How do I prevent an uploaded file from allowing browsing of the server?

Posted: Sun Jun 05, 2005 4:02 pm
by heiatufte
Hi there!

My server is used as a "Free webhotel", so people can register and publish their own sites, php and mysql supported. It used to run on a win xp machine :oops:.

Recently, someone uploaded a PHP script which allowed them to browse the whole server. They could also see my own site files, and eventually someone would have found the file that connects to my mysql database, and see my password.

I had to shut the site down. (The logs showed that they hadn't found the password yet though).

I eventually found out that switching to linux would be more secure. Starting from NO experience at all, I installed Fedora Core 3 and Gnome.

Now, after a lot of configuring and compiling, it finally works, but to my surprise, the user could still browse the server!

I turned safe_mode and safe_mode_gid in php.ini off. No result.
Setting open_basedir to something limited would prevent include() and other functions I need to work.

Here's the script: http://home.no.net/rht87/dirtable.txt
(If it doesn't work on your server, try adding "?showdir=/<folder name>/" to the end of the URL, or "?showdir=C:\<folder name>" if windows.)

Some folders are hidden, but if the user knows it's there, it can be manually inserted into $showdir=(...). That applies to files also, $showfile=(...).

I can't reopen my site if I can't fix this problem! :cry: Does anyone know any way I can prevent this kind of file browsing? I know it's possible. And I'm open for most suggestions :D

BR/HeiaTufte

Posted: Sun Jun 05, 2005 4:11 pm
by timvw
You need to read your webserver documentation...

And make sure that the files are uploaded or not allowed to be interpreted..

For example, make an .htaccess in the upload dir

<Files ~ "\.php$">
   Order allow,deny
   Deny from all
</Files>

Posted: Sun Jun 05, 2005 4:28 pm
by heiatufte
I want them to be interpreted, I just don't want them to be able to browse the rest of my disk.
I doubt people would be very interested in my webhotel if I don't allow them to run their own files ;)
How did you know I'm using Apache? Did you just assume? :P
I wouldn't be asking here if I didn't RTFM (well, just those parts where it's most likely to be) anyway :)

Posted: Sun Jun 05, 2005 4:31 pm
by timvw
Because your scripts are executed by your webserver you have to make sure your webserver is not allowed to list those directories... or access those files...

I think it's easier to configure suPHP or suEXEC for the upload directory, and make sure all files in that directory are executed under an even more restricted user..

Posted: Sun Jun 05, 2005 8:01 pm
by heiatufte
Thanks!

I downloaded suPHP, and made it work (never tried/heard of before though).
The malicious script has some problems downloading files that don't have read permissions for "others" now! But so has apache.
Opening an html document which doesn't have read permissions for others than "root" will give a 403 Forbidden error.

My apache program is self-compiled, so I don't have a user for it. The user "apache" belongs to the pre-compiled apache installation that came with FC3. I don't think I have apxs with that one though, so suPHP wouldn't work.

Anyway, how can I now add a user in a way so that all files can be read via the http daemon, while PHP can't see any? And, is it safe to give the whole disk only root access? How do I do that, anyway? Or perhaps you have a better suggestion.

As you probably can see, I'm not that experienced :oops: but I'm learning ;)
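
Added example, not part of the original thread or any poster's code: once suPHP runs each customer's scripts as that customer, a foreign script can only reach what the "others" permission bits allow, which is the behaviour described in the last post. This shell script audits a hosting root for those bits and removes them; the one-directory-per-customer layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one directory per customer
# under a hosting root (e.g. /srv/webhotel/<user>, a hypothetical path) and
# that PHP runs as the owning customer (suPHP/suEXEC), so every other
# customer's script falls into the "others" permission class.

# audit_other_access ROOT
# Prints "<KIND> <path>" for everything a foreign script could reach:
#   LIST   directory readable by others (contents can be enumerated)
#   ENTER  directory searchable by others (known names inside can be opened)
#   READ   regular file readable by others
#   WRITE  file or directory writable by others
audit_other_access() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d -perm -0004 -print | sed 's/^/LIST /'
    find "$root" -type d -perm -0001 -print | sed 's/^/ENTER /'
    find "$root" -type f -perm -0004 -print | sed 's/^/READ /'
    find "$root" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/WRITE /'
}

# count_findings ROOT -> number of findings (0 means nothing is exposed)
count_findings() {
    audit_other_access "$1" | wc -l | tr -d ' '
}

# lock_down ROOT
# Removes all access for "others". Static files then have to reach the web
# server through the group class (for example group = the httpd user's group,
# directories 0750, files 0640); choosing that group is left to the admin.
lock_down() {
    chmod -R o-rwx "$1"
}
```

An ENTER finding without a matching LIST finding is the "hidden folder" case from the first post: the directory cannot be enumerated, but a path that is already known can still be opened.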