Security leak in Apache

liteonit (Verified User, joined Feb 3, 2008)
Hello,

I think I've found a security leak in the Apache configuration.
One user reported to me that a script called "haxplorer" is using this security leak.
This script works only when using the following link: "http://serverip/~username/script.php". It doesn't work when using "http://mydomain.com/script.php".

When a user is using this script, it is possible to show other users' data (read/write/delete/upload etc.). You can cd to another user's home directory like /home/otheruser/public_html.

I don't have much information about this script. The only thing I know is that it's using the PHP functions "opendir" and "readdir" for reading the directories.
I can't disable those functions, because they are used by a lot of scripts.

Another thing in this script that worked on DirectAdmin is shell access (shell access is disabled for the user in DirectAdmin). To solve this, just disable the PHP function "shell_exec".

I've tried many things to block this script, but nothing seems to help:
-suPHP enabled
-PHP5 CGI enabled
-Apache mod_secure

The whole server is up-to-date. Server OS is CentOS 5.

As far as I know this works on all DirectAdmin servers I've tried already.
The DirectAdmin crew can send me a PM if they want this script!
 
This is not a bug in Apache, it's more the way Apache/DirectAdmin is configured to use http://ip/~user.

It is true that the PHP "security" settings like safe mode, open basedir, etc. don't work there. If you want to disable it:

nano /etc/httpd/conf/extra/httpd-vhosts.conf
Replace:
AliasMatch ^/~([^/]+)(/.*)* "/home/$1/public_html$2"
with:
AliasMatch ^/~([^/]+)(/.*)* "/var/www/html/index.html"
Restart apache

The disadvantage is that users can't use their account until their domain is resolving.
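The AliasMatch edit above is the whole fix, so the useful check on a box is whether the ~username alias still points into /home/$1/public_html. The script below is an added example, not code from the thread or from DirectAdmin: it classifies an httpd config file as "vulnerable" (alias maps into users' public_html, where the per-domain PHP restrictions do not apply), "disabled" (alias present but pointing at a static file, as suggested above), or "absent", and runs itself against three constructed sample configs. The sample file names and the temporary directory are assumptions; on a real server you would point it at /etc/httpd/conf/extra/httpd-vhosts.conf.

```shell
#!/bin/sh
# Added example, not from the DirectAdmin thread.
# Classify the "~username" AliasMatch in an Apache config file.
#   vulnerable - alias maps /~user/ into /home/<user>/public_html
#   disabled   - alias present but targets something else (e.g. a static index)
#   absent     - no uncommented AliasMatch for ^/~ at all
userdir_alias_status() {
    conf="$1"
    # Only uncommented AliasMatch lines whose pattern starts with ^/~
    line=$(grep -E '^[[:space:]]*AliasMatch[[:space:]]+\^/~' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    elif printf '%s\n' "$line" | grep -qF '/home/$1/public_html'; then
        echo vulnerable
    else
        echo disabled
    fi
}

# Constructed sample configs modelled on the two lines quoted in the post
# above (hypothetical file names, written to a temporary directory).
tmpdir=$(mktemp -d)

cat > "$tmpdir/vuln.conf" <<'EOF'
# default VirtualHost, as shipped
AliasMatch ^/~([^/]+)(/.*)* "/home/$1/public_html$2"
EOF

cat > "$tmpdir/fixed.conf" <<'EOF'
# ~username access pointed at a static page instead
AliasMatch ^/~([^/]+)(/.*)* "/var/www/html/index.html"
EOF

cat > "$tmpdir/none.conf" <<'EOF'
# AliasMatch ^/~([^/]+)(/.*)* "/home/$1/public_html$2"   (commented out)
DocumentRoot /var/www/html
EOF

for f in vuln fixed none; do
    printf '%s.conf: %s\n' "$f" "$(userdir_alias_status "$tmpdir/$f.conf")"
done

rm -rf "$tmpdir"
```

Run it as `sh audit_userdir.sh`; it prints one status per sample file. The check deliberately ignores commented-out lines, since a `#` in front of the old AliasMatch is exactly how an admin would have disabled it.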
 
We're likely going to be adding an option for admins to disable ~username altogether if they want, and just have DA create a default Domain Pointer called:
userdomain.com.yourhostname.com

where userdomain.com is the domain created for the user, and yourhostname.com is any domain you want that already exists and is working on the box. That way the domain can be accessed before userdomain.com resolves, and the user's VirtualHost is used, along with all his settings. The user could then delete the domain pointer afterwards, whenever he wants (since it's just a regular domain pointer), but wouldn't be able to re-add the domain pointer if this option is enabled: http://www.directadmin.com/features.php?id=925

John
 
John,

The option to disable ~yourusername is a good one, but creating a domain pointer isn't. Nowadays every TLD has multiple zone updates a day: com/net/org/info is realtime, and .nl, for example, every 2 hours. Why don't you skip the domain pointers and let the customer wait a couple of minutes :) He can already upload his files etc. and wait till it resolves :)
 
Hello,

I'll have to give admins the options to do what they want regardless of what is the "correct" solution.

John
 
"Garbage" domain entries :)

So when the domain resolves (which could be hours, or even a whole day or more) they can delete the pointer. No big deal. I still don't see a disadvantage.
 