I host a very small hosting site that hosts a type of chat software. I give each user a /home/ jailed FTP, but they have their own www folder they can upload things to.
One of my users uploaded this PHP file: http://pastebin.com/YAJW8weh, which seems to be able to save PHP files and allow him to download them.
Using this, I think he was able to access some of my files, and one of my PHP files had my MySQL password in it, with which he then gained access to a database with all my clients' passwords.
How can I stop this from happening again? What precautions should I take when giving users their own /home/ directory?
Answer
You want to disable php for the home folder.
When using PHP as an Apache module (default on Ubuntu 10.04), add the following to your Apache configuration:
php_admin_value engine Off
You should probably also use Options -ExecCGI and AllowOverride None there for safety. See the official Apache security tips. If your web server has other kinds of scripts enabled (like mod_perl), be sure to disable them for the home folder too.
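The answer's three directives, written out as a complete per-user directory block. This is an added example, not part of the original answer: the paths (/home/*/www) and the list of script extensions are assumptions, and the syntax is the Apache 2.2 form that shipped with Ubuntu 10.04. It also covers a point the answer leaves implicit: with the PHP engine off, Apache will serve an uploaded .php file as plain text rather than execute it, so the block refuses to serve such files at all instead of leaking their source.

```apacheconf
# Added example (not from the original answer). Assumes each user's uploads live
# under /home/<user>/www and that mod_php is in use; adjust paths to your layout.

# --- Weak: what an unrestricted user web directory effectively looks like ---
# <Directory /home/*/www>
#     Options +ExecCGI            # CGI scripts run
#     AllowOverride All           # an uploaded .htaccess can change anything
#     # PHP engine still on: an uploaded .php file runs as the web server user
#     # and can read any file that user can read, e.g. another site's config
#     # containing database credentials.
# </Directory>

# --- Hardened: no script execution in user upload directories ---
<Directory /home/*/www>
    # Turn the PHP engine off for this tree. php_admin_* settings cannot be
    # changed from .htaccess or ini_set(); this is the boolean form of the
    # answer's "php_admin_value engine Off".
    php_admin_flag engine Off

    # No CGI, no server-side includes, no following symlinks out of the
    # user's directory.
    Options -ExecCGI -Includes -FollowSymLinks

    # Ignore any .htaccess a user uploads.
    AllowOverride None

    # With engine Off, a .php file would be served raw (source disclosure).
    # Refuse to serve script-looking files at all. Extension list is an
    # assumption; extend it for whatever handlers are enabled on the server.
    <FilesMatch "\.(php|phtml|php[0-9]|phar|pl|cgi|py)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
    # Apache 2.4 equivalent of the two lines above: Require all denied
</Directory>
```

After adding this, run `apache2ctl configtest` and reload Apache, then upload a small test script such as `<?php phpinfo(); ?>` into a user's www directory and fetch it: it should return 403, not a PHP info page and not the script's source. Note that this only stops future uploads from executing; a password that was already exposed, as in the question, should be changed regardless, and config files containing credentials should not be readable by the account the web server runs as.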