-----Original Message-----

From: xxxxx, xxxxxx [mailto: xxxxxxxx@xxxxxxx.xxxxxx]

Sent: Tuesday, September 28, 2004 2:36 PM

To: Nicholas Dunnaway

Subject: RE: Power Server Security


Thanks for the info! I would be curious to know how to fix it. Part of the problem is that because this is a school server, a certain amount of access is required so that other teachers (who don't have root access) can still move around fairly freely in the environment. But I would be interested in knowing what the apache settings should be set to so that this can't happen. I'm not the one in charge of the server, and there are other people using it, so I doubt anything will get changed. But I would still like to hear what you find out.




-----Original Message-----
From: Nicholas Dunnaway [mailto:xxxxxxxx@xxxxxxx.xxxxxx]
Sent: Tuesday, September 28, 2004 1:26 PM
To: xxxxx, xxxxx
Subject: Power Server Security

I wanted to show you something I came up with the other day. I have a host on another server where we chmod 600 files with passwords in them to keep other people on the same host from seeing our passwords. When I did this on power, apache was unable to read my php files. So I had no choice but to make the files 744 so apache can read them. Because of this I am able to use apache to read any php file on the server.


Here is how. I chose to use phpgrp5 as the account I am attacking.



I change to /home/.



I can see all the users on the server.



As you can see dunnawn does not have access to /home/phpgrp5/. Using this code lets me see into /home/phpgrp5/.


<?php echo `ls -la /home/phpgrp5/`; // Command ?>


and this shows me what’s in the public folder.


<?php echo `ls -la /home/phpgrp5/public_html/`; // Command ?>


<?php highlight_file('/home/phpgrp5/public_html/connect.php'); ?>


This shows the source code of the connect.php script, revealing the MySQL login info.



Here is what the html page looks like (http://power.arc.losrios.edu/~dunnawn/code.php)


I know this is a test environment and in a production environment there is more concern for security. I am also aware that there might not be anything you can do to fix it. I asked around and the info I received is that there is a setting in apache to make it serve files as the user you are logged in as. My concern is just awareness.


Nicholas Dunnaway
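The audit script below is an added example and is not part of the e-mail thread above or of the Power server's configuration. It checks for the condition the thread demonstrates: because every user's PHP runs as the single Apache user, any PHP file that user can reach by path (the home directory and public_html traversable by "other", the file readable by "other") can be dumped by any other account with highlight_file(). The script lists such files under a /home/<user>/public_html layout (the layout assumed from the paths in the mail; pass another root as $1) and builds a small constructed directory tree to run against. Names like find_exposed_php and build_demo are this example's own.

```shell
#!/bin/sh
# Added example: audit a shared-hosting /home tree for PHP files that a
# foreign unprivileged user (such as the one Apache runs as) can read by path.
# The checks use the mode bits shown by `ls -ld`, not actual access, so the
# result is the same whoever runs the script. Layout /home/<user>/public_html
# is an assumption taken from the paths in the mail.

# Print the "other" rwx bits of a path, e.g. "r-x" or "---".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Succeed if "other" may read the file (first of the three bits is r).
world_readable() {
    case "$(other_bits "$1")" in
        r??) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed if every directory between $root (exclusive) and the file is
# traversable (x bit) by "other". A 644 file inside a 700 home directory
# is still unreachable for Apache by path.
path_traversable() {
    root=$1
    dir=$(dirname "$2")
    while [ "$dir" != "$root" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        case "$(other_bits "$dir")" in
            ??x) ;;
            *)   return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Print one path per line for every .php file under $1/*/public_html that a
# process running as a user outside the owner's group could read.
find_exposed_php() {
    root=$1
    find "$root" -path "$root/*/public_html/*" -name '*.php' -type f 2>/dev/null |
    while read -r f; do
        if world_readable "$f" && path_traversable "$root" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo tree (not a real server): phpgrp5 has a world-readable
# connect.php, dunnawn keeps code.php at 600 (which Apache could not serve).
# Prints the temporary root directory.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/phpgrp5/public_html" "$d/dunnawn/public_html"
    printf '%s\n' '<?php $db_pass = "constructed-sample"; ?>' \
        > "$d/phpgrp5/public_html/connect.php"
    printf '%s\n' '<?php echo `ls -la /home/phpgrp5/`; ?>' \
        > "$d/dunnawn/public_html/code.php"
    chmod 711 "$d/phpgrp5" "$d/dunnawn"
    chmod 755 "$d/phpgrp5/public_html" "$d/dunnawn/public_html"
    chmod 644 "$d/phpgrp5/public_html/connect.php"
    chmod 600 "$d/dunnawn/public_html/code.php"
    printf '%s' "$d"
}

# Stand-alone run: audit the constructed tree, then a real root if given.
demo=$(build_demo)
find_exposed_php "$demo"
rm -rf "$demo"
if [ $# -gt 0 ]; then
    find_exposed_php "$1"
fi
```

The script only finds what is exposed; it cannot be fixed with permissions alone. Tightening a file to 600 makes Apache unable to serve it, as the mail observed, and giving it to the web server's group with 640 does not help either, because every other account's PHP also runs as that same user. The real remedy is the setting the mail alludes to: running each account's scripts as that account (Apache's suexec for CGI, suPHP, or a per-user PHP-FPM pool), after which a 700 home directory keeps one user's scripts out of another's files.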