Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/06/21 21:49:31 UTC

DO NOT REPLY [Bug 10135] New: - users can view other user's web files through apache/php rights

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10135

users can view other user's web files through apache/php rights

           Summary: users can view other user's web files through apache/php
                    rights
           Product: Apache httpd-1.3
           Version: 1.3.23
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Auth/Access
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: tpalanga@hotmail.com


Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure
Apache so it will see every user's web files.
 So we have user x and user y. User x cannot see or read y's web files or
other files, but he is smart and somehow finds a way to break into y's web
(especially in the case of the /home/y/public_html setting: every user knows
that user xxyy has a public_html in his home dir, so he exploits it). How? By
Apache's rights. Does Apache have the rights to read ALL USERS' web files? YES.
  So x makes a browsing system and he uses Apache's rights to read ALL USERS'
web files for reading y's web files. So x reads x's config.php (or anything
else) and he finds out the database user and pass. What next?

  So, I think it's a bad thing (in fact it's a major security problem) for PHP
and Apache to use general rights for every user. Can Apache be configured as a
user-level multi-user-threaded server, or is this a SECURITY BUG?

  I think someone (at least PHP & Apache) cares.
  Best regards
  Tudor Palanga.
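The report's observation reduces to a mode-bit question: for Apache to serve /home/y/public_html at all, every directory on that path must be searchable and every served file readable by the single uid the server (and mod_php) runs as, so any other user's PHP script running under that same uid can read them too. The audit below is an added example written for this page, not code from the reporter, Apache or PHP. It implements the POSIX owner/group/other check and walks a toy /home tree, reporting which files a process with a given uid could read. The tree, the file modes and the web server uid (`os.getuid() + 1`, i.e. simply "some uid other than the file owner") are constructed for the demonstration; /home itself is assumed world-searchable, as it normally is.

```python
import os
import stat
import tempfile
from pathlib import Path

# Owner, group and other bits for the two permissions the audit needs.
_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def permits(st, uid, gids, perm):
    """POSIX mode-bit check for a process with this uid and these gids:
    does the file's mode grant `perm` ('r' = read, 'x' = search/execute)?
    Exactly one class applies: owner if the uid matches, else group if the
    file's gid is among the process gids, else other. Root bypasses it."""
    if uid == 0:
        return True
    owner_bit, group_bit, other_bit = _BITS[perm]
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def exposed_files(home_root, web_uid, web_gids=()):
    """Return every regular file under <home_root>/*/public_html that a
    process running as web_uid can read. Under a shared mod_php setup every
    such file is readable by any user's script, because all scripts run
    under that one uid: this is the situation the bug report describes."""
    web_gids = set(web_gids)
    found = []
    for home in sorted(Path(home_root).iterdir()):
        docroot = home / "public_html"
        if not docroot.is_dir():
            continue
        # The server needs search permission on the home dir and the
        # docroot; without it nothing below is reachable (0711 on the home
        # dir is enough, so a non-listable home dir does not help).
        if not all(permits(d.lstat(), web_uid, web_gids, "x") for d in (home, docroot)):
            continue
        for dirpath, dirnames, filenames in os.walk(docroot):
            # Prune subdirectories the web uid cannot enter.
            dirnames[:] = [
                d for d in dirnames
                if permits(os.lstat(os.path.join(dirpath, d)), web_uid, web_gids, "x")
            ]
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and permits(st, web_uid, web_gids, "r"):
                    found.append(path)
    return found


def build_demo_tree(root):
    """Constructed sample data: a toy /home with two users. y keeps the
    database credentials in a world-readable config.php (the report's case),
    a 0600 file, and a 0700 directory holding a 0644 file."""
    layout = {
        "x": {"index.php": 0o644},
        "y": {"index.html": 0o644, "config.php": 0o644, "secret.php": 0o600,
              "private/notes.txt": 0o644},
    }
    for user, files in layout.items():
        home = Path(root) / user
        docroot = home / "public_html"
        docroot.mkdir(parents=True)
        home.chmod(0o711)       # not listable, but searchable: typical
        docroot.chmod(0o755)
        for rel, mode in files.items():
            f = docroot / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(f"<?php // {user}'s {rel}\n")
            f.chmod(mode)
        private = docroot / "private"
        if private.is_dir():
            private.chmod(0o700)


def demo_exposed():
    """Build the toy tree in a temp dir and return, relative to it, the
    files readable by a hypothetical shared web server uid."""
    root = tempfile.mkdtemp()
    build_demo_tree(root)
    web_uid = os.getuid() + 1   # any uid other than the files' owner
    return sorted(os.path.relpath(p, root) for p in exposed_files(root, web_uid))


if __name__ == "__main__":
    for p in demo_exposed():
        print("readable by the shared web server uid:", p)
```

The run lists x's index.php and y's index.html and config.php; y's 0600 file and the file inside the 0700 directory stay hidden, but those are exactly the files Apache could not serve either, so mode bits alone cannot separate "servable by Apache" from "readable by every other user's PHP script". The separation has to come from running each user's scripts under that user's own uid (suEXEC with CGI/FastCGI, or a per-user PHP-FPM pool), which is the user-level model the reporter asks about; PHP's open_basedir narrows what a script may open but is not a kernel-enforced boundary and should not be relied on as one.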
