From: xxxxx, xxxxxx [mailto: firstname.lastname@example.org]
Sent: Tuesday, September 28, 2004 2:36 PM
To: Nicholas Dunnaway
Subject: RE: Power Server Security
Thanks for the info! I would be curious to know how to fix it. Part of the problem is that because this is a school server, a certain amount of access is required so that other teachers (who don't have root access) can still move around fairly freely in the environment. But I would be interested in knowing what the apache settings should be set to so that this can't happen. I'm not the one in charge of the server, and there are other people using it, so I doubt anything will get changed. But I would still like to hear what you find out.
From: Nicholas Dunnaway [mailto:email@example.com]
Sent: Tuesday, September 28, 2004 1:26 PM
To: xxxxx, xxxxx
Subject: Power Server Security
I wanted to show you something I came up with the other day. I have a host on another server where we chmod 600 files with passwords in them to keep other people on the same host from seeing our passwords. When I did this on power, apache was unable to read my php files. So I had no choice but to make the files 744 so apache can read them. Because of this I am able to use apache to read any php file on the server.
is how. I choose to use
the account I am attacking.
I change to /home/.
I can see all the users on the server.
you can see dunnawn does not have access to /home/
phpgrp5/. Using this code lets me
see into /home/
this shows me what’s in the public folder.
the source code for the connect.php script.
Getting the MySQL login info.
Here is what the html page looks like (http://power.arc.losrios.edu/~dunnawn/code.php)
I know this is a test environment and in a production environment there is more concern for security. I also am aware that there might not be anything you can do to fix it. I asked around and the info I received is that there is a setting in apache to make it serve files as the user you are logged in as. My concern is just awareness.
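
The permission situation described in this thread, modelled as an added example that is not part of either message: it applies the POSIX read check to two accounts' `connect.php` files under a shared web-server user and under per-account execution (the "serve files as the user" setting mentioned above). All uids, gids and paths are constructed for illustration.

```python
import stat
from collections import namedtuple

FileMeta = namedtuple("FileMeta", "path owner_uid group_gid mode")
Proc = namedtuple("Proc", "uid gids")

def can_read(proc, f):
    """POSIX read check: owner bits if uid matches, else group bits, else other bits."""
    if proc.uid == 0:
        return True
    if proc.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.group_gid in proc.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def audit(files, proc_for_owner):
    """Per file: (owner's own scripts can read it, other owners whose scripts can).
    proc_for_owner maps an account uid to the identity its PHP scripts run under."""
    owners = sorted({f.owner_uid for f in files})
    report = {}
    for f in files:
        works = can_read(proc_for_owner(f.owner_uid), f)
        exposed_to = [o for o in owners
                      if o != f.owner_uid and can_read(proc_for_owner(o), f)]
        report[f.path] = (works, exposed_to)
    return report

# Constructed sample data (not taken from the server discussed in the thread).
APACHE = Proc(uid=48, gids={48})
FILES_744 = [FileMeta("/home/alice/public_html/connect.php", 1001, 1001, 0o744),
             FileMeta("/home/bob/public_html/connect.php", 1002, 1002, 0o744)]
FILES_600 = [f._replace(mode=0o600) for f in FILES_744]

def shared(uid):
    """Every account's scripts run as the single web-server user."""
    return APACHE

def per_user(uid):
    """Each account's scripts run under that account's own uid."""
    return Proc(uid=uid, gids={uid})

if __name__ == "__main__":
    for label, files, model in [("shared, 744", FILES_744, shared),
                                ("shared, 600", FILES_600, shared),
                                ("per-user, 744", FILES_744, per_user),
                                ("per-user, 600", FILES_600, per_user)]:
        print(label, audit(files, model))
```

Only the per-account model combined with mode 600 leaves each file readable by its owner's scripts and by nobody else's; per-account execution with 744 still exposes the file through the "other" read bit.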