The Community Forums


world-readable wp-config.php and configuration.php files (SuPHP)

Discussion in 'Security' started by BigLebowski, Jul 7, 2011.

  1. BigLebowski

    BigLebowski Well-Known Member

    hi there

    Fantastico appears to leave these files 644 on installation which allows any server user to obtain the database user password and plunder the application. Quite often the password is the Cpanel password which permits a full account rape. I don't know if these files have the universe read bits set following a standard Cpanel install using the "Software" section?

    Anyone any ideas on how to change the install so it chmods these 600 or 700 ?

    I am running Suphp so 600 or 700 work fine.

    Best
    Dude
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    How does 'any server user' get to and read this file's contents? The database password is auto generated by Fantastico, I've never noticed it being the same as the cPanel password.

    I'm assuming you have the PHPsuexec option set to installed in Fantastico settings?
     
  3. JeffP.

    JeffP. Well-Known Member

    The permissions on a user's public_html/ directory when using suphp should be 0750, user:nobody. This prevents any server user from wandering into other users' public_html/ directories and viewing world readable files. This is the default behavior when using suphp with cPanel. That's not to say that other attacks may not be possible, or that having a file world readable when it doesn't need to be is a good idea. I just wanted to clarify the permissions structure.
     
  4. BigLebowski

    BigLebowski Well-Known Member

    Thanks Jeff. I initially thought it was a vulnerability due to finding folders on hacked accounts full of tens of thousands of these entries:

    lrwxrwxrwx 1 simo5953 simo5953 43 Jul 9 10:37 zoec89994.txt -> /home/zoec8999/public_html/admin/config.php
    lrwxrwxrwx 1 simo5953 simo5953 41 Jul 9 10:37 zoec89995.txt -> /home/zoec8999/public_html/admin/conf.php
    lrwxrwxrwx 1 simo5953 simo5953 42 Jul 9 10:37 zoec89996.txt -> /home/zoec8999/public_html/conf_global.php
    lrwxrwxrwx 1 simo5953 simo5953 41 Jul 9 10:37 zoec89997.txt -> /home/zoec8999/public_html/include/db.php
    lrwxrwxrwx 1 simo5953 simo5953 38 Jul 9 10:37 zoec89998.txt -> /home/zoec8999/public_html/connect.php
    lrwxrwxrwx 1 simo5953 simo5953 38 Jul 9 10:37 zoec89999.txt -> /home/zoec8999/public_html/mk_conf.php
    lrwxrwxrwx 1 simo5953 simo5953 49 Jul 9 10:37 zoec8999.txt -> /home/zoec8999/public_html/vb/includes/config.php

    As you can see, they are "guesses" at locations of config files. This is presumably a powerful attack on servers running without SuPHP, but I agree, the links don't seem to benefit a hacker on a SuPHP server.

    I am still left with tens of Wordpress accounts hacked and only a handful of C99 type shells and mailers left in the hacker's wake. The Wordpress versions are 3.1.2 and 3.2 and the index pages modified tend to be in the themes folders. I don't think there's a general vulnerability in Wordpress or the themes, but we do run Fantastico and I note that vulnerabilities exist for that.

    Once a hacker has accessed one account and has gleaned all the Cpanel usernames (a simple task), what's to stop a scripted brute force attack from localhost on pop3 or ftp?

    Dude
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    How does one glean all cPanel usernames from one account?

    Wordpress on a non SuPHP server presumably has directories that are owned by nobody, correct? The wordpress owner uploads a theme or mod via the wp-admin and that php upload process changes the owner of the files and any directories the upload may create. We don't want nobody owning anything inside public_html.

    Do you by chance use CXS? ConfigServer eXploit Scanner (cxs)
     
  6. BigLebowski

    BigLebowski Well-Known Member

    I was using a shell the hackers left behind. There was a function called "list Cpanel users" or similar. I pressed the button and hey presto, a full list of users was presented.

    The box is not rooted. However I have a strong suspicion it is vulnerable to the Fantastico LFI vulnerability. If you like, I can probably find the shell and post it somewhere for you.

    Best
    Dude
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    No thanks, I've seen my share. I would not suggest you do something like that unless you're sure of what you're doing.

    It sounds like you do of course, I just want to mention here that hidden in those sorts of scripts may be lines of code that contain an email address to send details to. You might not see it if it's encoded but it can happen I would think.

    Checking those sorts of scripts out more closely should be done on a test server behind a firewall locked down tight.
     
  8. BigLebowski

    BigLebowski Well-Known Member

    hi there, I should point out I'm just browsing the shells using a web browser without any escalated privileges. The hacked accounts are riddled with them and the access logs show the hackers using them. Whatever I'm doing, they can do also.

    Do you have any more info re. the Fantastico LFI vulnerability? I am looking for a clear script or method to check for it but the links so far provide a general concept. Specifically, when I visit http://test.com:2082/fantasticopath/.... etc I'm just presented with a Cpanel login. Does the file inclusion still operate despite not entering valid Cpanel credentials?

    Also has Fantastico patched for this yet?

    Best
    Dude
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Are you speaking of this ?

    You cannot get to the .fantastico directory from your browser, it's outside public_html.
     
  10. BigLebowski

    BigLebowski Well-Known Member

    No, I have since determined the hack is via symbolic link.

    All it takes is one account to be hacked, eg fred.com. Hacker then creates a symbolic link to "/" such as 1.txt --> "/"
    He can then browse using a web browser http://test.com/1.txt/home/user/public_html/

    where "user" is any Cpanel account. Usernames are easily obtainable via http://test.com/1.txt/home/ and also via /etc/passwd which is world-readable. Permissions are:

    / - 755 - root.root
    /home - 755 - root.root
    /home/user - 711 - user.user
    /home/user/public_html - 750 - user.nobody

    This would not be a problem if all users' sensitive files were chmod 600. But on this server, Fantastico creates new WP installs using 644. Therefore all Wordpress installs can be plundered.

    I have scripted a chmod 600 on all wp-config.php which should help and am now doing Joomla (configuration.php)

    This is a SuPHP server.

    Best
    Dude
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
  12. BigLebowski

    BigLebowski Well-Known Member

    Tristan, this is not a Fantastico issue as far as I can see. It is a Linux file system vulnerability (we use CentOS; not sure about any other OS?). I am liaising with your Dave Lanning presently. The only workaround I can envisage is to put a wrapper around "ln" and chmod 600 all database config files in user areas on the server. Then perhaps put in place a cron to fix any configs the user changes.

    This is of concern for CPanel if any apps in the "Software" section set the universal read bit by default on database config files.

    Best
    Dude
     
  13. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    You had mentioned the following:

    Even if we do fix the Software installs we perform in that section for such scripts, this will not fix how Fantastico installs scripts for that 3rd party application. It isn't just a cPanel issue. It is an issue for any software automated to install with the permissions you've mentioned. If you want it fixed in Fantastico, then the makers of Fantastico would need to be informed of your concerns.
     
  14. abrakadabra

    abrakadabra Member

    Even though files are accessible by httpd through symlink, you can't see contents of script files (.php, etc.) from httpd, as they would only execute. You would need to use your php or cgi scripts with some file reading code in order to read contents of these files, however if you are running suPHP and suEXEC, you won't be able to read others' files, no matter what permissions they are, since you cannot go through others' public_html directory (750 user:nobody), as you ain't "user" nor "nobody" when you execute your scripts from your account/directory with suPHP or suEXEC in case of cgi.

    /home should be 711 root:root, if you are running suPHP.

    So, I don't see how others' wp-config.php even with permissions of 777 is exploitable when using suPHP and suExec.
     
  15. jimhermann

    jimhermann Active Member

    abrakadabra,

    SuPHP and SuExec do not appear to stop this exploit. They have used a .htaccess file to make the contents of the symlinked .php files viewable.

    Jim
     
  16. brianoz

    brianoz Well-Known Member

    Jim,

    That's a 12 month old thread that you've resurrected, very out of date now.

    The more recent discussion is at: http://forums.cpanel.net/f185/how-prevent-creating-symbolic-links-non-root-users-202242-p6.html
    With a patch at: http://forums.cpanel.net/f185/how-p...inks-non-root-users-202242-p2.html#post996441
    and also read the last few pages of the thread for discussion about permissions.

    The exploit links another account's config file in to the attacker's account with a .txt extension, so they don't actually need to change .htaccess at all to be able to see the contents.

    Theoretically, installatron and fantastico should also change permissions on their wp-config.php files etc, but they don't, or didn't last time I looked.

    This bug has been characterized by everyone passing the buck and refusing to fix it, cPanel included. At the end of the day thousands of servers are getting hacked here because of inaction from all the players concerned. Surprisingly, there are major hosts that still don't understand how to fix this (apply the patch, go through all .php files and make them mode 600, assuming you are running under suphp).
     
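Added example (editor's code, not from any poster in this thread or from cPanel, Fantastico or Installatron): an audit script that checks a /home tree for the two conditions described in post 10 and post 16 above, namely symlinks inside an account that resolve to somewhere outside that account's own home, and wp-config.php / configuration.php files readable by group or other. With fix=True it applies the remediation the thread settles on (chmod 600 on the config files); the symlink findings are only reported, since deciding what to do with a user's links is a policy question. The directory layout, account names and file contents below are a constructed fixture built in a temporary directory, not a real server.

```python
#!/usr/bin/env python3
"""Audit a cPanel-style /home tree for (a) symlinks that escape the owning
account's home directory and (b) application config files that are readable
by group or other.  Constructed demo fixture included so it runs offline."""
import os
import stat
import tempfile

# Config file names the thread discusses; extend for other applications.
CONFIG_NAMES = {"wp-config.php", "configuration.php"}
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def escaping_symlinks(home_root):
    """Return (link_path, link_target) for every symlink under home_root/<user>
    whose resolved target is not inside that user's own home directory."""
    findings = []
    home_root = os.path.realpath(home_root)
    for user in sorted(os.listdir(home_root)):
        user_home = os.path.join(home_root, user)
        if not os.path.isdir(user_home):
            continue
        # followlinks=False (the default) so a symlinked directory is listed
        # but never descended into.
        for dirpath, dirnames, filenames in os.walk(user_home):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                # Inside the home only if the common prefix is the home itself.
                if os.path.commonpath([target, user_home]) != user_home:
                    findings.append((path, os.readlink(path)))
    return findings


def readable_config_files(home_root, fix=False):
    """Return (path, octal_mode) for config files with a group or other read
    bit set.  With fix=True, also chmod each one to 0600."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(home_root):
        for name in filenames:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a link; inspect the real file
            mode = os.lstat(path).st_mode
            if mode & GROUP_OR_OTHER_READ:
                findings.append((path, oct(stat.S_IMODE(mode))))
                if fix:
                    os.chmod(path, 0o600)
    return findings


def mode_of(path):
    """Octal permission string of a path (helper for callers and tests)."""
    return oct(stat.S_IMODE(os.lstat(path).st_mode))


def build_demo_tree():
    """Constructed fixture: account 'alice' has a 0644 wp-config.php, account
    'mallory' holds one symlink that escapes her home and one benign local one.
    Account names and paths are invented for the demo."""
    root = tempfile.mkdtemp(prefix="home_demo_")
    alice_html = os.path.join(root, "alice", "public_html")
    os.makedirs(alice_html)
    cfg = os.path.join(alice_html, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed sample, no real credentials\n")
    os.chmod(cfg, 0o644)

    mallory_html = os.path.join(root, "mallory", "public_html")
    os.makedirs(mallory_html)
    os.symlink(root, os.path.join(mallory_html, "1.txt"))        # escapes home
    os.symlink("index.php", os.path.join(mallory_html, "local.txt"))  # stays inside
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for link, target in escaping_symlinks(root):
        print(f"symlink escapes home: {link} -> {target}")
    for path, mode in readable_config_files(root, fix=True):
        print(f"tightened {path} from {mode} to {mode_of(path)}")
```

On a real server, run it as root against /home (after replacing the fixture with the real path) from cron, as post 12 suggests, so configs a user loosens again are re-tightened; note that 0600 is only safe under suPHP or suEXEC, where PHP runs as the account owner, which is the assumption the whole thread makes.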
  17. InstallatronPhil

    Hello,

    Phil from the Installatron team here.

    Recent versions of Installatron do actually set chmod 0600 or 0400 (depending on what the app wants) on the app config file (under SuPHP-enabled web servers only, of course). As installations are upgraded through Installatron they will also pick up these permissions.

    Thank you,
    Phil
     
  18. brianoz

    brianoz Well-Known Member

    Congratulations to Installatron for a really nicely thought out feature; well done! Pat yourself on the back, you've probably saved many thousands of sites.

    In this instance, I'm loving being proved totally wrong! :)
     