
4th June 2012, 00:56
Member
Join Date: May 2012
Location: Perú
Posts: 85
Thanks: 12
Thanked 0 Times in 0 Posts
a security hole in my host!
how to lock folders? /var/www/clients/client1/web4/web?

4th June 2012, 08:30
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,182 Times in 3,201 Posts
1) set php mode to "php-fcgi" in the website settings.
2) Enable the suexec checkbox in the website settings.
3) Add the following line to the custom php.ini settings field of the website:
Code:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink, wordwrap, url_fopen, phpcredits, escapeshellarg, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_terminate, virtual, ini_alter, ini_restore, set_include_path, php_ini_scanned_files, memory_get_usage
Btw. Please use the normal font size and color of the forum for your text and not these big red letters.
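An added check, not part of the thread and not ISPConfig's own code, that reads the disable_functions line out of a php.ini fragment (such as the custom php.ini field above) and reports which of the process-execution functions from the list are still enabled. The required set is the subset of names from the post that spawn processes; the php.ini content is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a per-site php.ini really
# disables the process-execution functions a web shell relies on.
# Usage: check_disable_functions /path/to/php.ini  (exit 0 = all disabled)

# Names taken from the disable_functions line in the post; only the ones
# that spawn processes are required here (assumption for this check).
REQUIRED_DISABLED="system shell_exec passthru exec popen proc_open"

# Print the disable_functions value of a php.ini, one name per line,
# spaces stripped; if the key appears more than once the last one wins,
# which is also how PHP treats repeated keys.
disabled_list() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' '\n' | tr -d ' \t'
}

# Print every required function that the php.ini does NOT disable.
missing_functions() {
    list=$(disabled_list "$1")
    for fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$list" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# Human-readable report; returns 1 when anything is missing.
check_disable_functions() {
    missing=$(missing_functions "$1")
    if [ -n "$missing" ]; then
        echo "still enabled in $1:"
        echo "$missing"
        return 1
    fi
    echo "all required exec functions are disabled in $1"
    return 0
}

# Demo on a constructed php.ini that carries the exact line from the post.
DEMO_INI=$(mktemp)
cat > "$DEMO_INI" <<'EOF'
; constructed sample, not a real server file
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink, wordwrap, url_fopen, phpcredits, escapeshellarg, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_terminate, virtual, ini_alter, ini_restore, set_include_path, php_ini_scanned_files, memory_get_usage
EOF
check_disable_functions "$DEMO_INI"
rm -f "$DEMO_INI"
```

Run it against the php.ini that PHP actually loads for the site (phpinfo() shows the path under "Loaded Configuration File"), not only against the field in the control panel, so that a typo or an overriding later definition shows up.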

4th June 2012, 23:25
Member
Join Date: May 2012
Location: Perú
Posts: 85
Thanks: 12
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by till
1) set php mode to "php-fcgi" in the website settings.
2) Enable the suexec checkbox in the website settings.
3) Add the following line to the custom php.ini settings field of the website:
Code:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink, wordwrap, url_fopen, phpcredits, escapeshellarg, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_terminate, virtual, ini_alter, ini_restore, set_include_path, php_ini_scanned_files, memory_get_usage
Btw. Please use the normal font size and color of the forum for your text and not these big red letters.


5th June 2012, 08:18
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,182 Times in 3,201 Posts
Please use fastcgi and not cgi as I suggested above.
The screenshot does not mean much, it just tells you that you are able to access files inside your website directory, which has to be the case if you want to run a php script in your site. Try to access files from another website that does not belong to the same client or add a file in /root as root user and then try to access that file to see if the sites are protected or not.

5th June 2012, 21:38
Member
Join Date: May 2012
Location: Perú
Posts: 85
Thanks: 12
Thanked 0 Times in 0 Posts
C99Shell in ispconfig
Quote:
Originally Posted by till
Please use fastcgi and not cgi as I suggested above.
The screenshot does not mean much, it just tells you that you are able to access files inside your website directory, which has to be the case if you want to run a php script in your site. Try to access files from another website that does not belong to the same client or add a file in /root as root user and then try to access that file to see if the sites are protected or not.
You can read the files of all clients.
I now use fastcgi.
How can I fix this hole?
Last edited by loadingjkr; 5th June 2012 at 21:44.

5th June 2012, 21:52
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,182 Times in 3,201 Posts
The above screenshot shows some world readable folders and not client files, so this screenshot does not indicate that you can read client files as well. If you want to test that, try to access the web dir of a website of another client and read a file which is owned by the web user of the other site and has 700 or 750 permissions.
Have you set the security level in ispconfig to medium or high under system > server config?

6th June 2012, 06:38
Member
Join Date: May 2012
Location: Perú
Posts: 85
Thanks: 12
Thanked 0 Times in 0 Posts
high security level
Since client 1 shows the files of client 2.
I can only read the code, but not edit it.

6th June 2012, 08:53
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,182 Times in 3,201 Posts
This website must have been created with security level medium and not the level high, as the permissions of the "web" folder are 755 and not 710, or you don't use the current ispconfig version. Please create a new website after you set the security level to high and after you updated ispconfig to 3.0.4.5; the permissions of the new "web" directory should be 710 then and you cannot access it anymore from another site.
Quote:
I can only read the code, but not edit it.
That's because the default files are world readable as they don't contain any security related code. If you change the file permissions to 700 or 750 for a file (you can do this for all new files by changing the default umask of the ftp daemon), then other sites can't read any code inside the files while apache can still execute them.
Besides the Linux permission layer of security you should check which other exec function is used by the shell that you used to test your server and add this function to the disable_functions list as well. You can also turn on the php safemode in the custom php.ini field, but safemode is deprecated according to the php developers, although it might give you some additional security to turn it on.
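An added audit script, not from the thread and not part of ISPConfig, for the directory check described in this and the earlier replies: it walks an ISPConfig-style tree ROOT/clients/clientN/webM/web and lists every "web" directory whose mode still grants "other" users any access (the 755 case from the thread), then optionally tightens those to the 710 that the high security level is said to produce. The directory tree in the demo is constructed in a temp dir; ownership is left alone because the web user of each site is not known here.

```sh
#!/bin/sh
# Added example (not from the thread): audit per-site "web" directories for
# world access. 710 = owner rwx, group x, others nothing; any bit in the
# "other" triplet lets every other site's PHP process traverse or list it.

# Print every clients/client*/web*/web directory below $1 that "other"
# users can read, write or traverse. Sorted so callers get stable output.
world_accessible_webdirs() {
    find "$1" -mindepth 4 -maxdepth 4 -type d \
        -path '*/clients/client*/web*/web' \
        \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print | sort
}

# Set each reported directory to 710 (the mode till describes for security
# level high) and echo what was changed.
harden_webdirs() {
    world_accessible_webdirs "$1" | while IFS= read -r d; do
        chmod 710 "$d" && echo "fixed: $d -> 710"
    done
}

# Demo on a constructed tree: one site created "medium" style (755),
# one created "high" style (710).
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/clients/client1/web4/web" "$DEMO_ROOT/clients/client2/web5/web"
chmod 755 "$DEMO_ROOT/clients/client1/web4/web"
chmod 710 "$DEMO_ROOT/clients/client2/web5/web"
echo "world-accessible web dirs before:"
world_accessible_webdirs "$DEMO_ROOT"
harden_webdirs "$DEMO_ROOT"
echo "world-accessible web dirs after: $(world_accessible_webdirs "$DEMO_ROOT" | wc -l | tr -d ' ')"
rm -rf "$DEMO_ROOT"
```

On a real server run the audit part first (`world_accessible_webdirs /var/www`) and confirm the listed sites' web users and groups are what Apache runs as before applying `harden_webdirs`, since 710 only works when Apache is in the directory's group.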