The Community Forums


PHP security problem; user can view all domains on the server

Discussion in 'Security' started by Tagor, Feb 26, 2005.

  1. Tagor

    Tagor Well-Known Member

    Hi,

    I found the following option so that people can view all domains on the server. Is there a way to secure this without having to enable php safemode? And without having to block every single command?

    First use system("ps -aux"); to view all processes. Then use system("lsof -p 000"); to view the information of a process. That shows the path to all log files of all websites on the server.
     
  2. f0urtyfive

    f0urtyfive Member

    This is just how Linux works, if you don't trust your clients... Without safemode I don't think there is a way...

    If you want something more interesting, try this:

    PHP:
    <?php
    echo nl2br(`cat /usr/local/apache/conf/httpd.conf`);
    echo nl2br(`cat /etc/passwd`);
    ?>

    (Backticks do the same as shell.)
     
  3. chirpy

    chirpy Well-Known Member

    Indeed, welcome to shared web hosting, there is nothing at all you can do about it other than to secure your server properly and use a supported OS. They will still be able to get the information, but they won't be able to do much with it. Oh, and enabling phpsuexec will help with php scripts a bit, but there are implications in doing so.
     
  4. Tagor

    Tagor Well-Known Member

    Have you both secured your servers for such commands?

    And how about mod_security?
     
  5. f0urtyfive

    f0urtyfive Member

    Mod_security, from what it looks like, is for blocking attacks through URLs and checking POST data for attacks. This isn't really even an attack, it's what shelled users are ALLOWED to do on Linux systems. If you think someone having a list of your domains is a "security issue" then you're going to have bigger problems than that. (That info can easily be gotten without going anywhere near your server.) If you're afraid of it so much, turn of PHP safemode, or if you just don't want users going out of their directory use basedir, but you're not going to stop people from using shell and backticks without turning on safemode (and then there's CGI to worry about).
     
  6. DigitalN

    DigitalN Well-Known Member

    Linux is a multi user OS - as has been mentioned, many ways to get information.

    Oh and being able to read /etc/passwd isn't really much of a security threat, and services need to be able to read that file in order to run.
    As long as your /etc/shadow file isn't readable by others than root, /etc/passwd is useless really and you can get that info elsewhere. There was a problem with cPanel a while ago, where cPanel created a /etc/shadow.tmpeditlib and that was a copy of shadow and it was chmod 644 ;) That has been fixed since cPanel 7 though :)

    Don't be paranoid, but do secure the box, mod security can be used to prevent accesses to files like passwd etc and others, so that stops a lot of remote php script hacking, where the kiddies view files via their web browser, but local users have a few more ways to view what they want to, without using php.
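
An added example, not part of the post above or of cPanel: a check for the condition described there, a copy of the shadow file (such as shadow.tmpeditlib) left readable by every local user. The function name and the scratch-directory sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag shadow-style files that any
# local user can read, e.g. a stale copy of /etc/shadow left at mode 644.

# audit_shadow_perms DIR   (hypothetical helper name)
#   Prints one "WORLD-READABLE <path>" line for every regular file in DIR
#   whose name starts with "shadow" and has the other-read bit set.
#   Returns 0 when nothing is flagged, 1 otherwise.
#   Group read is not flagged: some distributions give a dedicated
#   group read access to /etc/shadow on purpose.
audit_shadow_perms() {
    dir=${1:-/etc}
    hits=$(find "$dir" -maxdepth 1 -type f -name 'shadow*' -perm -004 2>/dev/null | sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/WORLD-READABLE /'
    return 1
}

# Constructed sample: a scratch directory standing in for /etc.
demo_dir=$(mktemp -d)
: > "$demo_dir/shadow";            chmod 600 "$demo_dir/shadow"
: > "$demo_dir/shadow.tmpeditlib"; chmod 644 "$demo_dir/shadow.tmpeditlib"
: > "$demo_dir/passwd";            chmod 644 "$demo_dir/passwd"

# Only the 644 copy is reported; passwd is world-readable by design.
audit_shadow_perms "$demo_dir" || echo "review: chmod 600 the file or remove the stale copy"
rm -rf "$demo_dir"
```

On a real host the call is `audit_shadow_perms /etc`, and the non-zero return makes it usable from cron or a monitoring check.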
     
  7. chirpy

    chirpy Well-Known Member

    Indeed. Which is why trying to block certain methods (such as certain PHP commands) is a relatively pointless exercise with local users. That's security through obscurity and it is trivial to bypass. Nothing beats sound Linux security and a good AUP to throw at people if they misbehave.
     
  8. Tagor

    Tagor Well-Known Member

    Ok, thanks for the helpful information. Well, I thought it would be a security risk. But people can also get the domains on the server by using whois.sc for example.
     
  9. StevenC

    StevenC Well-Known Member

     
  10. f0urtyfive

    f0urtyfive Member

    I believe so, why?
     
  11. chirpy

    chirpy Well-Known Member

    Indeed. As I said before, even if you disabled those functions within PHP, you're still barking up the wrong tree, since you could run a two line perl script to do the same, which you cannot restrict.
     