httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 10135] New: - users can view other user's web files through apache/php rights
Date Fri, 21 Jun 2002 19:49:31 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135

users can view other user's web files through apache/php rights

           Summary: users can view other user's web files through apache/php
                    rights
           Product: Apache httpd-1.3
           Version: 1.3.23
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Auth/Access
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: tpalanga@hotmail.com


Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure 
Apache so it will see every user's web files.
 So we have user x and user y. User x cannot see or read y's web files or 
other files, but he is smart and somehow finds a way to break into y's web 
(especially in the case with the /home/y/public_html setting --- every user knows 
that user xxyy has a public_html in his home dir, so he exploits it). How? By 
Apache's rights. Does Apache have the rights to read ALL USERS' web files? YES.
  So x makes a browsing system and he uses Apache's rights to read ALL USERS' 
web files for reading y's web files.  So x reads x's config.php (or anything 
else) and he finds out the database user and pass. What next?

  So, I think it's a bad thing (in fact it's a major security problem) for PHP 
and Apache to use general rights for every user. Can Apache be configured as a 
user-level multi-user-threaded server, or is this a SECURITY BUG?

  I think someone (at least PHP&Apache) cares.
  Best regards
  Tudor Palanga.
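The scenario above comes down to the ordinary Unix permission check: every user's PHP runs as the one web-server uid, so anything that uid can read, any user's script can read. The following is an added example, not code from the bug report or from the Apache project. It models that check, applies it to a constructed /home/y/public_html/config.php tree, and includes the audit an administrator would run to find files readable by "other". The uids and gids (www-data = 33, user y = 1002) are assumptions, since ownership cannot be changed without root; the database credentials in the sample file are made up.

```python
"""Why one shared web-server uid can read every user's public_html.

Added example, not from the bug report.  Models the classic Unix read check
and applies it to a constructed home-directory layout.  Identities below are
assumptions for illustration (we cannot chown in an unprivileged sandbox).
"""
import os
import stat
import tempfile

WEB_UID, WEB_GIDS = 33, {33}      # assumed: uid/gids Apache (and its PHP) runs as
Y_UID, Y_GID = 1002, 1002         # assumed: owner of /home/y


def unix_readable(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix read check: root reads everything; otherwise exactly one
    of the owner/group/other bit triplets applies, chosen in that order."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def build_tree():
    """Construct <tmp>/home/y/public_html/config.php with sample (fake) data."""
    root = tempfile.mkdtemp(prefix="shared-httpd-")
    pub = os.path.join(root, "home", "y", "public_html")
    os.makedirs(pub)
    cfg = os.path.join(pub, "config.php")
    with open(cfg, "w") as fh:
        # Constructed sample credentials, as a reporter's config.php would hold.
        fh.write("<?php $db_user = 'y'; $db_pass = 'example-only'; ?>\n")
    return root, cfg


def web_can_read(path, owner_uid=Y_UID, owner_gid=Y_GID):
    """Would a script running as the shared web-server uid read this file?
    Real mode bits come from the filesystem; ownership is the assumed user y."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return unix_readable(mode, owner_uid, owner_gid, WEB_UID, WEB_GIDS)


def world_readable_files(root):
    """Audit: files under root whose 'other' read bit is set (readable by any
    uid on the box, including the shared web-server uid)."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Run the check under the usual default mode and under a tightened one."""
    root, cfg = build_tree()
    results = {}

    os.chmod(cfg, 0o644)               # typical default: world-readable
    results["0644_web_reads"] = web_can_read(cfg)
    results["0644_audit"] = world_readable_files(root)

    os.chmod(cfg, 0o640)               # owner and group only
    results["0640_web_reads"] = web_can_read(cfg)
    # If www-data is added to y's group the tightening buys nothing.
    results["0640_web_in_group"] = unix_readable(
        0o640, Y_UID, Y_GID, WEB_UID, WEB_GIDS | {Y_GID})
    results["0640_audit"] = world_readable_files(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The caveat the numbers make visible: dropping config.php to 0640 does stop x's script, but it also stops Apache itself from serving y's files, because Apache is that same shared uid. The only way to have both is to run each user's scripts under that user's own identity (Apache 1.3's suEXEC for CGI, or a per-user process model), which is the "user-level" server the reporter is asking about; with a single shared uid, file permissions alone cannot separate the tenants.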

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

