Downloading of others log files (security alert?)

[MattF]

When I ftp to my user account with [email protected] I was able to view and download all accounts log files (excluding ftp logs). Correct me if I'm wrong but isnt this very serious, I could generate a map of someone site and if any information is sent via GET such as passwords or credit card info I could grab this from the logs.

 

[Redman]

Just a thought, but shouldn't you email this to Nick instead of posting it on a public forum for everyone to see and possibly exploit?

 

[Elena]

I brought this up with my provider in July. You can stop this from happening by removing world read access (I think chmod 711) for /usr/local/apache/domlogs

It's only a security issue if you let it be one. :p
But you should mail Nick about it anyway... it would be nice if each user only had access to their own logs through this feature (dedicated IP clients have this, the users that see what MattF explained are IP-less accounts).

Redman, it's not really an exploit.. if the domlogs directory doesn't have the correct permissions then any user can get there though the shell.

 

[carperman]

Quote
I brought this up with my provider in July. You can stop this from happening by removing world read access (I think chmod 711) for /usr/local/apache/domlogs
/quote


this stops users from not only seeing others logs but their own!!

 

[Elena]

They can still download the rawlog from the cpanel (just not through this, what I see as unnecessary, FTP option).

 

[MattF]

The problem with my /usr/local/apache/domlogs where that http access logs were set as root.root or similar ownership, is that just my setup?. Hence the soluton to set to 711 would disable any point of FTP access for logs, because no one would be able to download the logs, its closes the problem but disables the feature?. I have several clients that use FTP to download the logs hence why I pointed it out and have written a little script (see my other thread) which corrects the problem