Bug #17911 users can view other user's web files through apache/php rights
Submitted: 2002-06-21 15:49 UTC Modified: 2002-06-21 16:00 UTC
From: tpalanga at hotmail dot com Assigned:
Status: Not a bug Package: Apache related
PHP Version: 4.1.2 OS: Linux
Private report: No CVE-ID: None
 [2002-06-21 15:49 UTC] tpalanga at hotmail dot com
Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure Apache so it will see every user's web files.
 So we have user x and user y. User x cannot see or read y's web files or other files, but he is smart and somehow finds a way to break into y's web (especially in the case with the /home/y/public_html setting --- every user knows that user xxyy has a public_html in his home dir, so he exploits it). How? By Apache's rights. Does Apache have the rights to read ALL USERS' web files? YES.
  So x makes a browsing system and he uses Apache's rights to read ALL USERS' web files for reading y's web files. So x reads x's config.php (or anything else) and he finds out the database user and pass. What next?
 
  So, I think it's a bad thing (in fact it's a major security problem) for PHP and Apache to use general rights for every user. Can Apache be configured as a user-level multi-user-threaded server, or is this a SECURITY BUG?
  
  I think someone (at least PHP&Apache) cares.
  Best regards
  Tudor Palanga.
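
The exposure described in the report above can be audited from file modes alone. The following is an added example (not part of the original report, and not PHP or Apache code) that lists the files under each user's public_html that a given web server uid/gid could open; the function names, the temporary sample tree and the uid/gid values are assumptions constructed for illustration.

```python
import os
import tempfile

def allowed(st, uid, gids, bit):
    # POSIX picks exactly one permission class: owner, else group, else other.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def web_readable(path, home_root, uid, gids):
    # Opening a known path needs search (x) on every directory below
    # home_root and read (r) on the file itself.
    parts = os.path.relpath(path, home_root).split(os.sep)
    cur = home_root
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if not allowed(os.stat(cur), uid, gids, 0o1):
            return False
    return allowed(os.stat(path), uid, gids, 0o4)

def exposed_files(home_root, web_uid, web_gids, docroot="public_html"):
    # Run as an account that can traverse every home directory (e.g. root).
    hits = []
    for user in sorted(os.listdir(home_root)):
        top = os.path.join(home_root, user, docroot)
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(dirpath, name)
                if web_readable(path, home_root, web_uid, web_gids):
                    hits.append(os.path.relpath(path, home_root))
    return sorted(hits)

def build_demo_tree():
    # Constructed sample layout standing in for /home; not real user data.
    root = tempfile.mkdtemp()
    files = {"x/public_html/config.php": 0o600,
             "y/public_html/config.php": 0o644,
             "y/public_html/private/db.php": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
        os.chmod(path, mode)
    for rel in ("x", "x/public_html", "y", "y/public_html"):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "y/public_html/private"), 0o700)
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    st = os.stat(root)
    # Assumed web server identity: a uid/gid that owns none of the sample files.
    print(exposed_files(root, st.st_uid + 1, {st.st_gid + 1}))
```

Every path it reports is a file that any script executed under the shared web server account can read, regardless of which user uploaded the script.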

 [2002-06-21 16:00 UTC] cynic@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.
 
Last updated: Thu Mar 13 20:01:30 2025 UTC