+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: Suggestions (/forum-2.html)
+--- Thread: Folder permissions (/thread-9055.html)
Pages: 1 2
Folder permissions - c0urier - 01-02-2010 06:12 PM
Just a little suggestion regarding folder permissions/owner.
Yesterday something sad happened to one of our Customers, he "had" a Webspell site which was targeted by some sort of cross-site scripting which resulted in his page + backup's to be deleted. Everything his virtual user "vu****" owned was gone.
This led me to think, wouldn't it be a good idea to make the backup folder owned by someone else or only give the user read permission to the folder and the files in it, since now with 1.0.3 we have the possibility to chose which backup type users should have.
I don't even know if this would secure the users from issues like cross site scripting and the lose of files.
**PS: No need for info about choosing a more secure CMS system
.
RE: Folder permissions - kilburn - 01-02-2010 08:08 PM
Quote:This led me to think, wouldn't it be a good idea to make the backup folder owned by someone else or only give the user read permission to the folder and the files in it, since now with 1.0.3 we have the possibility to chose which backup type users should have.Root owned backup folder + backup archives with read permission for the user is the way to go IMHO. That said, the original developer of this functionality might have some reason to set permissions as they are, so let's see what other devs think about it...
Quote:I don't even know if this would secure the users from issues like cross site scripting and the lose of files.XSS (Cross-Site Scripting) can not result in file loses. Your website was vulnerable to executable scripts uploading
RE: Folder permissions - c0urier - 01-02-2010 08:23 PM
killburn you are probably right about the last part - But as I've understood it is possible to make a php query that does nasty stuff (Don't hang up on it).
But as goes for the permissions, I don't know - Just posted in suggestions since it's my suggestion. But I can't say if it has other disadvantages than the users themselves not being able to deleted the backup's.
RE: Folder permissions - kilburn - 01-02-2010 08:29 PM
Quote:killburn you are probably right about the last part - But as I've understood it is possible to make a php query that does nasty stuff (Don't hang up on it).
Only if your website is also vulnerable to some sort of script or SQL injection. Otherwise, it can only trigger the execution of admin functions that there may be on the website (which should not include any form of non-webiste uploaded file deletion).
RE: Folder permissions - c0urier - 01-02-2010 08:36 PM
Fair enough, just know everything related to the specific user was gone. Except a file I had moved to his directory with different permissions. Even everything in: /var/www/fcgi/DOMAIN.com/ (php2/php.ini and php5-fcgi-starter) was gone - But db's and mail was still intact. And they are funny enough owned by other users.
RE: Folder permissions - c0urier - 02-05-2010 08:26 AM
Just a little side-node - The attack was not related to Webspell, so I have to say sorry to the developers there - But related to AmxBans 5.1.
Just saw this little awesome mails:
Subject:
Fx29Shell http://xxxx.xxxxxx.com/demos/c99bypass.php by 90.157.8.141
From:
webmaster@xxxxxx.com (virtual-user)
Date:
Thu, 4 Feb 2010 14:28:32 +0100 (CET)
To:
feelcomz@gmail.com
Boss, there was an injected target on xxxx.xxxxxx.com/demos/c99bypass.php by 90.157.8.141
So this happened after I restored and made a clean installation of everything incl. AmxBANS.
I've attached the apache access-log on AmxBans.de's forum, hopefully someone can help me understand how they found and how to prevent this vulnerability (http://www.amxbans.de/viewtopic.php?f=4&t=816).
RE: Folder permissions - kilburn - 02-05-2010 06:59 PM
So this AmxBans stuff has a security vulnerabiliy. You should inspect your apache logs to see who accessed this URL for the first time, and then filter the access logs by this IP. Hopefully, this will show you the URLs that it previously visited, among which the vulnerable script is found.
RE: Folder permissions - c0urier - 02-05-2010 08:12 PM
Hi Kilburn, already did that - Have log's and everything and know who, what and how almost =). Check the link I posted and see the log and scroll a bit down in the log and you'll see.
RE: Folder permissions - kilburn - 02-05-2010 08:19 PM
Looks like a classical SQL injection to get the admin user/pass:
Code:
90.157.8.141 - - [04/Feb/2010:13:54:44 +0100] "GET /code.php HTTP/1.1" 200 190 "http://bans.xxxx-xxxxxx.com/ban_details.php?bid=5100+union+select+1,concat(username,0x3a,password,0x3a,logcode),3,4,5,6+from+amx_webadmins" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"Followed by the installation of a php_shell through the admin interface:
Code:
90.157.8.141 - - [04/Feb/2010:13:57:08 +0100] "POST /admin/demo.php HTTP/1.1" 200 149 "http://bans.xxxx-xxxxxx.com/admin/demo.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
90.157.8.141 - - [04/Feb/2010:13:57:24 +0100] "GET /demos/wso2_pack.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"... and once he had a php shell uploaded, all sort of nasty things are possible: website completely hacked.
RE: Folder permissions - c0urier - 02-06-2010 09:22 PM
The worst part is the knew about the security bug but did not inform people - That is pretty bad.