the same question on the RS forum; this is my question.
I have been using cPanel for some months, but only for one large site. Yesterday, with a simple Perl script, this one http://brawl-hall.com/pages/downloads/telnet.tar.gz, I noticed that everyone can read the password file from the browser, list the /etc directory and more. I have never studied cPanel a lot, but since I'm going to launch a free hosting service that uses MySQL authentication also for proftpd, I have seen that everyone can read the password in /etc/proftpd.conf. I'm a bit confused: is it possible that cPanel doesn't have a feature to chroot every account? I have searched this forum, but no luck. The idea of letting every user read the files on my machine is terrible. Any suggestions are very welcome.
Thanks in advance.

#2 jdp (Member, joined Apr 2004, 14 posts)

I just noticed the same thing myself today. This is a MAJOR SECURITY PROBLEM!

The files in /etc/proftpd were all set world readable! These files contain an exact copy of the system passwords for each user, so anyone with shell access could log in, download the password files, crack them, and gain access.

I did a simple

    cd /etc/proftpd
    chmod 640 *
    chmod 660 passwd.vhosts

to correct the problem, at least for now, but this is a major issue that should not be overlooked!
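The audit-and-fix that the chmod sequence above performs, as an added shell example that is not part of this thread or of cPanel. It builds a constructed scratch copy of the /etc/proftpd layout (two files, left world-readable, with a made-up password hash) so it can be run without touching the real system; the function names, the sample file contents and the scratch-directory approach are assumptions of the example. On a real server you would point `tighten_dir` at /etc/proftpd instead.

```shell
#!/bin/sh
# Added example (not from the thread): find world-readable files under a
# directory and apply the same tightening as the poster's chmod sequence.
# The directory is a parameter so the check can be exercised on a scratch copy.

# Print every regular file under $1 whose "other" read bit (0004) is set.
list_world_readable() {
    find "$1" -type f -perm -004
}

# Number of world-readable files under $1; 0 means the directory is clean.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Tighten every file to 640 (owner rw, group r, world nothing); the
# passwd.vhosts file additionally gets group write (660), as in the post.
tighten_dir() {
    dir=$1
    find "$dir" -type f -exec chmod 640 {} +
    if [ -f "$dir/passwd.vhosts" ]; then
        chmod 660 "$dir/passwd.vhosts"
    fi
}

# Constructed sample: a scratch directory laid out like /etc/proftpd with the
# files left world-readable (mode 644). The user line and hash are made up.
make_sample() {
    d=$(mktemp -d)
    printf 'user1:$1$saltsalt$FAKEHASHxxxxxxxxxxxxxx:1001:1001::/home/user1:/bin/false\n' \
        > "$d/passwd.vhosts"
    printf 'ServerName "ftp.example.test"\nAuthUserFile /etc/proftpd/passwd.vhosts\n' \
        > "$d/proftpd.conf"
    chmod 644 "$d"/*
    printf '%s\n' "$d"
}

# Stand-alone run: audit, fix, audit again, then clean up the scratch copy.
sample=$(make_sample)
echo "before: $(count_world_readable "$sample") world-readable file(s)"
tighten_dir "$sample"
echo "after:  $(count_world_readable "$sample") world-readable file(s)"
rm -rf "$sample"
```

After tightening the real directory, restart the FTP daemon and attempt a login: mode 640 only helps if the daemon still runs with a uid/gid that can read the files, so confirm that before leaving the change in place. Re-run `list_world_readable /etc/proftpd` after cPanel updates, since a package upgrade can reset the modes.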

#3 alex042 (Member, joined Sep 2003, 76 posts)

    What security do you have enabled?

suexec is supposed to help control CGI/Perl scripts, phpsuexec PHP scripts, safe_mode should prevent people from running some of those scripts, and open_basedir should confine people to their directories. Maybe a combination of these will keep your server more secure.

#4 jdp (Member, joined Apr 2004, 14 posts)

Originally posted by alex042:

    suexec is supposed to help control CGI/Perl scripts, phpsuexec PHP scripts, safe_mode should prevent people from running some of those scripts, and open_basedir should confine people to their directories. Maybe a combination of these will keep your server more secure.

That might very well help against attacks over the web, but when users have shell access all bets are off unless they are jailed into their home dirs.

#5 dgbaker (Moderator, cPanel Partner NOC, joined Sep 2002, Toronto, Ontario, Canada, 2,773 posts)

Your users should be jailed and not have pure SSH.
Regards,
David
Forum Moderator
