Re: apache + .htpasswd - bypass pwd check

From: Jedi/Sector One (j@pureftpd.org)
Date: 04/26/02


Date: Fri, 26 Apr 2002 18:19:45 +0159
From: Jedi/Sector One <j@pureftpd.org>
To: Jose Nazario <jose@monkey.org>

On Thu, Apr 25, 2002 at 12:19:45PM -0400, Jose Nazario wrote:
> summary:
> Options -FollowSymLinks +SymLinksIfOwnerMatch or something similar

  Please note that it is safe only if all scripts (PHP, perl, etc) are
running with user privileges.

  If the suexec wrapper isn't active, or if PHP doesn't run in CGI mode,
files created by scripts will be owned by the server uid (usually nobody).

  There are plenty of free PHP and Perl scripts that come with an
"installer". People upload a package to the server, browse a URL to launch
the installation script, answer a few questions, and files are automatically
copied into proper locations. These files typically contain passwords for
SQL databases, and once copied by the installation script, they belong to
nobody.

  +SymLinksIfOwnerMatch doesn't prevent users from creating a script that
will create a symbolic link to some other customer's files as nobody. Owners
will match.

  All symbolic links can be forbidden (-FollowSymLinks and nothing else).
  
  But hard links are worse. Apache will follow them regardless of your
configuration files. As a lot of customers are using the same packages, it's
quite easy to find out what files have to be linked.

  So, to sleep more quietly:
  
 - Use suexec.
 
 - Use PHP safe_mode if you really can't run PHP in CGI mode.
 
 - Place users home directories in unguessable locations
(/users/B67h6768/9dqzsu_-zeu/_6p+/john/ , with all directories no read
attribute on directories) .

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/     Secure FTP Server     \' /
  \/   Misc. free software   \/
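
Added example, not part of the original message: a defender-side audit of one customer's document root for the conditions described above, namely symlinks that resolve outside the docroot, links and files owned by the server uid, and hard-linked files. The function names, the finding labels and the constructed sample tree are assumptions for illustration, and a link count above 1 is only a heuristic for a hard link to review.

```python
import os
import stat
import tempfile

def audit_docroot(docroot, server_uid):
    """Walk docroot (without following links) and return sorted (kind, path) findings."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append(("symlink-escapes-docroot", path))
                # A link created by a script runs as the server uid, so an
                # owner-match check against server-owned files will pass.
                if st.st_uid == server_uid:
                    findings.append(("symlink-owned-by-server-uid", path))
            elif stat.S_ISREG(st.st_mode):
                # Hard links are not covered by the symlink options at all.
                if st.st_nlink > 1:
                    findings.append(("hard-linked-file", path))
                if st.st_uid == server_uid:
                    findings.append(("file-owned-by-server-uid", path))
    return sorted(findings)

def build_constructed_tree():
    """Constructed sample: one docroot plus another customer's config file."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "john", "htdocs")
    other = os.path.join(base, "jane", "htdocs")
    os.makedirs(docroot)
    os.makedirs(other)
    secret = os.path.join(other, "config.php")
    with open(secret, "w") as f:
        f.write("<?php /* constructed sample */ ?>\n")
    with open(os.path.join(docroot, "index.php"), "w") as f:
        f.write("<?php ?>\n")
    os.symlink(secret, os.path.join(docroot, "link.php"))
    os.link(secret, os.path.join(docroot, "copy.php"))
    return docroot

if __name__ == "__main__":
    for kind, path in audit_docroot(build_constructed_tree(), os.getuid()):
        print(kind, path)
```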


