Serious Security Issue

Discussion in 'Security' started by westhost-neil, Nov 9, 2005.

  1. westhost-neil

    Hello,

    I've found a serious security problem with the way my server is set up and I don't know how to cure it.

    The issue is as follows:

    Any user on my server can easily gain access to my files using PHP (and maybe Perl).

    I've created a test script in a customer's account which contains the following command:
    exec('cp /home/myacct/public_html/index.php /home/useracct/public_html/index.php');

    Now when the user uses the following:

    https://www.mydomain.com/~useracct/script.php (Note the https, this does not work on http).

    When I check, the file has been successfully copied. If someone can do this, then it wouldn't take much more work to copy a configuration file containing usernames and passwords.

    I've checked WHM and mod_userdir Protection and php open_basedir Protection are both enabled and no user is excluded.

    The only solution I can think of to get around this problem is to create a new account for myself and redirect the main domain name to a new one.

    A workaround/solution would be very much appreciated.

    Regards

    Neil Westlake
     
  2. NightStorm

    Disable access to the system exec command via php.ini
     
  3. chirpy

    Yup. Welcome to shared web hosting ;) You should make sure that you enable WHM > Tweak Security > open_basedir protection. You could disable some of the php functionality, but that's extremely easy to work around, or just using perl makes it pointless. You should also consider using phpsuexec which will help, and run:

    /scripts/enablefileprotect
     
  4. westhost-neil

    Nightstorm / Chirpy,

    Thank you for your replies.

    This is not really an option as it's required for certain accounts that use a specific payment gateway.

    Already done that.

    Did that from day 1.

    What exactly does this do? I would assume it sets the correct permissions?

    OK, the fact that Chirpy has replied without a solution would suggest that one doesn't exist, which is fine; as long as I now know about the vulnerability I can work around it.

    Regards

    Neil Westlake
     
    #4 westhost-neil, Nov 9, 2005
    Last edited: Nov 9, 2005
  5. budway

    Actually pretty easy to block this from mod_sec.


    (Use it at your OWN RISK)

    Example:

    SecFilterSelective THE_REQUEST "exec('cp /home/*"
    SecFilterSelective THE_REQUEST "exec('cp /home/* /home/*"

    This should give you some time!

    This will block any script using the command (cp) with the /home/ path. The user can use /../ though, but I don't yet know if he can exploit through the (../../../) path.


    Any way good luck!!
     
    #5 budway, Nov 9, 2005
    Last edited: Nov 9, 2005
  6. chirpy

    IIRC, that won't stop it at all and is a very bad way to try and block such things as it adds load to apache when there are much simpler and (performance wise) cheaper ways of doing it.
     
  7. techniman

    Just use phpsuexec, then your .php files don't need to be world readable, so other users on the same system have no access to them.
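
The replies above turn on file modes: a script in one account can copy another account's file only if that file is readable by other users and every directory above it lets them traverse. The following is an added example, not part of the thread and not cPanel code, that audits a hosting root for such files. The suffix list, the /home-style layout and the account name lockedacct are assumptions, and the sample tree is constructed.

```python
import os
import stat
import tempfile

SCRIPT_SUFFIXES = (".php", ".inc", ".pl", ".cgi")  # assumed list of sensitive file types

def others_can_reach(path, root):
    """True if every directory from root down to path's parent has the o+x bit."""
    root = os.path.abspath(root)
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return False          # a closed directory blocks access below it
        if parent == root or parent == os.path.dirname(parent):
            return True
        parent = os.path.dirname(parent)

def audit(root):
    """Sorted script files under root that another local user could read.
    Only the 'other' permission bits are checked; group bits and ACLs are ignored."""
    exposed = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if (name.endswith(SCRIPT_SUFFIXES) and stat.S_ISREG(mode)
                    and mode & stat.S_IROTH and others_can_reach(full, root)):
                exposed.append(full)
    return sorted(exposed)

def build_sample(base):
    """Constructed tree: (account, home dir mode, config file mode)."""
    layout = (("myacct", 0o711, 0o644),      # world-readable file: exposed
              ("useracct", 0o711, 0o600),    # owner-only file: safe
              ("lockedacct", 0o700, 0o644))  # readable file, closed home: safe
    for acct, dir_mode, file_mode in layout:
        web = os.path.join(base, acct, "public_html")
        os.makedirs(web)
        cfg = os.path.join(web, "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>")
        os.chmod(cfg, file_mode)
        os.chmod(web, 0o755)
        os.chmod(os.path.join(base, acct), dir_mode)
    os.chmod(base, 0o755)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in audit(build_sample(tmp)):
            print("readable by other users:", path)
```

On a real server, pass the hosting root (for example /home) to audit() as a user allowed to stat every account.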
     