|
View Full Version : opendir can list all files and directories!!!
ehsan 12-15-2004, 01:57 PM Hi,
As you know the opendir() is a php functions that is used in lots of scripts,
I just found that this function can simply list all files on everywhere on server, even outside the /home directory,
This is an example that lists files in the root directory :
<?
$dir = "/";
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
while (($file = readdir($dh)) !== false) {
print "filename: $file : filetype: " . filetype($dir . $file) . "\n";
}
closedir($dh);
}
}
?>
Also you will have access to everyfile, I think this is not normal, any Idea why this happens?
php runs as cgi (phpsuexec) and the open_basedir is enabled also,
disabling this function in php.ini is not a good idea as lots of scripts will fail running,
Regards,
ehsan 12-16-2004, 04:06 AM I just tested this on some other servers and it worked out!!!
Is this normal?
andreyka 12-16-2004, 07:34 AM When you run phpsuexec the open_basedir doesn't work!
ehsan 12-16-2004, 07:37 AM Originally posted by andreyka
When you run phpsuexec the open_basedir doesn't work!
Thanks for your reply, AnyIdea? As I don't like to disable phpsuexec,
andreyka 12-16-2004, 08:36 AM I reccomend to disable suexec and use openbasedir.
It is faster. And securiy not low.
Also I have solution was can apache work with running each process as user, but not suexec using :)
ehsan 12-16-2004, 09:09 AM Originally posted by andreyka
I reccomend to disable suexec and use openbasedir.
It is faster. And securiy not low.
Also I have solution was can apache work with running each process as user, but not suexec using :)
Thanks again,
I thought that suexec has more security than others, anyways can you tell me more about your solution?
Well even if you do remove phpsuexec and bring in open_base, there are still ways people can view the directories. There comes a point where you sometimes you need to accept these shortcommings on a shared hosting environment with propietary software installed and just work around it as best you can. I'm not to familiar myself with mod_security, but I believe that it might be possible to restrict this sort of activity by tweaking its config.
Also, just because they can navigate to those area's, doesn't nessesarily mean they can read the content of the files or launch x programs. It all depends on your setup however.
ehsan 12-16-2004, 12:10 PM Dear Haze,
Thanks for your reply,
but if you have phpsuexec, as andreyka said, this disables open_basedir so disbaling the phpsuexec and using the open_basedir will solve the problem, also you have to disable some functions in php.ini but you will lose the great feature of suexec, running apache as users,
Is there anyway to run apache as users without phpsuexec?
Thats simply a bandaid solution, like i said. Users can still use perl for instance to browse those areas. You might also want to look into tweaking permissions ( /scripts/enablefileprotect might help here ? ).
ehsan 12-17-2004, 03:36 AM Thanks Haze,
/scripts/enablefileprotect will fix permissions of /home and other files and directories inside it,
I'm still searching for a way to have apache runs as user, not nobody,
Regards,
nexcess.net 12-17-2004, 06:54 AM A simple solution, but not an all encompasing one, is to simply chmod directories you don't want browsed 711. This will stop snoopers from doing dir listings and traversing directories simply by a dir search. This won't break scripts either as few scripts need to traverse /, /etc, /home, /usr, /sbin etc.
Chris
|