[21364] in bugtraq
Re: [BUGTRAQ] php breaks safe mode
daemon@ATHENA.MIT.EDU (H D Moore)
Fri Jul 6 00:53:51 2001
X-Qmail-Scanner-Mail-From: hdm@secureaustin.com via webserver
X-Qmail-Scanner-Rcpt-To: raptor@0xdeadbeef.eu.org bugtraq@securityfocus.com
Content-Type: text/plain;
charset="iso-8859-1"
From: H D Moore <hdm@secureaustin.com>
To: Raptor <raptor@0xdeadbeef.eu.org>, bugtraq@securityfocus.com
Date: Thu, 5 Jul 2001 14:31:42 -0500
In-Reply-To: <Pine.BSO.4.21.0107051208100.2587-100000@voodoo.rewt.mil>
MIME-Version: 1.0
Message-Id: <0107051431420A.00708@sliver>
Content-Transfer-Encoding: 8bit
On Thursday 05 July 2001 05:11 am, Raptor wrote:
> What do you exactly intend with "minor impact"? A user with the uid of the
> webserver can at least kill the webserver itself... This should definitely
> be an issue for a web hosting provider.
<? system("killall -9 httpd"); ?>
Not completely true. Apache's master process still runs as root, someone
with access as the web user could kill the child processes which are passed
new requests, but they would be restarted.
The more insidous problem with using PHP (module) on an Apache setup is that
any user can access the scripts of any other user account. The web server
user needs reads access to every file to serve it, the Apache process runs
every user's code under the same account (unless its compiled as a CGI and
suexec is setup, but that causes its own problems), allowing someone to
go through the database of a ecom company hosted on the same server quite
easily. I have seen cases where an attacker would purchase an account (via
stolen CC of course) on the server of their target, then use the "nobody"
account to access all of their data (or simply spawn a shell, break root, and
really own them). I wonder if VirtualHost based user/group directives would
keep this from happening, does anyone on the list know of a way to protect
against this?
-HD
