httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Directories Being Probed Even When Index Listing Denied
Date Wed, 30 Mar 2011 11:35:08 GMT

> You misunderstand. A user with FTP access only to a single virtual 
> host can upload a PHP shell to their web space. The PHP shell allows 
> them to log in with a made-up password they make. Once logged in to the 
> PHP shell they are no longer restricted by their FTP login permissions, 
> due to the fact that a PHP shell runs under the www-data account. The 
> fact that they have now hijacked the www-data account using the 
> uploaded PHP shell allows them to see the other virtual hosts' PHP 
> scripts, and even the root directory on the server if the www-data 
> account is not jailed. If it is jailed they are restricted to seeing 
> all virtual hosts on the server. Jailed or not jailed, you can view 
> your neighbor's PHP code and steal it.
>
> How would one go about preventing this kind of attack while using 
> virtual hosts and PHP?

First, have the files for each virtual host owned by different users. 
This will prevent someone who comes in via FTP from being able to 
access files belonging to other virtual hosts.  (By the way, you really 
should not use FTP since it is insecure; switch to SFTP instead.)

Next, configure Apache to execute the PHP for each virtual host as a user 
unique to that virtual host (and different from the user who owns the 
files for that virtual host).  There are several ways to do this, 
including suEXEC, FastCGI, and reverse proxies.  For more information, 
see http://wiki.apache.org/httpd/PrivilegeSeparation

--
   Mark Montague
   mark@catseye.org
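The recipe in the reply above (one owner per site, PHP executed as a
second, site-specific user), written out as a script that renders the
three pieces for one virtual host.  This is an added example, not code
from the original message or from the Apache project.  It assumes Apache
2.4.10 or later with mod_proxy_fcgi, PHP-FPM, and an sshd that serves
SFTP via internal-sftp; the site label, domain, port, /var/www layout
and the www-data account name are illustrative and config paths differ
per distribution.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Apache project.
# Renders Mark's recipe for one virtual host:
#   1. an Apache 2.4 vhost that hands every .php request to a PHP-FPM pool
#      that belongs to that site only (assumes mod_proxy_fcgi, Apache >= 2.4.10),
#   2. the PHP-FPM pool, running as a user that exists for this site alone,
#   3. the account/ownership commands that let that user read, but not write,
#      files owned by the site's SFTP user, and see nothing of other sites.
# Names (site1, example.org, 9001, /var/www, www-data) are illustrative.

# 1. Apache: PHP for this site is executed only by this site's pool.
vhost_conf() {
    label=$1; domain=$2; port=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot /var/www/$label/htdocs
    <Directory /var/www/$label/htdocs>
        AllowOverride None
        Require all granted
    </Directory>
    # Apache itself never runs PHP here; the request is proxied to the pool.
    <FilesMatch "\\.php\$">
        SetHandler "proxy:fcgi://127.0.0.1:$port"
    </FilesMatch>
</VirtualHost>
EOF
}

# 2. PHP-FPM pool: its own user, its own port, confined to its own tree.
fpm_pool_conf() {
    label=$1; port=$2
    cat <<EOF
[$label]
user = $label-php
group = $label
listen = 127.0.0.1:$port
pm = ondemand
pm.max_children = 5
; A PHP shell uploaded here is confined by open_basedir and, more
; importantly, by what user $label-php is allowed to read on disk.
php_admin_value[open_basedir] = /var/www/$label:/tmp
php_admin_value[upload_tmp_dir] = /var/www/$label/tmp
php_admin_value[session.save_path] = /var/www/$label/tmp
EOF
}

# 3. Filesystem: the SFTP user owns and writes; the PHP user and Apache only
#    read; everyone else (including other sites' PHP users) gets nothing.
lockdown_cmds() {
    label=$1
    cat <<EOF
groupadd $label
useradd -g $label -d /var/www/$label -s /usr/sbin/nologin $label-ftp   # SFTP-only (internal-sftp)
useradd -r -g $label -s /usr/sbin/nologin $label-php                   # PHP-FPM pool user
usermod -a -G $label www-data                                          # Apache must still serve static files
install -d -o $label-ftp -g $label -m 0750 /var/www/$label /var/www/$label/htdocs
install -d -o $label-php -g $label -m 0770 /var/www/$label/tmp
# owner rwx, group r-x (files r--), others nothing: $label-php can read but
# not modify the code, and another site's PHP user cannot even list it.
chmod -R u=rwX,g=rX,o= /var/www/$label/htdocs
EOF
}

# Usage: sh vhost-sep.sh site1 example.org 9001
label=${1:-site1}; domain=${2:-example.org}; port=${3:-9001}
echo "# --- Apache site file (e.g. /etc/apache2/sites-available/$label.conf)"
vhost_conf "$label" "$domain" "$port"
echo "# --- PHP-FPM pool file (e.g. /etc/php/*/fpm/pool.d/$label.conf)"
fpm_pool_conf "$label" "$port"
echo "# --- run once as root"
lockdown_cmds "$label"
```

Two caveats worth checking after applying this.  Files the SFTP user
uploads later take that session's umask, so force one (for example
`ForceCommand internal-sftp -u 027` in sshd_config) or the group-read
bits can end up missing or too generous.  And www-data is a member of
every site's group so that Apache can serve static files, so the
isolation is between the per-site PHP users; a compromise of the Apache
worker itself still reads every site, which is the reason the reply
wants PHP executed as someone other than www-data in the first place.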

