Webhacking and Security

Some tricks that are dangerous for web hosting.

I’ll just list some things I know that can be dangerous for web hosting.

1. You’ve activated open_basedir but didn’t disable system() & co functions.

Everybody knows about open_basedir, the PHP setting that confines you to one directory. With the system functions it becomes really simple to bypass this restriction, and you should be aware of it. For example, if open_basedir is set to "/var/user1/public_html/", a PHP file inside that folder containing system("cd ../;ls"); will list what you shouldn’t be able to see, as long as your system user has permission to read it.

2. You’ve activated system() & co functions, but put a different user on every folder so they can’t move around.

It worked only one time for me, but it should be an interesting thing to know. Sometimes web hosts put a different user on each folder in /home, for example: "/home/user2/public_html/" is owned by user2, "/home/user123/public_html/" by user123, etc. Now, don’t forget about the /tmp folder, which is accessible most of the time. You put a file into that /tmp folder that will bind a port on the server leading to a shell/SSH access, and execute it. You’re now inside /tmp, and you don’t have your old rights anymore.

3. /tmp accessible and everybody’s sessions readable.

In a past case, I got PHP shell access to a server that hosted websites, but I couldn’t change my directory to see the one I was looking for. I searched for the admin access that was on the same server. What I did was simply check the /tmp folder with a bot and look through every session, pick one up, make a cookie from that session, and I got access to the admin of another website.

Finally:

– Never let your web hosted users use system() & co functions. (They generally don’t need them.)
– Be aware of local root exploits and keep your systems updated.
– Put open_basedir, or a similar system, on every user.
– Don’t let people read other users’ sessions.
And of course the general advice: "Firewall, change your SSH port or filter by IP, etc."
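As an added example (not code from the original post), here is a small POSIX shell audit that reads a php.ini file and flags the misconfigurations from the checklist above: open_basedir unset, system() & co still missing from disable_functions, and sessions stored in a shared /tmp. It also accepts php-fpm pool syntax (php_admin_value[key] = value); the file handling, the list of shell-spawning functions and the sample configuration are my assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a php.ini-style file for
# the hosting weaknesses listed above. Assumes plain "key = value" lines; php-fpm
# pool syntax (php_admin_value[key] = value) is accepted as well.

# Functions that hand the PHP user a shell; every one should be disabled.
SHELL_FUNCS="system exec shell_exec passthru popen proc_open"

# php_ini_get FILE KEY: print the last uncommented value of KEY ("" if unset).
php_ini_get() {
    grep -E "^[[:space:]]*(php_(admin_)?value\[)?$2]?[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/^"//; s/"?[[:space:]]*$//'
}

# audit_php_ini FILE: print one line per finding (no output means no findings).
audit_php_ini() {
    basedir=$(php_ini_get "$1" open_basedir)
    disabled=$(php_ini_get "$1" disable_functions | tr -d ' ')
    savepath=$(php_ini_get "$1" session.save_path)
    # Checklist point 3: every user should be confined by open_basedir.
    [ -n "$basedir" ] || echo "open_basedir is not set"

    # Point 1: open_basedir alone is bypassed as soon as system() & co are callable.
    missing=""
    for f in $SHELL_FUNCS; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    [ -z "$missing" ] || echo "command-execution functions still enabled:$missing"

    # Point 4: session files in a shared /tmp are readable by other tenants.
    case "$savepath" in
        ""|/tmp|/tmp/|/var/tmp|/var/tmp/)
            echo "session.save_path is the shared '${savepath:-/tmp}' directory" ;;
    esac
}

# Constructed sample of a weak shared-hosting php.ini (not a real file).
demo() {
    weak=$(mktemp)
    printf '%s\n' 'open_basedir = "/var/user1/public_html/"' \
        'disable_functions =' 'session.save_path = "/tmp"' > "$weak"
    audit_php_ini "$weak"
    rm -f "$weak"
}
demo
```

Run it against each tenant's php.ini or php-fpm pool file; any printed line is a configuration to fix before that tenant can run PHP.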
