

Folder permissions
c0urier (Junior Member, Posts: 89, Joined: Jun 2007)
Post #1: Folder permissions
Just a little suggestion regarding folder permissions/owner.

Yesterday something sad happened to one of our customers: he "had" a Webspell site which was targeted by some sort of cross-site scripting, which resulted in his page + backups being deleted. Everything his virtual user "vu****" owned was gone.
This led me to think: wouldn't it be a good idea to make the backup folder owned by someone else, or only give the user read permission to the folder and the files in it, since now with 1.0.3 we have the possibility to choose which backup type users should have?

I don't even know if this would secure the users from issues like cross-site scripting and the loss of files.

PS: No need for info about choosing a more secure CMS system ;)
(This post was last modified: 01-02-2010 06:12 PM by c0urier.)
01-02-2010 06:12 PM
kilburn (Development Team, Posts: 2,182, Joined: Feb 2007)
Post #2: RE: Folder permissions
Quote: This led me to think, wouldn't it be a good idea to make the backup folder owned by someone else or only give the user read permission to the folder and the files in it, since now with 1.0.3 we have the possibility to choose which backup type users should have.
Root-owned backup folder + backup archives with read permission for the user is the way to go IMHO. That said, the original developer of this functionality might have some reason to set permissions as they are, so let's see what other devs think about it...

Quote: I don't even know if this would secure the users from issues like cross-site scripting and the loss of files.
XSS (Cross-Site Scripting) cannot result in file losses. Your website was vulnerable to executable script uploading :P
01-02-2010 08:08 PM
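The permission rule behind kilburn's recommendation (root-owned folder, archives readable by the user) is easy to get wrong: whether a file can be deleted is decided by the parent directory's mode, not the file's. The script below is an added example, not code from this thread or from the panel it discusses; it lays out a backup folder in a temporary directory with the recommended modes and evaluates, purely from the mode bits, who could read and who could unlink the archives. Because chown needs root, the "owned by someone else" case is simulated by evaluating the rules as an unrelated, hypothetical web uid (60001, an assumption); the "owned by the web user" case, which is what the customer had, is evaluated as the directory's real owner.

```python
import os
import stat
import tempfile

# Hypothetical uid/gid for the virtual web user (assumed for this example, not from the thread).
WEB_UID = 60001
WEB_GIDS = (60001,)


def _allowed(st, uid, gids, u_bit, g_bit, o_bit):
    """Pick the owner, group or other permission class as 'uid' would see it.
    Deliberately no root override: the kernel lets uid 0 bypass all of this."""
    if uid == st.st_uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)


def can_read(path, uid, gids):
    return _allowed(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_delete(path, uid, gids):
    """unlink() is decided by the parent directory (write + search permission), not by
    the file's own mode. A sticky parent additionally restricts unlink to the file
    owner or the directory owner."""
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    writable = _allowed(pst, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    searchable = _allowed(pst, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (writable and searchable):
        return False
    if pst.st_mode & stat.S_ISVTX:
        return uid in (os.stat(path).st_uid, pst.st_uid)
    return True


def audit(backup_dir, uid, gids):
    """For every entry in backup_dir, report whether 'uid' can read and delete it."""
    report = {}
    for name in sorted(os.listdir(backup_dir)):
        p = os.path.join(backup_dir, name)
        report[name] = {"read": can_read(p, uid, gids), "delete": can_delete(p, uid, gids)}
    return report


def demo():
    """Build a backup folder with the recommended modes (directory 0755, archives 0644)
    and audit it twice: as the directory owner (this process, standing in for a folder
    the web user owns) and as an unrelated web user (standing in for a root-owned folder)."""
    me, my_gids = os.getuid(), (os.getgid(),) + tuple(os.getgroups())
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.mkdir(backup)
        os.chmod(backup, 0o755)
        # One archive with the usual mode and one the owner made read-only (0444).
        for name, mode in (("web1.tar.gz", 0o644), ("web1-readonly.tar.gz", 0o444)):
            p = os.path.join(backup, name)
            with open(p, "wb") as fh:
                fh.write(b"constructed archive bytes")  # constructed sample content
            os.chmod(p, mode)
        return {"as_owner": audit(backup, me, my_gids),
                "as_web_user": audit(backup, WEB_UID, WEB_GIDS)}


if __name__ == "__main__":
    for who, report in demo().items():
        for name, perms in report.items():
            print(f"{who:12} {name:22} read={perms['read']!s:5} delete={perms['delete']}")
```

The read-only archive is the instructive case: with the folder owned by the web user, chmod 444 on the archive changes nothing, since the directory grants the unlink. Only moving the directory to another owner (root, in kilburn's suggestion) with mode 0755 leaves the user able to download the archive but not remove it, which is exactly the property a compromised web account should not be able to violate.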
c0urier, Post #3: RE: Folder permissions
kilburn, you are probably right about the last part. But as I've understood it, it is possible to make a PHP query that does nasty stuff (don't hang up on it).

But as for the permissions, I don't know. I just posted in suggestions since it's my suggestion. But I can't say if it has other disadvantages than the users themselves not being able to delete the backups.
01-02-2010 08:23 PM
kilburn, Post #4: RE: Folder permissions
Quote: kilburn, you are probably right about the last part. But as I've understood it, it is possible to make a PHP query that does nasty stuff (don't hang up on it).

Only if your website is also vulnerable to some sort of script or SQL injection. Otherwise, it can only trigger the execution of admin functions that there may be on the website (which should not include any form of non-website-uploaded file deletion).
01-02-2010 08:29 PM
c0urier, Post #5: RE: Folder permissions
Fair enough, just know that everything related to the specific user was gone, except a file I had moved to his directory with different permissions. Even everything in /var/www/fcgi/DOMAIN.com/ (php2/php.ini and php5-fcgi-starter) was gone. But DBs and mail were still intact, and they are, funnily enough, owned by other users.
01-02-2010 08:36 PM
c0urier, Post #6: RE: Folder permissions
Just a little side-note: the attack was not related to Webspell, so I have to say sorry to the developers there, but to AmxBans 5.1.

Just saw these little awesome mails:
Subject: Fx29Shell http://xxxx.xxxxxx.com/demos/c99bypass.php by 90.157.8.141
From: webmaster@xxxxxx.com (virtual-user)
Date: Thu, 4 Feb 2010 14:28:32 +0100 (CET)
To: feelcomz@gmail.com

Boss, there was an injected target on xxxx.xxxxxx.com/demos/c99bypass.php by 90.157.8.141

So this happened after I restored and made a clean installation of everything incl. AmxBANS.

I've attached the apache access-log on AmxBans.de's forum, hopefully someone can help me understand how they found and how to prevent this vulnerability (http://www.amxbans.de/viewtopic.php?f=4&t=816).
(This post was last modified: 02-05-2010 11:52 AM by c0urier.)
02-05-2010 08:26 AM
kilburn, Post #7: RE: Folder permissions
So this AmxBans stuff has a security vulnerability. You should inspect your Apache logs to see who accessed this URL for the first time, and then filter the access logs by this IP. Hopefully, this will show you the URLs that it previously visited, among which the vulnerable script is found.
02-05-2010 06:59 PM
c0urier, Post #8: RE: Folder permissions
Hi kilburn, already did that. Have logs and everything and know who, what and how, almost =). Check the link I posted and see the log; scroll a bit down in the log and you'll see.
02-05-2010 08:12 PM
kilburn, Post #9: RE: Folder permissions
Looks like a classical SQL injection to get the admin user/pass:
Code:
90.157.8.141 - - [04/Feb/2010:13:54:44 +0100] "GET /code.php HTTP/1.1" 200 190 "http://bans.xxxx-xxxxxx.com/ban_details.php?bid=5100+union+select+1,concat(username,0x3a,password,0x3a,logcode),3,4,5,6+from+amx_webadmins" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"

Followed by the installation of a php_shell through the admin interface:
Code:
90.157.8.141 - - [04/Feb/2010:13:57:08 +0100] "POST /admin/demo.php HTTP/1.1" 200 149 "http://bans.xxxx-xxxxxx.com/admin/demo.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"
90.157.8.141 - - [04/Feb/2010:13:57:24 +0100] "GET /demos/wso2_pack.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"

... and once he had a PHP shell uploaded, all sorts of nasty things are possible: website completely hacked.
02-05-2010 08:19 PM
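The triage kilburn describes in post #7 and carries out by hand in post #9 (find the first request for the web shell, pull that client's earlier requests, spot the injection) can be scripted, and one detail is worth showing in code: the UNION payload never appears in a request line for the vulnerable page, only in the Referer of the request that followed it, so a detector that ignores the Referer column misses it. The script below is an added example, not code from this thread or from AmxBans; it parses Apache combined-format lines with a regex and applies that procedure. The three 90.157.8.141 lines are the ones quoted in the post above (with the stray zero-width space in "logcode" removed); the lines from 192.0.2.7 and 198.51.100.9 are constructed filler on TEST-NET addresses, added to show that an earlier benign visitor and a later visitor to the shell are both ignored.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Deliberately narrow markers of a UNION-based injection; widen for real use.
SQLI_RE = re.compile(r"union\s+(?:all\s+)?select|concat\s*\(|information_schema", re.I)

# First and last lines are constructed; the three 90.157.8.141 lines come from the post.
SAMPLE_LOG = [
    '192.0.2.7 - - [04/Feb/2010:13:50:01 +0100] "GET /ban_details.php?bid=5100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '90.157.8.141 - - [04/Feb/2010:13:54:44 +0100] "GET /code.php HTTP/1.1" 200 190 "http://bans.xxxx-xxxxxx.com/ban_details.php?bid=5100+union+select+1,concat(username,0x3a,password,0x3a,logcode),3,4,5,6+from+amx_webadmins" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"',
    '90.157.8.141 - - [04/Feb/2010:13:57:08 +0100] "POST /admin/demo.php HTTP/1.1" 200 149 "http://bans.xxxx-xxxxxx.com/admin/demo.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.2.15 Version/10.10"',
    '90.157.8.141 - - [04/Feb/2010:13:57:24 +0100] "GET /demos/wso2_pack.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)"',
    '198.51.100.9 - - [04/Feb/2010:14:10:00 +0100] "GET /demos/wso2_pack.php HTTP/1.1" 200 105 "-" "curl/7.19.7"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def looks_like_sqli(entry):
    """Check the request path AND the Referer after URL-decoding ('+' becomes a space):
    the injected page often shows up only as the Referer of the next request."""
    return any(SQLI_RE.search(unquote_plus(entry[f])) for f in ("path", "referer"))


def triage(lines, shell_path):
    """Find the first request for the web shell, take that client's requests up to
    that point, and flag the ones carrying an injection payload."""
    entries = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    first = next((e for e in entries if e["path"] == shell_path), None)
    if first is None:
        return None
    history = [e for e in entries if e["ip"] == first["ip"] and e["ts"] <= first["ts"]]
    return {
        "attacker_ip": first["ip"],
        "first_shell_hit": first["ts"],
        "history": history,
        "injections": [e for e in history if looks_like_sqli(e)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "/demos/wso2_pack.php")
    print("first shell hit from", result["attacker_ip"], "at", result["first_shell_hit"])
    for e in result["history"]:
        flag = "SQLI?" if e in result["injections"] else "     "
        print(flag, e["ts"].time(), e["method"], e["path"], "referer:", e["referer"][:70])
```

Run against the sample, the output is the chain from post #9: the injection against ban_details.php (visible only via the Referer of the /code.php request), the POST to the admin page that planted the shell, and the first GET of the shell itself. Everything after the first shell hit, including other clients fetching the shell later, is outside the window and is not attributed to the initial intrusion.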
c0urier, Post #10: RE: Folder permissions
The worst part is they knew about the security bug but did not inform people. That is pretty bad.
02-06-2010 09:22 PM