HowtoForge Forums > ISPConfig 2 > Installation/Configuration

A big security issue in FTP server

#1 - freesqrt - 15th June 2008, 15:46

Hi,

We have installed ISPConfig to manage web, mail, FTP and DNS servers.
But when I create mail/FTP accounts in it, users can upload any type of file (including PHP code) and run it. By this, a user can, for example, get the source code of our website or see the contents of other folders. (However, users cannot change the contents of other users' folders.)
The permissions of the users' folders are 755.

What can we do about this issue?

regards,
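Added example (not code from this thread or from ISPConfig): a small model of the Unix permission check that decides what the PHP interpreter can read, run under the two process models the thread goes on to compare: mod_php, where every site's PHP runs as the Apache user (which in the layout described in post #8 also owns the files), and per-site PHP, where suPHP or a FastCGI pool runs the script as the site owner. The UIDs, GIDs, paths and modes are constructed, and the tree is an in-memory list rather than a real filesystem, so the script runs anywhere.

```python
"""Model of who can read what on a shared PHP host.

Added example, not code from this thread or from ISPConfig.  UIDs, GIDs,
paths and modes are constructed, and the tree is a list in memory rather
than a real filesystem."""
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path uid gid mode")

APACHE_UID, APACHE_GID = 48, 48          # constructed: the shared httpd user
WEB1, WEB2 = 1001, 1002                  # constructed: per-site owners

# Constructed tree: each site owner owns its own files, dirs 0755, files 0644.
TREE = [
    Entry("/home/web1",                WEB1, WEB1, stat.S_IFDIR | 0o755),
    Entry("/home/web1/web",            WEB1, WEB1, stat.S_IFDIR | 0o755),
    Entry("/home/web1/web/config.php", WEB1, WEB1, stat.S_IFREG | 0o644),
    Entry("/home/web2",                WEB2, WEB2, stat.S_IFDIR | 0o755),
    Entry("/home/web2/web",            WEB2, WEB2, stat.S_IFDIR | 0o755),
    Entry("/home/web2/web/config.php", WEB2, WEB2, stat.S_IFREG | 0o644),
]


def permits(entry, uid, gids, other_bit):
    """Classic Unix DAC: root always; owner bits if uid matches; group bits if
    one of the process's groups matches; otherwise the 'other' bits.
    other_bit is stat.S_IROTH or stat.S_IXOTH and is shifted to the class."""
    if uid == 0:
        return True
    if uid == entry.uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool(entry.mode & (other_bit << shift))


def readable(tree, path, uid, gids):
    """True if a process with this uid/gids can open `path` for reading:
    every ancestor directory present in the tree must be searchable (x)
    and the file itself readable (r).  Ancestors not listed (e.g. /home)
    are assumed traversable."""
    by_path = {e.path: e for e in tree}
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in by_path and not permits(by_path[parent], uid, gids, stat.S_IXOTH):
            return False
    return permits(by_path[path], uid, gids, stat.S_IROTH)


def owned_by(tree, uid, gid):
    """The layout from post #8: everything under the web roots owned by Apache."""
    return [e._replace(uid=uid, gid=gid) for e in tree]


def with_dir_mode(tree, perm):
    """Re-chmod every directory (e.g. 0o750) and leave the files alone."""
    return [e._replace(mode=stat.S_IFDIR | perm) if stat.S_ISDIR(e.mode) else e
            for e in tree]


def site_can_read_neighbour(tree, php_uid, php_gids):
    """Can a script served from web1 read web2's config.php?"""
    return readable(tree, "/home/web2/web/config.php", php_uid, php_gids)


if __name__ == "__main__":
    # mod_php: every vhost's PHP runs as Apache, and Apache owns the files
    shared = owned_by(TREE, APACHE_UID, APACHE_GID)
    for perm in (0o755, 0o750, 0o700):
        print("mod_php, Apache-owned, dirs %o: web2 readable from web1? %s"
              % (perm, site_can_read_neighbour(with_dir_mode(shared, perm),
                                               APACHE_UID, {APACHE_GID})))
    # suPHP / FastCGI: web1's PHP runs as uid 1001, files owned by each site
    for perm in (0o755, 0o750):
        print("per-site PHP, site-owned, dirs %o: web2 readable from web1? %s"
              % (perm, site_can_read_neighbour(with_dir_mode(TREE, perm),
                                               WEB1, {WEB1})))
```

Under mod_php with Apache owning the files the mode bits never matter, because the interpreter is the owner; chmod cannot fix that configuration. Only when the interpreter runs as the site's own uid does dropping the 'other' bits (0750 instead of 0755) stop the cross-site read, which is why the later replies steer towards suPHP rather than chroot.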
#2 - Rockdrala - 15th June 2008, 23:42

To be honest, if I was a customer and I wanted to upload PHP websites, I would be pissed if I wasn't able to.

I'm sure they can upload whatever file they want if using direct FTP access, but only the admin of the site is entitled to do that.

If you're using a page where the website's users upload files, you can modify the upload script to only allow certain file types.

AFAIK (I could be wrong) I don't think multiple users have FTP access. I could be wrong. Just the admin of the website does.
#3 - daveb - 16th June 2008, 02:04

You could chroot your users so that they cannot get outside their home dir. I don't know your distribution, but you could try something like this: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch
#4 - falko - 16th June 2008, 14:11

You can use PHP Safe Mode. That way, PHP scripts cannot read the contents of files/directories outside the document root.
#5 - freesqrt - 17th June 2008, 05:22

Dear Falko,

Because of our main web structure, I cannot enable PHP safe mode, because that way I would have to give some folders permissions that are more dangerous than now.

EDIT:
As Daveb advised, I think it is a good idea to chroot users' folders. But if I do this, can users access their database if needed?
Last edited by freesqrt; 17th June 2008 at 07:04.
#6 - till - 17th June 2008, 12:34

Chrooting works just for SSH; it has no effect on PHP scripts and will not help you in this regard. The only way to separate PHP scripts is to use safe mode or suPHP.
#7 - Ben - 17th June 2008, 13:13

Quote: Originally Posted by freesqrt
    Dear Falko,

    Because of our main web structure, I cannot enable PHP safe mode, because that way I would have to give some folders permissions that are more dangerous than now.

    EDIT:
    As Daveb advised, I think it is a good idea to chroot users' folders. But if I do this, can users access their database if needed?

But for this you have open_basedir, to restrict it from accessing files outside the defined paths.
#8 - freesqrt - 21st June 2008, 11:55

Dear friends,

All of these solutions are great but are unsuitable for me because:

1- suPHP limits PHP execution by code owner; however, all of the users' directories are owned by Apache.

2- open_basedir limits based on directory. For example, you can limit PHP execution to the /home/web1/web path. But I want each user to be able to execute their code in their own directory only.

By the way, what is your idea about Suhosin?
I have no idea about it.

With regards,
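Added example for the open_basedir suggestion in post #7 and the objection to it just above: open_basedir is set per vhost with php_admin_value, so each site gets its own allowed path list, which is the per-user scoping being asked for. This is not code from this thread or from ISPConfig. Site names, paths and the ServerName pattern are constructed; open_basedir_allows() models the documented rule (the normalised target must begin with one of the entries, and an entry without a trailing slash is a plain string prefix, so /home/web1 also admits /home/web10) using posixpath, not the symlink-resolving realpath() PHP uses internally.

```python
"""Per-vhost open_basedir: the Apache directives and a model of the check.

Added example, not code from the thread or from ISPConfig.  Site names and
paths are constructed; open_basedir_allows() reproduces the documented
prefix rule with posixpath rather than PHP's realpath()."""
import posixpath

SITES = {                          # constructed: site -> document root
    "web1": "/home/web1/web",
    "web2": "/home/web2/web",
    "web10": "/home/web10/web",
}


def basedir_value(docroot, extra=("/tmp",)):
    """Colon-separated open_basedir string.  Every entry gets a trailing
    slash so it is matched as a directory, not as a string prefix."""
    return ":".join(p.rstrip("/") + "/" for p in (docroot,) + tuple(extra))


def vhost_snippet(site, docroot):
    """Apache/mod_php directives for one site.  php_admin_value cannot be
    overridden from .htaccess or ini_set(), unlike php_value."""
    return "\n".join([
        "<VirtualHost *:80>",
        "    ServerName %s.example.com" % site,        # constructed name
        "    DocumentRoot %s" % docroot,
        '    php_admin_value open_basedir "%s"' % basedir_value(docroot),
        "</VirtualHost>",
    ])


def open_basedir_allows(path, basedirs):
    """Model of PHP's check.  `basedirs` is the colon-separated ini value.
    An entry ending in '/' admits that directory and its descendants; an
    entry without the slash admits anything whose path starts with it."""
    target = posixpath.normpath(path)          # collapses /../ traversal
    for base in basedirs.split(":"):
        if not base:
            continue
        if base.endswith("/"):
            base_dir = posixpath.normpath(base).rstrip("/") + "/"
            if target == base_dir.rstrip("/") or target.startswith(base_dir):
                return True
        elif target.startswith(posixpath.normpath(base)):
            return True
    return False


if __name__ == "__main__":
    for site, root in SITES.items():
        print(vhost_snippet(site, root), "\n")
    web1 = basedir_value(SITES["web1"])
    probes = [
        "/home/web1/web/index.php",
        "/home/web1/web/../../web2/web/config.php",   # traversal into web2
        "/home/web10/web/config.php",
    ]
    for p in probes:
        print("%-45s %s" % (p, open_basedir_allows(p, web1)))
    # the prefix gotcha: without the trailing slash web1's entry covers web10
    print("'/home/web1' admits web10?",
          open_basedir_allows("/home/web10/web/x.php", "/home/web1"))
    print("'/home/web1/' admits web10?",
          open_basedir_allows("/home/web10/web/x.php", "/home/web1/"))
```

Two caveats. open_basedir is enforced only by PHP's own file functions; anything a script starts through exec(), system() or similar runs as the Apache user with no such limit, so this narrows the exposure described in post #1 but does not replace running each site as its own uid. And always end each entry with a slash: ISPConfig-style numbered site directories (web1, web10, web11, ...) are exactly the case where the bare prefix silently admits a neighbour.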
#9 - falko - 22nd June 2008, 13:45
Quote:
    Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

It's no solution for your problem.