Bug #17911 users can view other user's web files through apache/php rights
Submitted: 2002-06-21 15:49 UTC Modified: 2002-06-21 16:00 UTC
From: tpalanga at hotmail dot com Assigned:
Status: Not a bug Package: Apache related
PHP Version: 4.1.2 OS: Linux
Private report: No CVE-ID: None

 [2002-06-21 15:49 UTC] tpalanga at hotmail dot com
Hi.
Suppose we have a dedicated web server with 100 (or more) users. We configure Apache so it will see every user's web files.
 So we have user x and user y. User x cannot see or read y's web files or other files, but he is smart and somehow finds a mode to break into y's web (especially in the case with /home/y/public_html setting --- every user knows that user xxyy has a public_html in his home dir, so he exploits it). How? By Apache's rights. Does Apache have the rights to read ALL USERS web files? YES.
  So x makes a browsing system and he uses Apache's rights to read ALL USERS web files for reading y's web files. So x reads x's config.php (or anything else) and he finds out the database user and pass. What next?
 
  So, I think it's a bad thing (in fact it's a major security problem) for PHP and Apache to use general rights for every user. Can Apache be configured as a user-level multi-user-threaded server, or is this a SECURITY BUG?
  
  I think someone (at least PHP&Apache) cares.
  Best regards
  Tudor Palanga.
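
The exposure described in the report above follows from classic POSIX mode bits. As an added example (not part of the bug report and not PHP or Apache code), this Python audit lists which files under a set of home directories a shared account such as the web server user can reach and read. The function names, the uid offset and the sample tree are constructed for illustration; ACLs and root's permission bypass are not modelled.

```python
import os
import stat
import tempfile

def perm_bits(st, uid, gids):
    """rwx triplet (0-7) that classic POSIX mode bits grant to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposed_files(root, uid, gids):
    """Regular files under root that the account (uid, gids) can reach and read.
    Assumes the account can already reach root; run as an admin who can list it."""
    found, stack = [], [root]
    while stack:
        d = stack.pop()
        # A known path only needs search (x) permission on each directory.
        if not perm_bits(os.stat(d), uid, gids) & 1:
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            st = os.lstat(p)
            if stat.S_ISDIR(st.st_mode):
                stack.append(p)
            elif stat.S_ISREG(st.st_mode) and perm_bits(st, uid, gids) & 4:
                found.append(p)
    return sorted(found)

def demo():
    """Constructed tree: two users' public_html directories with mixed modes."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home")
        files = {"y/public_html/config.php": 0o644,   # world-readable
                 "y/public_html/notes.txt": 0o600,    # owner only
                 "z/public_html/config.php": 0o644}   # inside a 0700 directory
        for rel, mode in files.items():
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        for rel in ("", "y", "z", "y/public_html"):
            os.chmod(os.path.join(home, rel), 0o755)
        os.chmod(os.path.join(home, "z/public_html"), 0o700)
        www_uid = os.getuid() + 12345   # constructed stand-in for the web server uid
        hits = exposed_files(home, www_uid, set())
        return [os.path.relpath(p, home) for p in hits]

if __name__ == "__main__":
    print(demo())
```

Only `y/public_html/config.php` is reported: the 0600 file and everything behind the 0700 directory are out of reach for an account that is neither the owner nor in the owning group.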

 [2002-06-21 16:00 UTC] cynic@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.
 