The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Downloading of others log files (security alert?)

Discussion in 'Security' started by MattF, Oct 2, 2002.

  1. MattF

    MattF Active Member

    Joined:
    May 5, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    When I ftp to my user account with username_logs@mydomain.com I was able to view and download all accounts log files (excluding ftp logs). Correct me if I'm wrong but isnt this very serious, I could generate a map of someone site and if any information is sent via GET such as passwords or credit card info I could grab this from the logs.
     
  2. Redman

    Redman Member

    Joined:
    Jul 7, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Just a thought, but shouldn't you email this to Nick instead of posting it on a public forum for everyone to see and possibly exploit?
     
  3. Elena

    Elena Well-Known Member

    Joined:
    Aug 10, 2001
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    California
    I brought this up with my provider in July. You can stop this from happening by removing world read access (I think chmod 711) for /usr/local/apache/domlogs

    It's only a security issue if you let it be one. :p
    But you should mail Nick about it anyway... it would be nice if each user only had access to their own logs through this feature (dedicated IP clients have this, the users that see what MattF explained are IP-less accounts).

    Redman, it's not really an exploit.. if the domlogs directory doesn't have the correct permissions then any user can get there though the shell.
     
  4. carperman

    carperman Well-Known Member

    Joined:
    Feb 7, 2002
    Messages:
    150
    Likes Received:
    0
    Trophy Points:
    16
    Quote
    I brought this up with my provider in July. You can stop this from happening by removing world read access (I think chmod 711) for /usr/local/apache/domlogs
    /quote


    this stops users from not only seeing others logs but their own!!
     
  5. Elena

    Elena Well-Known Member

    Joined:
    Aug 10, 2001
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    California
    They can still download the rawlog from the cpanel (just not through this, what I see as unnecessary, FTP option).
     
  6. MattF

    MattF Active Member

    Joined:
    May 5, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    The problem with my /usr/local/apache/domlogs where that http access logs were set as root.root or similar ownership, is that just my setup?. Hence the soluton to set to 711 would disable any point of FTP access for logs, because no one would be able to download the logs, its closes the problem but disables the feature?. I have several clients that use FTP to download the logs hence why I pointed it out and have written a little script (see my other thread) which corrects the problem
     
Loading...
Similar Threads - Downloading others log
  1. tecwithquestion
    Replies:
    1
    Views:
    865

Share This Page