Re: Directories Being Probed Even When Index Listing Denied

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

You miss understand. A user with ftp access only to a single virtual host can upload a PHP shell to there web space. The PHP shell allows them to login with a made up password they make. Once logged in to the PHP shell they are no longer restricted by there FTP login permissions due to the fact that a PHP shell runs under the www-data account. The fact that they have now hijacked the www-data account using the uploaded PHP shell allows them to see the other virtual hosts  PHP scripts. And even the root directory on the server if the www-data account is not jailed. if it is jailed they are restricted to seeing all virtual hosts on the server. jailed or not jailed you can view your neighborer PHP Code and steel it.

How would one go about preventing this kind of attack while using virtual hosts and PHP?

----- Original Message -----
From: "Jeroen Geilman" <jeroen@xxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Tuesday, March 29, 2011 2:16:56 PM
Subject: Re: Directories Being Probed Even When Index Listing Denied

On 03/21/2011 03:28 AM, aaronrus@xxxxxxxxxxx wrote:
If a PHP Shell can be uploaded. http://phpshell.sourceforge.net/ Then any thing www-data can do so can the shell user, As stated in my post about virtual hosts seeing each others document roots.

If you post the root password on your website, then anybody can bring the machine down.
It's not very useful to do so, however.


----- Original Message -----
From: "ASAI" <asai@xxxxxxxxxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Saturday, March 19, 2011 6:09:51 PM
Subject: Directories Being Probed Even When Index Listing Denied

Greetings,

I am hosting a domain with no website which is a gateway for several
applications.  Directory indexes are turned off, however I noticed in
the logs today that one the directories which has no reference to the
outside world was probed.  Is it possible that one can get the directory
listing of a host even when index listing is turned off through some
other agency?

How do I guard against things like this?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



-- 
J.
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux