PHP :: Bug #17911 :: users can view other user's web files through apache/php rights

Bug #17911	users can view other user's web files through apache/php rights
Submitted:	2002-06-21 15:49 UTC	Modified:	2002-06-21 16:00 UTC
From:	tpalanga at hotmail dot com	Assigned:
Status:	Not a bug	Package:	Apache related
PHP Version:	4.1.2	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2002-06-21 15:49 UTC] tpalanga at hotmail dot com

Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure Apache so it will see every user's web files.
 So we have user x and user y, User x cannot see or read the y's web files or other files, but he is smart and somehow finds a mode to break into y's web (especially in the case with /home/y/public_html setting --- every user knows that user xxyy has an public_html in his home dir, so he exploits it). How ? By Apache's rights. Does Apache have the rights to read ALL USERS web files ? YES.
  So x makes a browsing system and he uses Apache's rights to read ALL USERS web files for reading y's web files.  So x reads x's config.php (or anything else) and he finds out the database user and pass. What next ?
 
  So, I tink it's a bad thing (in fact it's a major security problem) for php and Apache to use general rights for every user. Can Apache be configured as an user-level multi-user-threaded server or this is a SECURITY BUG ?
  
  I think someone (at least PHP&Apache) cares.
  Best regards
  Tudor Palanga.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-06-21 16:00 UTC] cynic@php.net

Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 26 12:01:30 2024 UTC