Terrible security on a large server

  • bio-anomoly

    Terrible security on a large server

    I was just giving my PHP a bit of a spin, and I noticed that opendir
    opens EVERYTHING, and unix commands can be executed with the ' grave,
    like this 'ls -lR /'.

    Can someone quantify how slack this is? Is it normal practice amongst
    large servers?

    When the security is this crap, what else can happen?

  • Oli Filth

    #2
    Re: Terrible security on a large server

    bio-anomoly said the following on 06/12/2005 04:15:
    > I was just giving my PHP a bit of a spin, and I noticed that opendir
    > opens EVERYTHING, and unix commands can be executed with the ' grave,
    > like this 'ls -lR /'.
    >
    > Can someone quantify how slack this is? Is it normal practice amongst
    > large servers?
    >
    > When the security is this crap, what else can happen?


    Forgive me if I'm missing something, but surely this is irrelevant as
    long as you write decent code, that doesn't allow users to, for
    instance, execute arbitrary shell commands?


    --
    Oli


    • Chung Leong

      #3
      Re: Terrible security on a large server


      bio-anomoly wrote:
      > I was just giving my PHP a bit of a spin, and I noticed that opendir
      > opens EVERYTHING, and unix commands can be executed with the ' grave,
      > like this 'ls -lR /'.
      >
      > Can someone quantify how slack this is? Is it normal practice amongst
      > large servers?
      >
      > When the security is this crap, what else can happen?

      What else can happen? Plenty. Who needs shell commands when PHP itself
      is fully capable of destroying itself? The ability to include a remote
      script, now that's freaking crazy.


      • bio-anomoly

        #4
        Re: Terrible security on a large server

        I'm not sure how relevant it is. Should I be able to read the home
        directories of every other user?

        If their code is crap, an attacker can read everything on the server,
        including any files I've tried to hide.


        • Ian

          #5
          Re: Terrible security on a large server

          bio-anomoly wrote:
          > I'm not sure how relevant it is. Should I be able to read the home
          > directories of every other user?
          >
          That depends on how the server is setup, doesn't it?

          I never run web applications in the same zone as any user data.
          > If their code is crap, an attacker can read everything on the server,
          > including any files I've tried to hide.
          >

          Then use a server that can isolate you from the other mugs.

          Ian


          • bio-anomoly

            #6
            Re: Terrible security on a large server

            >Then use a server that can isolate you form the other mugs.

            Might have to. In theory, anyone can go fishing for mysql passwords,
            and get any info they want.


            • Erwin Moller

              #7
              Re: Terrible security on a large server

              bio-anomoly wrote:
              > I was just giving my PHP a bit of a spin, and I noticed that opendir
              > opens EVERYTHING, and unix commands can be executed with the ' grave,
              > like this 'ls -lR /'.
              >
              > Can someone quantify how slack this is? Is it normal practice amongst
              > large servers?
              >
              > When the security is this crap, what else can happen?

              Hi,

              Well, that is a common problem.
              On many servers the user that Apache runs as (www-data) must be able to read
              your php-files.

              So often a group is created where you, and www-data, and all others on the
              same machine are in.
              In that way they get access to your files.

              A better setup would be that your provider will add www-data to a group with
              you alone.
              You could ask them to do so.
              If they comply you remove all 'everybody' rights from all your files.

              Or just pretend to be stupid, call your provider and ask them why you can
              access other people's files.
              Let THEM come up with a solution, because they created this problem in the
              first place. What surely will help is telling them that if they do not
              solve the problem, you will leave them and will tell all other users too
              about this problem.

              Regards,
              Erwin Moller


              • Jerry Stuckle

                #8
                Re: Terrible security on a large server

                bio-anomoly wrote:
                > I was just giving my PHP a bit of a spin, and I noticed that opendir
                > opens EVERYTHING, and unix commands can be executed with the ' grave,
                > like this 'ls -lR /'.
                >
                > Can someone quantify how slack this is? Is it normal practice amongst
                > large servers?
                >
                > When the security is this crap, what else can happen?
                >

                So - what's the problem? The same can be true with C, Java, perl, asp
                or almost any other programming language.

                Although security is not the responsibility of the programming language
                (it's an OS responsibility!), there are some things built into PHP - see
                safe mode, for instance.

                --
                ==================
                Remove the "x" from my email address
                Jerry Stuckle
                JDS Computer Training Corp.
                jstucklex@attglobal.net
                ==================
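                The PHP-side controls Jerry alludes to (and the remote-include problem
                Chung raises earlier in the thread) map onto a handful of php.ini
                directives. The fragment below is an added illustration, not
                configuration from the thread or from any particular host: the first
                group shows the permissive defaults that produce the behaviour the
                original post describes, the second a tightened set. The path is a
                placeholder; allow_url_include only exists from PHP 5.2 onward (this
                thread predates it), and safe_mode itself was removed in PHP 5.4, so
                open_basedir and disable_functions are the durable controls.

```ini
; --- Permissive: what a shared box with no per-account restrictions looks like
; open_basedir  is unset, so opendir("/") walks the whole filesystem
; open_basedir =
; disable_functions is empty, so `ls -lR /` (backticks = shell_exec) runs
; disable_functions =
; remote scripts can be pulled in with include("http://...")
allow_url_fopen = On

; --- Tightened, set per virtual host / per tenant by the provider
; confine file operations (including opendir, fopen, include) to the account
open_basedir = /home/alice/public_html:/tmp
; disabling shell_exec also disables the backtick operator
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
; stop remote includes; allow_url_include is PHP >= 5.2
allow_url_fopen = Off
allow_url_include = Off
```

                On a shared host a tenant cannot edit php.ini; the provider sets these
                per vhost (Apache's php_admin_value) and the tenant can only verify
                them, e.g. with phpinfo() or ini_get('open_basedir'). An empty
                open_basedir and an empty disable_functions are the fastest way to
                confirm that the situation in the original post applies to your
                account.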


                • Java Boy

                  #9
                  Re: Terrible security on a large server


                  think about reading /etc/passwd

                  --
                  Geeks Home

                  "bio-anomoly" <biohazard@gardener.com> wrote in message
                  news:1133842536.168161.211180@g43g2000cwa.googlegroups.com...
                  > I was just giving my PHP a bit of a spin, and I noticed that opendir
                  > opens EVERYTHING, and unix commands can be executed with the ' grave,
                  > like this 'ls -lR /'.
                  >
                  > Can someone quantify how slack this is? Is it normal practice amongst
                  > large servers?
                  >
                  > When the security is this crap, what else can happen?
                  >



                  • Malcolm Dew-Jones

                    #10
                    Re: Terrible security on a large server

                    Java Boy (fahimzahid.nospam@hotmail.com) wrote:

                    : think about reading /etc/passwd

                    er - what of it? All users on a unix-like system can read this file. That
                    is why the passwords are encrypted, or better yet, stored in a shadow file
                    that cannot be read by just anyone.


                    • Malcolm Dew-Jones

                      #11
                      Re: Terrible security on a large server

                      bio-anomoly (biohazard@gardener.com) wrote:
                      : I was just giving my PHP a bit of a spin, and I noticed that opendir
                      : opens EVERYTHING, and unix commands can be executed with the ' grave,
                      : like this 'ls -lR /'.

                      : Can someone quantify how slack this is? Is it normal practice amongst
                      : large servers?

                      It depends entirely on the server setup, and somewhat on the cost. I.e.
                      I think that inexpensive hosting plans "often" set up one shared server
                      with a shared apache account that runs all the cgi and php stuff.

                      You say you can `ls -lR`, but the real question is whether you can
                      `rm -r /` (don't try that, though I doubt you can).

                      Also, each user (including yourself) can probably set the access
                      permissions on your own files, so that the shared server can only see the
                      files you allow it to see. That doesn't instantly help when it comes to
                      reading the database password that your scripts need to read, but it does
                      mean that you can have files stored on the server that cannot be read if
                      they aren't web pages.

                      To control access to a password file (e.g. your database password), write
                      your application as a suid cgi script. (I'm not sure if you can do this
                      in php though.) Make your password file unreadable except to yourself.
                      Now make your script suid to your account. Now apache can run your script
                      and read the password file, but no one can see what it is, all they can do
                      is what your script wants them to do.
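                      Erwin's fix (a private group containing only you and www-data, then
                      strip the "everybody" bits) and Malcolm's point about setting
                      permissions on your own files both come down to the same audit and
                      the same chmod pass. The script below is an added example, not code
                      from the thread: it lists what every other login on the box can read
                      under a directory, then tightens the tree so that only you and the
                      private group can get at it. The directory, group name and config
                      file name are placeholders; it assumes a standard find/chmod/chgrp
                      userland.

```sh
#!/bin/sh
# Added example (not from the thread): audit and tighten what the shared
# Apache account, and every other login on the box, can read in a hosting
# account.  Paths, the group name and the secret file name are placeholders
# chosen for this illustration.
#
# Model, following the thread: the provider creates a private group that
# contains only you and www-data.  Group-readable then means "readable by
# the web server", and the other-readable bit is what leaks to other tenants.

# Print every file or directory under $1 that carries the other-readable bit
# (mode bit 004).  Empty output means no other tenant can read anything here.
world_readable() {
    find "$1" -perm -004 -print | sort
}

# Give the tree $1 to private group $2, then set directories 750 and files
# 640: you keep full control, the group (you + www-data) can read and
# traverse, everyone else gets nothing.
harden_webroot() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Owner-only (600) for a file that must never be readable by the web server
# account at all.  Trade-off Malcolm raises: a plain mod_php script running
# as www-data can then no longer open it; 600 only works when the script
# executes as you (suexec, suPHP, a per-user PHP-FPM pool, or the setuid
# CGI wrapper he describes).
lock_secret() {
    chmod 600 "$1"
}

# Return 0 if no other tenant can read anything under $1, 1 otherwise.
is_private_tree() {
    [ -z "$(world_readable "$1")" ]
}

# Usage: sh harden.sh ~/public_html mygroup
if [ $# -eq 2 ]; then
    echo "Readable by other tenants before:"; world_readable "$1"
    harden_webroot "$1" "$2"
    echo "Readable by other tenants after:";  world_readable "$1"
fi
```

                      Run it as the account owner, with the group the provider created for
                      you. It deliberately leaves execute bits alone for files (PHP under
                      mod_php needs only read) and keeps directories traversable for the
                      group so Apache can still descend into the tree.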


                      • JDS

                        #12
                        Re: Terrible security on a large server

                        On Mon, 05 Dec 2005 21:24:49 -0800, bio-anomoly wrote:
                        > If their code is crap, an attacker can read everything on the server,
                        > including any files I've tried to hide.

                        But this is not a *PHP* issue, now, is it?

                        --
                        JDS | jeffrey@example.invalid
                        | http://www.newtnotes.com
                        DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/
