Posted to users@httpd.apache.org by ASAI <as...@globalchangemusic.org> on 2011/03/19 23:09:51 UTC

[users@httpd] Directories Being Probed Even When Index Listing Denied

Greetings,

I am hosting a domain with no website which is a gateway for several 
applications.  Directory indexes are turned off, however I noticed in 
the logs today that one of the directories which has no reference to the 
outside world was probed.  Is it possible that one can get the directory 
listing of a host even when index listing is turned off through some 
other agency?

How do I guard against things like this?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 03/19/2011 11:09 PM, ASAI wrote:
> Greetings,
>
> I am hosting a domain with no website which is a gateway for several 
> applications.  Directory indexes are turned off, however I noticed in 
> the logs today that one of the directories which has no reference to the 
> outside world was probed.  Is it possible that one can get the 
> directory listing of a host even when index listing is turned off 
> through some other agency?
>
> How do I guard against things like this?

You'd have to provide sufficient proof that that is what is happening.
Apache does not log whether a directory listing was retrieved or a 
normal file, so how do you KNOW this?


-- 

J.
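
The log does not say "listing" or "file", but it does record the request URI and the status, and that is enough for the check Jeroen is asking for. The script below is an added example, not code from the thread or from the httpd project: it pulls the directory-style requests (URI ending in "/") out of combined-format access log lines, keeps the ones that were actually served (200), and then asks the filesystem whether a DirectoryIndex file exists at that path. A 403 on a directory URI means the request was refused (Options -Indexes and no index file); a 200 with no index file on disk could only have been an autoindex listing. The log lines are constructed for the example, and the DirectoryIndex set (index.html index.php) and the docroot layout are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the thread. The access log records the
# request and the status, not whether mod_autoindex generated a listing;
# combining the log with a look at the docroot answers the question.
# The sample lines below are constructed. DirectoryIndex is assumed to
# be "index.html index.php".

SAMPLE_LOG='203.0.113.7 - - [19/Mar/2011:22:41:03 +0000] "GET /app/uploads/ HTTP/1.1" 403 281 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2011:22:41:04 +0000] "GET /app/uploads/.svn/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.2 - - [19/Mar/2011:22:42:10 +0000] "GET /app/ HTTP/1.1" 200 1432 "-" "curl/7.21.0"
198.51.100.2 - - [19/Mar/2011:22:42:11 +0000] "GET /app/index.php HTTP/1.1" 200 5120 "-" "curl/7.21.0"
198.51.100.2 - - [19/Mar/2011:22:42:15 +0000] "GET /app/cache/ HTTP/1.1" 200 2210 "-" "curl/7.21.0"'

# Combined log format on stdin; print "<status> <uri>" for every request
# whose URI ends in "/" (field 7 is the request URI, field 9 the status).
directory_requests() {
    awk '$7 ~ /\/$/ { print $9, $7 }'
}

# Of those, keep only the ones that were served (status 200): these are
# the only candidates for a listing having been returned. A 403 here is
# the expected result of Options -Indexes on a directory with no index.
served_directory_requests() {
    directory_requests | awk '$1 == 200 { print $2 }'
}

# Did a 200 on this directory URI come from a DirectoryIndex file or from
# a listing? Returns 0 (true) when no index file exists under the docroot,
# i.e. the only thing httpd could have served was an autoindex listing.
listing_would_be_served() {
    docroot=$1
    uri=$2
    for f in index.html index.php; do
        [ -e "$docroot$uri$f" ] && return 1
    done
    return 0
}

# Walk the log and report, per served directory URI, which case applies.
audit_listings() {
    docroot=$1
    served_directory_requests | sort -u | while read -r uri; do
        if listing_would_be_served "$docroot" "$uri"; then
            echo "LISTING $uri"
        else
            echo "INDEX   $uri"
        fi
    done
}

# Stand-alone demo against a scratch docroot built to match the sample
# log: /app/ has an index.php, /app/cache/ has nothing, so the 200 on
# /app/cache/ is reported as a listing.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/uploads" "$tmp/app/cache"
    : > "$tmp/app/index.php"
    printf '%s\n' "$SAMPLE_LOG" | audit_listings "$tmp"
    rm -rf "$tmp"
}
demo
```

Run it against a real log with `audit_listings /var/www/htdocs < /var/log/apache2/access.log` after adjusting the index file names to the server's DirectoryIndex. Any LISTING line is a path where indexes were on when the request came in; every 403 on a directory URI is the configuration doing its job, and a 404 for things like `/.svn/` is just the probe missing.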




Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Wed, Mar 30, 2011 at 7:35 AM, Mark Montague <ma...@catseye.org> wrote:

>  Next, configure Apache to execute the PHP for each virtual host as a user
> unique to that virtual host (and different from the user who owns the files
> for that virtual host).  There are several ways to do this, including
> suEXEC, FastCGI, and reverse proxies.  For more information, see
> http://wiki.apache.org/httpd/PrivilegeSeparation
>

I use the (experimental) ITK MPM (http://mpm-itk.sesse.net/).
It allows you to specify the user that a particular vhost is running as.
I recommend that option (as does linode <
http://library.linode.com/web-servers/apache/installation/ubuntu-10.10-maverick#multi_processing_module
> ).

- Yehuda

Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

Posted by Mark Montague <ma...@catseye.org>.
> You misunderstand. A user with FTP access only to a single virtual 
> host can upload a PHP shell to their web space. The PHP shell allows 
> them to log in with a made-up password they make. Once logged in to the 
> PHP shell they are no longer restricted by their FTP login permissions, 
> due to the fact that a PHP shell runs under the www-data account. The 
> fact that they have now hijacked the www-data account using the 
> uploaded PHP shell allows them to see the other virtual hosts' PHP 
> scripts, and even the root directory on the server if the www-data 
> account is not jailed. If it is jailed, they are restricted to seeing 
> all virtual hosts on the server. Jailed or not jailed, you can view 
> your neighbor's PHP code and steal it.
>
> How would one go about preventing this kind of attack while using 
> virtual hosts and PHP?

First, have the files for each virtual host owned by different users. 
  This will prevent someone who comes in via FTP from being able to 
access files belonging to other virtual hosts.  (By the way, you really 
should not use FTP since it is insecure; switch to SFTP instead).

Next, configure Apache to execute the PHP for each virtual host as a user 
unique to that virtual host (and different from the user who owns the 
files for that virtual host).  There are several ways to do this, 
including suEXEC, FastCGI, and reverse proxies.  For more information, 
see http://wiki.apache.org/httpd/PrivilegeSeparation

--
   Mark Montague
   mark@catseye.org
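
Putting Mark's two steps and Yehuda's mpm-itk suggestion into concrete form, as an added example that is not code from the thread, from the httpd project, or from mpm-itk: one account owns a vhost's files and uploads over SFTP, a second account is the one PHP executes as, and the run account can read but not write its own vhost and cannot enter any other vhost's tree. The PHP-as-its-own-user part is shown twice, once with mpm-itk's `AssignUserID` and once with a php-fpm pool per vhost reached over a UNIX socket (the FastCGI option Mark lists). Everything specific is an assumption: a vhost named `example1` with owner account `example1` and run account `example1-run`, the tree under `/var/www/example1`, httpd 2.4 (`Require` syntax, mod_proxy_fcgi), and Debian-style paths. The thread itself names none of these.

```shell
#!/bin/sh
# Added example, not code from the thread, httpd or mpm-itk. Assumed
# names: vhost "example1", SFTP owner "example1", run account
# "example1-run", tree /var/www/example1, httpd 2.4 with mod_proxy_fcgi.
#
# Default situation described in the thread: every vhost's PHP runs as
# www-data, so a PHP shell uploaded to one vhost reads every vhost's
# code. Below, PHP for a vhost runs as that vhost's own run account.

# Step 1 (Mark): separate ownership. The owner account uploads over SFTP
# and owns the files. The run account's primary group is the owner's
# group, so with 750/640 it can read but not write, and it has no access
# at all to another vhost's tree (owned by a different user and group).
setup_accounts() {
    vhost=$1
    home=/var/www/$vhost
    groupadd -f "$vhost"
    id "$vhost" >/dev/null 2>&1 ||
        useradd -g "$vhost" -d "$home" -s /usr/sbin/nologin "$vhost"
    id "$vhost-run" >/dev/null 2>&1 ||
        useradd -g "$vhost" -s /usr/sbin/nologin "$vhost-run"
    mkdir -p "$home/htdocs"
    chown -R "$vhost:$vhost" "$home"
    find "$home" -type d -exec chmod 750 {} +
    find "$home" -type f -exec chmod 640 {} +
}

# Step 2, variant A (Yehuda): mpm-itk. The whole vhost, static files
# included, is served as the run account, so www-data needs no access.
render_itk_vhost() {
    vhost=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $vhost.example
    DocumentRoot /var/www/$vhost/htdocs
    <IfModule mpm_itk_module>
        # A PHP shell uploaded here runs as $vhost-run, not www-data.
        AssignUserID $vhost-run $vhost
    </IfModule>
    <Directory /var/www/$vhost/htdocs>
        # Directory indexes off, as in the original question.
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Step 2, variant B (FastCGI): one php-fpm pool per vhost. httpd still
# runs as www-data and serves the static files itself, so for this
# variant www-data must also be able to read the tree
# (usermod -aG "$vhost" www-data); nothing user-controlled runs as it.
render_fpm_pool() {
    vhost=$1
    cat <<EOF
[$vhost]
user = $vhost-run
group = $vhost
listen = /run/php/$vhost.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

render_fpm_vhost() {
    vhost=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName $vhost.example
    DocumentRoot /var/www/$vhost/htdocs
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/run/php/$vhost.sock|fcgi://localhost/"
    </FilesMatch>
    <Directory /var/www/$vhost/htdocs>
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Usage: sh separate.sh show example1    print both variants' config
#        sh separate.sh apply example1   as root: create the accounts
case "${1:-}" in
    show)  render_itk_vhost "$2"; echo; render_fpm_pool "$2"; echo
           render_fpm_vhost "$2" ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
           setup_accounts "$2" ;;
esac
```

Whichever variant is used, the test of the setup is the attack from the thread: as `example1-run`, `cat /var/www/example2/htdocs/config.php` must fail with permission denied, and the same command as `example1` (the SFTP account) must fail too. Note that the two variants differ in what www-data can read: under mpm-itk it needs nothing, under php-fpm it needs read access to static files, which is acceptable only because no PHP executes as www-data any more.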


Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

Posted by aa...@comcast.net.
You misunderstand. A user with FTP access only to a single virtual host can upload a PHP shell to their web space. The PHP shell allows them to log in with a made-up password they make. Once logged in to the PHP shell they are no longer restricted by their FTP login permissions, due to the fact that a PHP shell runs under the www-data account. The fact that they have now hijacked the www-data account using the uploaded PHP shell allows them to see the other virtual hosts' PHP scripts, and even the root directory on the server if the www-data account is not jailed. If it is jailed, they are restricted to seeing all virtual hosts on the server. Jailed or not jailed, you can view your neighbor's PHP code and steal it. 

How would one go about preventing this kind of attack while using virtual hosts and PHP? 

----- Original Message ----- 
From: "Jeroen Geilman" <je...@adaptr.nl> 
To: users@httpd.apache.org 
Sent: Tuesday, March 29, 2011 2:16:56 PM 
Subject: Re: [users@httpd] Directories Being Probed Even When Index Listing Denied 

On 03/21/2011 03:28 AM, aaronrus@comcast.net wrote: 


If a PHP shell can be uploaded (http://phpshell.sourceforge.net/), then anything www-data can do, so can the shell user, as stated in my post about virtual hosts seeing each other's document roots. 

If you post the root password on your website, then anybody can bring the machine down. 
It's not very useful to do so, however. 





----- Original Message ----- 
From: "ASAI" <as...@globalchangemusic.org> 
To: users@httpd.apache.org 
Sent: Saturday, March 19, 2011 6:09:51 PM 
Subject: [users@httpd] Directories Being Probed Even When Index Listing Denied 

Greetings, 

I am hosting a domain with no website which is a gateway for several 
applications. Directory indexes are turned off, however I noticed in 
the logs today that one of the directories which has no reference to the 
outside world was probed. Is it possible that one can get the directory 
listing of a host even when index listing is turned off through some 
other agency? 

How do I guard against things like this? 




-- 
J. 

Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 03/21/2011 03:28 AM, aaronrus@comcast.net wrote:
> If a PHP shell can be uploaded (http://phpshell.sourceforge.net/), then 
> anything www-data can do, so can the shell user, as stated in my post 
> about virtual hosts seeing each other's document roots.
>
If you post the root password on your website, then anybody can bring 
the machine down.
It's not very useful to do so, however.

>
> ----- Original Message -----
> From: "ASAI" <as...@globalchangemusic.org>
> To: users@httpd.apache.org
> Sent: Saturday, March 19, 2011 6:09:51 PM
> Subject: [users@httpd] Directories Being Probed Even When Index 
> Listing Denied
>
> Greetings,
>
> I am hosting a domain with no website which is a gateway for several
> applications.  Directory indexes are turned off, however I noticed in
> the logs today that one of the directories which has no reference to the
> outside world was probed.  Is it possible that one can get the directory
> listing of a host even when index listing is turned off through some
> other agency?
>
> How do I guard against things like this?
>
>


-- 
J.


Re: [users@httpd] Directories Being Probed Even When Index Listing Denied

Posted by aa...@comcast.net.
If a PHP shell can be uploaded (http://phpshell.sourceforge.net/), then anything www-data can do, so can the shell user, as stated in my post about virtual hosts seeing each other's document roots. 


----- Original Message ----- 
From: "ASAI" <as...@globalchangemusic.org> 
To: users@httpd.apache.org 
Sent: Saturday, March 19, 2011 6:09:51 PM 
Subject: [users@httpd] Directories Being Probed Even When Index Listing Denied 

Greetings, 

I am hosting a domain with no website which is a gateway for several 
applications. Directory indexes are turned off, however I noticed in 
the logs today that one of the directories which has no reference to the 
outside world was probed. Is it possible that one can get the directory 
listing of a host even when index listing is turned off through some 
other agency? 

How do I guard against things like this? 
