httpd-users mailing list archives

From "Gary W. Smith" <g...@primeexalia.com>
Subject RE: [users@httpd] Hacked the website replace the index.hm page
Date Mon, 09 May 2005 01:55:19 GMT
Here is the explanation as you have already presented it:

All users sites are owned by httpd
There are multiple user sites, we'll say a-z.
Site a is running PHPbb with a version known to be buggy.
Someone issues a hack against site a.  The hack says modify site b-z.
Apache says, why not, I own the files so I can.
User from site j complains because site is hacked.

The rule of thumb is that apache can edit any file it has read/write
access to.

What we have done in the past to prevent this.  

We have multiple sites running on single boxes and ensure that this
doesn't happen by having the files owned by the user with read-only
access to apache (r/w is assigned by the users at their own risk,
usually only to directories they need to upload to).

If your users fail to update their versions of phpBB there isn't much you
can do, but you are also not responsible for their failure to do so.

We also turn on open_basedir per virtual instance (all on one line):
php_admin_value open_basedir "/tmp:/home/whateveruser/html:/usr/local/horde:/usr/local/lib"

This might help, but it won't hurt!

> ----- Original Message -----
> From: "Mathew Thomas" <mathew.thomas@rmit.edu.au>
> To: <users@httpd.apache.org>
> Sent: Sunday, May 08, 2005 8:23 PM
> Subject: Re: [users@httpd] Hacked the website replace the index.hm page
> 
> 
> Hi Tim,
> 
> Could you please explain it a bit more. There is no connection between the
> hacked website and phpBB website (both are different virtual hosts). We are
> using php version 4.3.9. Do you mean upgrade php?
> 
> Thanks
> Mathew
> 
> 
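Gary's rule of thumb above (Apache can edit any file it has write access to) suggests a check an administrator can run after setting up the per-user ownership he describes. The following script is an added example, not code from the thread or from the Apache project: it walks a directory of user sites and reports every file or directory that a process running as the web server's uid and gid could write. The sample layout, the file names and the stand-in httpd uid/gid (one higher than the user running the script) are constructed for the demonstration; on a real host you would point it at the vhost document roots and pass the actual httpd account's uid and groups.

```python
#!/usr/bin/env python3
"""Audit per-user site directories for paths the httpd account could modify.

Added example for the httpd-users thread above (not the project's code):
anything reported here is a file the web server could rewrite if a buggy
application running under it is exploited, which is the cross-site
scenario the thread describes. Sample layout and uids are constructed.
"""
import os
import stat
import tempfile
from typing import Iterable, List


def writable_by(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """True if a non-root process with this uid and group set can write the
    object described by st. Classic mode bits only: POSIX ACLs, immutable
    flags and MAC policies are not consulted."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_tree(root: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Return paths under root (relative to root, sorted) that the given
    uid/gids could write. Symlinks are skipped; their targets are audited
    wherever they actually live."""
    gids = set(gids)
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo(base: str) -> str:
    """Constructed sample layout: two user sites, one kept read-only for the
    server and one with the sloppy permissions this thread is about."""
    sites = os.path.join(base, "sites")
    for rel in ("sitea/html", "siteb/html/uploads"):
        os.makedirs(os.path.join(sites, rel), exist_ok=True)
    # Directories owned by the user, readable but not writable by the server.
    os.chmod(sites, 0o755)
    for dirpath, dirnames, _ in os.walk(sites):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    files = {
        "sitea/html/index.html": 0o644,  # owner r/w, server read-only
        "siteb/html/index.html": 0o666,  # world-writable: server can deface
    }
    for rel, mode in files.items():
        path = os.path.join(sites, rel)
        with open(path, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(path, mode)
    # A world-writable upload directory (r/w the user granted at their own risk).
    os.chmod(os.path.join(sites, "siteb/html/uploads"), 0o777)
    return sites


def run_demo() -> List[str]:
    """Build the sample tree in a temp dir and audit it as a hypothetical
    httpd account whose uid/gid differ from the user creating the files."""
    base = tempfile.mkdtemp(prefix="vhost-audit-")
    sites = build_demo(base)
    web_uid, web_gid = os.getuid() + 1, os.getgid() + 1  # stand-in for httpd
    return audit_tree(sites, web_uid, {web_gid})


if __name__ == "__main__":
    for path in run_demo():
        print("server-writable:", path)
```

On the sample tree the audit lists only siteb's world-writable index.html and its uploads directory; sitea, owned by the user with read-only access for the server, produces no findings. Running it as a real httpd account requires passing that account's uid and all of its groups, since group-writable files count as soon as any supplementary group matches.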

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

