php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17911 users can view other user's web files through apache/php rights
Submitted: 2002-06-21 15:49 UTC Modified: 2002-06-21 16:00 UTC
From: tpalanga at hotmail dot com Assigned:
Status: Not a bug Package: Apache related
PHP Version: 4.1.2 OS: Linux
Private report: No CVE-ID: None
 [2002-06-21 15:49 UTC] tpalanga at hotmail dot com
Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure Apache so it will see every user's web files.
 So we have user x and user y, User x cannot see or read the y's web files or other files, but he is smart and somehow finds a mode to break into y's web (especially in the case with /home/y/public_html setting --- every user knows that user xxyy has an public_html in his home dir, so he exploits it). How ? By Apache's rights. Does Apache have the rights to read ALL USERS web files ? YES.
  So x makes a browsing system and he uses Apache's rights to read ALL USERS web files for reading y's web files.  So x reads x's config.php (or anything else) and he finds out the database user and pass. What next ?
 
  So, I tink it's a bad thing (in fact it's a major security problem) for php and Apache to use general rights for every user. Can Apache be configured as an user-level multi-user-threaded server or this is a SECURITY BUG ?
  
  I think someone (at least PHP&Apache) cares.
  Best regards
  Tudor Palanga.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-06-21 16:00 UTC] cynic@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jun 17 04:01:31 2024 UTC