-
09-01-2007, 06:31 PM #1Newbie
- Join Date
- Feb 2007
- Posts
- 26
user can see /etc/passwd. how to stop this
Hello,
We have CentOS and WHM 11 on the server. Also we have PHP 4.4.4 and open base dir enabled on the server. We have a shared server with many websites configured on it.
Now the user uses the following PHP code and can see the /etc/passwd file
=============================================
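<?
// Show the settings currently in effect for this script
echo ini_get("safe_mode");
echo ini_get("open_basedir");
// First read attempt, made with those settings in effect
include("/etc/passwd");
// ini_restore() resets each option to its original (startup) value
ini_restore("safe_mode");
ini_restore("open_basedir");
// Show the settings again after the reset
echo ini_get("safe_mode");
echo ini_get("open_basedir");
// Second read attempt, made after the reset
include("/etc/passwd");
?>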
============================================
Now how to stop this? This is a security hole. So please suggest how to stop this.
Thanks.
its_joe
-
09-01-2007, 06:33 PM #2Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
That's not a security hole.
The /etc/passwd file contains nothing of any real value...
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
09-01-2007, 08:44 PM #3Web Hosting Master
- Join Date
- Jan 2006
- Location
- Athens, Greece
- Posts
- 1,481
The security hole is if passwords are composed from single words.
-
09-01-2007, 09:46 PM #4Newbie
- Join Date
- Sep 2007
- Posts
- 9
this is true.
the ability to view the etc/passwd is only useful in certain things.
1. it provides a list of usernames, important for bruting.
2. that same list of usernames, could aid in cross server attacks.
(/home[username]/public_html/)
3. could show who has shells or not. (for bruting)
other than this, it's not that important, but I would suggest not worrying about it that much. Usernames can be emulated, or guessed with programs such as nikto.pl
just make sure the ability to brute your ssh is denied, and cross server attacks too, usually by setting directory permissions of the user's directory to something like 711
google has many many hardening tutorials on all your services and server security.
-
09-02-2007, 01:06 AM #5Aspiring Evangelist
- Join Date
- Nov 2005
- Posts
- 352
The fact is that "/etc/passwd" must be world readable, otherwise certain services that drop root privileges when running (e.g., bind, proftpd, apache, etc.) may or may not function properly if they can't match usernames to system UID's.
-
09-02-2007, 01:36 AM #6WHT Addict
- Join Date
- Feb 2006
- Location
- Melbourne, Australia
- Posts
- 141
Correct, it isn't a security hole.
The passwords cannot be decrypted to my knowledge (Don't quote me on that) and, as dexxtreme stated, the file MUST be world readable, otherwise you WILL find yourself in a heap of trouble.
Dymestry Interactive | Australian Co-Location - Dymestry.com
Fully Managed Dedicated Servers And Co-Location (Sydney & Melbourne)
-
09-02-2007, 06:21 AM #7Aspiring Evangelist
- Join Date
- Nov 2005
- Posts
- 352
-
09-02-2007, 06:33 AM #8Greece
- Join Date
- Jan 2004
- Location
- Greece
- Posts
- 2,211
There were OSes many years ago that stored encrypted passwords inside /etc/passwd. Then system users used John the Ripper (don't remember if the name is correct) to try to find the root password.
-
09-02-2007, 12:29 PM #9Newbie
- Join Date
- Sep 2007
- Posts
- 9
you don't need to gain root access in all cases.
it all depends on who set up the box.
I've seen the shadow file as user 'nobody'
with jtr, it's easy.
you just take the passwd file, the shadow file, and run it thru.
problem is, unless you used a password of something stupid like 'rosebud' or anything else that's in a word list, then you're screwed.
either way, this could take a very very long time.
you could tighten your security, by forcing all passwords to be a minimum of 16 chars, require at least 1 uppercase, 1 special char, 1 underscore, etc...
and the most troubling chars for cracking programs are spaces.
-
09-02-2007, 02:31 PM #10Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
-
09-02-2007, 04:19 PM #11WHT Addict
- Join Date
- Sep 2005
- Posts
- 150
I am not very good at PHP, but setting the open_basedir value under the vhost in httpd.conf will stop PHP scripts from accessing files outside of the user's home dir.
-
09-02-2007, 11:34 PM #12Web Hosting Master
- Join Date
- Oct 2004
- Location
- Kerala, India
- Posts
- 4,771
One thing you can do is run PHP as CGI, so the "nobody" user cannot upload and execute PHP scripts.
David | www.cliffsupport.com
Affordable Server Management Solutions sales AT cliffsupport DOT com
CliffWebManager | Access WHM from iPhone and Android
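
The checks raised in posts #4, #5, #8 and #9 (accounts with login shells, /etc/passwd world-readable but not writable, no password hashes left in /etc/passwd, /etc/shadow closed to other users, home directories no more open than 711), gathered into one audit script. This is an added example, not code from any poster in the thread; the sample passwd text, the `NO_LOGIN` and `SHADOWED` sets and the function names are assumptions made for the example.

```python
import os
import stat

# Constructed sample in passwd format: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/false
legacy:CONSTRUCTED-HASH:503:503::/home/legacy:/bin/sh
"""
NO_LOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed list
SHADOWED = {"x", "*", "!", "!!"}  # markers meaning no usable hash is stored here

def audit_passwd(text):
    """Return (accounts with a login shell, accounts whose password field
    is not a shadow marker) from passwd-format text."""
    login, unshadowed = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        name, pw, shell = fields[0], fields[1], fields[6]
        if shell not in NO_LOGIN:
            login.append(name)
        if pw not in SHADOWED:
            unshadowed.append(name)
    return login, unshadowed

def mode_findings(path, kind):
    """Check permission bits; kind is 'passwd', 'shadow' or 'home'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    rw_group_other = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
    out = []
    if kind == "passwd":
        if not mode & stat.S_IROTH:
            out.append("not world-readable: UID-to-name lookups break")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            out.append("writable by group or other")
    elif kind == "shadow" and mode & stat.S_IRWXO:
        out.append("accessible to other users")
    elif kind == "home" and mode & rw_group_other:
        out.append("more open than 711")
    return out

if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    for path, kind in (("/etc/passwd", "passwd"), ("/etc/shadow", "shadow")):
        if os.path.exists(path):
            print(path, mode_findings(path, kind) or "ok")
```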