Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/06/21 21:49:31 UTC
DO NOT REPLY [Bug 10135] New: - users can view other user's web files through apache/php rights
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135
users can view other user's web files through apache/php rights
Summary: users can view other user's web files through apache/php rights
Product: Apache httpd-1.3
Version: 1.3.23
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Major
Priority: Other
Component: Auth/Access
AssignedTo: bugs@httpd.apache.org
ReportedBy: tpalanga@hotmail.com
Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure
Apache so it will see every user's web files.
So we have user x and user y. User x cannot see or read y's web files or
other files, but he is smart and somehow finds a way to break into y's web
(especially in the case with the /home/y/public_html setting --- every user knows
that user xxyy has a public_html in his home dir, so he exploits it). How? By
Apache's rights. Does Apache have the rights to read ALL USERS web files ? YES.
So x makes a browsing system and he uses Apache's rights to read ALL USERS
web files for reading y's web files. So x reads x's config.php (or anything
else) and he finds out the database user and pass. What next ?
So, I think it's a bad thing (in fact it's a major security problem) for php
and Apache to use general rights for every user. Can Apache be configured as a
user-level multi-user-threaded server, or is this a SECURITY BUG?
I think someone (at least PHP&Apache) cares.
Best regards
Tudor Palanga.
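The condition the report describes can be audited directly: if Apache and every user's PHP script run under one identity, then any site file that identity can open is readable by every other user's script. The script below is an added example, not code from the report or from the Apache/PHP projects. It assumes a constructed web-server identity (uid 33 / gid 33, Debian's www-data), a constructed per-user uid map (UID_OF, user-private groups), and the ~/public_html layout from the report; it builds a throwaway /home tree with three users and reports which config.php files the web-server identity could read, applying the Unix permission rules (search bit on every directory in the path, read bit on the file).

```python
"""Audit a shared /home tree for site files the web-server identity can read.

Added example, not code from the bug report or from Apache/PHP. It models the
setup the report describes: one Apache/PHP identity (constructed here as
uid 33 / gid 33, Debian's www-data) serving every user's ~/public_html.
"""
import stat
import tempfile
from pathlib import Path

APACHE_UID = 33                 # constructed identity, not from the report
APACHE_GIDS = frozenset({33})

# Constructed per-user uid/gid map (user-private groups). On a real host use
# st_uid/st_gid from os.stat(); in this demo every file is created by the
# account running the script, so real ownership would tell us nothing.
UID_OF = {"x": 1001, "y": 1002, "z": 1003}


def has_access(mode, file_uid, file_gid, uid, gids, usr_bit, grp_bit, oth_bit):
    """Unix DAC: the owner class decides, else the group class, else other.
    (uid 0 bypass is deliberately not modelled; Apache is not root here.)"""
    if uid == file_uid:
        return bool(mode & usr_bit)
    if file_gid in gids:
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def can_read(mode, file_uid, file_gid, uid, gids):
    return has_access(mode, file_uid, file_gid, uid, gids,
                      stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(mode, file_uid, file_gid, uid, gids):
    return has_access(mode, file_uid, file_gid, uid, gids,
                      stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def find_exposed(home_root, uid_of=UID_OF, uid=APACHE_UID, gids=APACHE_GIDS,
                 names=("config.php",)):
    """Return [(user, relative path)] for every matching file the given identity
    can open: each directory from <home>/<user> down must be searchable and the
    file readable, judged against that user's (constructed) uid/gid."""
    root = Path(home_root)
    exposed = []
    for user_dir in sorted(root.iterdir()):
        owner = uid_of.get(user_dir.name)
        if owner is None or not user_dir.is_dir():
            continue
        site = user_dir / "public_html"
        if not site.is_dir():
            continue
        for path in sorted(site.rglob("*")):
            if path.name not in names or not path.is_file():
                continue
            # Directories strictly below home_root on the way to the file.
            ancestors = [p for p in path.parents if root in p.parents]
            searchable = all(can_search(p.stat().st_mode, owner, owner, uid, gids)
                             for p in ancestors)
            readable = can_read(path.stat().st_mode, owner, owner, uid, gids)
            if searchable and readable:
                exposed.append((user_dir.name, path.relative_to(root).as_posix()))
    return exposed


def build_demo_tree():
    """Constructed sample layout with three users (not a real server)."""
    root = Path(tempfile.mkdtemp(prefix="home-"))
    layout = {
        # user: (home mode, public_html mode, config.php mode)
        "x": (0o755, 0o755, 0o644),  # the usual default: Apache (and so every script) reads it
        "y": (0o755, 0o755, 0o640),  # group-only read; Apache is not in y's group
        "z": (0o700, 0o755, 0o644),  # home closed: Apache cannot traverse (nor serve the site)
    }
    for user, (home_mode, site_mode, file_mode) in layout.items():
        site = root / user / "public_html"
        site.mkdir(parents=True)
        cfg = site / "config.php"
        cfg.write_text("<?php $db_pass = 'constructed-secret';\n")  # constructed content
        cfg.chmod(file_mode)
        site.chmod(site_mode)
        (root / user).chmod(home_mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for user, rel in find_exposed(demo_root):
        print(f"{rel}: readable by uid {APACHE_UID}; any other user's PHP script can read it")
```

Only user x's config.php is reported: y's file is mode 0640 and the web-server identity is not in y's group, and z's home is 0700 so the path cannot be traversed at all. Note the trade-off the z case shows: with a single Apache identity, locking the home directory also stops Apache from serving the site. The standard way out, in answer to the reporter's question, is to run each user's scripts under that user's own identity (suEXEC for CGI, or in later setups one php-fpm pool per user), so the file can stay 0640 while the web server still reaches it through a group the user controls.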
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org