How to fix free hosting script’s security problems

Off-topic chat. Post your favorite mod_rewrite jokes here!

How to fix free hosting script’s security problems

Postby eugene2006 » Sat Sep 09, 2006 2:40 pm

XAMPP, WINDOWS2003 VDS, PHP5, APACHE2

Free hosting script creates users in folder
http://pcsny.org/users/%username%

for example: if new user has login=newuser
then his directory is http://pcsny.org/users/newuser/
and http://newuser.pcsny.org


httpd-vhosts.conf looks like this

###################################################
<Directory "C:/aweb/freehosting">
Options Indexes Includes FollowSymLinks ExecCGI
AllowOverride all
Order allow,deny
Allow from all
</Directory>

<VirtualHost *:80>
DocumentRoot "C:/aweb/freehosting"
ServerName pcsny.org
ServerAlias www.pcsny.org
php_admin_value open_basedir "/"

</VirtualHost>

<VirtualHost *:80>
ServerName pcsny.org
ServerAlias *.pcsny.org
VirtualDocumentRoot
php_admin_value open_basedir "C:/aweb/freehosting/users/"

</VirtualHost>


It is working but not secure enough because of this php_admin_value open_basedir "C:/aweb/freehosting/users/"

Bad script can see and fully control anything in folder /users/
I tried to do so php_admin_value open_basedir "C:/aweb/freehosting/users/%1/"
Bad alas it is not so easy as with VirtualDocumentRoot

So I’ve got some questions:
1. How to lock users in their respective folders
2. How to disable user to access his web page through http://pcsny.org/users/%newuser%/ and redirect them to appropriate sub domain (because this way they gain full control over system)?
3. Will .htaccess in user’s folder override all my security efforts to zero? How to prevent this without disabling .htaccess?
eugene2006
 
Posts: 21
Joined: Sat Sep 09, 2006 4:16 am

Postby richardk » Sat Sep 09, 2006 3:51 pm

You really shouldn't offer hosting if you can't make it secure.

3. Will .htaccess in user’s folder override all my security efforts to zero? How to prevent this without disabling .htaccess?

From http://uk2.php.net/manual/en/configuration.changes.php:
php_admin_value name value

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.


2. How to disable user to access his web page through http://pcsny.org/users/%newuser%/ and redirect them to appropriate sub domain (because this way they gain full control over system)?

A redirect in the main <VirtualHost> block.

1. How to lock users in their respective folders

Try adding a prefix to the user directories, eg. __ (two underscores), because: (From http://uk2.php.net/...#ini.open-basedir.)
The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"



So try this (The below includes the redirect and the prefix):
Code: Select all
<Directory "C:/aweb/freehosting">
  Options Indexes Includes FollowSymLinks ExecCGI
  AllowOverride all
  Order allow,deny
  Allow from all
</Directory>

<VirtualHost *:80>
  DocumentRoot "C:/aweb/freehosting"
  ServerName pcsny.org
  ServerAlias www.pcsny.org

  Options +FollowSymLinks
  RewriteEngine On
  RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
</VirtualHost>

<VirtualHost *:80>
  ServerName pcsny.org
  ServerAlias *.pcsny.org
  VirtualDocumentRoot "C:/aweb/freehosting/users/__%1"
  php_admin_value open_basedir "C:/aweb/freehosting/users/__"
</VirtualHost>


This is the same topic as before, you didn't need to start a new thread.

Edit: The open_basedir bit won't work.
Edit2: Look here: http://forum.hardened-php.net/viewtopic.php?pid=292 and http://www.apachelounge.com/forum/viewtopic.php?p=3162
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby eugene2006 » Sat Sep 09, 2006 5:16 pm

[Sun Sep 10 02:53:52 2006] [notice] Child 800920: Child process is running
[Sun Sep 10 02:53:52 2006] [notice] Child 800920: Acquired the start mutex.
[Sun Sep 10 02:53:52 2006] [notice] Child 800920: Starting 250 worker threads.
[Sun Sep 10 02:53:52 2006] [notice] Child 800920: Starting thread to listen on port 443.
[Sun Sep 10 02:53:52 2006] [notice] Child 800920: Starting thread to listen on port 80.
[Sun Sep 10 02:53:55 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__
[Sun Sep 10 02:53:56 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__
[Sun Sep 10 02:54:05 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... admin/menu
[Sun Sep 10 02:54:15 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?command=manager
[Sun Sep 10 02:54:18 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... nager/menu
[Sun Sep 10 02:54:26 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... /directory
[Sun Sep 10 02:54:56 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... /directory
[Sun Sep 10 02:54:57 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... /directory
[Sun Sep 10 02:54:59 2006] [notice] Parent: Received shutdown signal -- Shutting down the server.
[Sun Sep 10 02:54:59 2006] [notice] Child 800920: Exit event signaled. Child process is ending.
[Sun Sep 10 02:55:00 2006] [notice] Child 800920: Released the start mutex
[Sun Sep 10 02:55:01 2006] [notice] Child 800920: Waiting for 250 worker threads to exit.
[Sun Sep 10 02:55:05 2006] [notice] Child 800920: All worker threads have exited.
[Sun Sep 10 02:55:05 2006] [notice] Child 800920: Child process is exiting
[Sun Sep 10 02:55:05 2006] [notice] Parent: Child process exited successfully.
[Sun Sep 10 02:55:09 2006] [notice] Apache/2.2.2 (Win32) DAV/2 mod_ssl/2.2.2 OpenSSL/0.9.8b mod_autoindex_color PHP/5.1.4 configured -- resuming normal operations
[Sun Sep 10 02:55:09 2006] [notice] Server built: May 9 2006 14:08:48
[Sun Sep 10 02:55:09 2006] [notice] Parent: Created child process 584184
[Sun Sep 10 02:55:11 2006] [notice] Child 584184: Child process is running
[Sun Sep 10 02:55:11 2006] [notice] Child 584184: Acquired the start mutex.
[Sun Sep 10 02:55:11 2006] [notice] Child 584184: Starting 250 worker threads.
[Sun Sep 10 02:55:11 2006] [notice] Child 584184: Starting thread to listen on port 443.
[Sun Sep 10 02:55:11 2006] [notice] Child 584184: Starting thread to listen on port 80.
[Sun Sep 10 02:55:33 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... files/left
[Sun Sep 10 02:55:52 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... ager/files
[Sun Sep 10 02:55:52 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... ager/files
[Sun Sep 10 02:55:53 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... ager/files
[Sun Sep 10 02:55:53 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... ager/files
[Sun Sep 10 02:55:53 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... ager/files
[Sun Sep 10 02:55:54 2006] [error] [client 62.141.48.86] , referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... ager/files
[Sun Sep 10 02:55:56 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... nager/menu
[Sun Sep 10 02:55:58 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... nager/menu
[Sun Sep 10 02:56:02 2006] [error] [client 62.141.48.86] File does not exist: C:/aweb/freehosting/users/ass/__, referer: http://www.pcsny.org/cgi-bin/join.cgi?c ... /directory

strange it give errors, what could it be?
eugene2006
 
Posts: 21
Joined: Sat Sep 09, 2006 4:16 am

Postby richardk » Sun Sep 10, 2006 6:06 am

I have no idea. This is far beyond a mod_rewrite question and i don't know tha answer.

You don't need the directory prefix now, so you should be using this:
Code: Select all
<Directory "C:/aweb/freehosting">
  Options Indexes Includes FollowSymLinks ExecCGI
  AllowOverride all
  Order allow,deny
  Allow from all
</Directory>

<VirtualHost *:80>
  DocumentRoot "C:/aweb/freehosting"
  ServerName pcsny.org
  ServerAlias www.pcsny.org

  Options +FollowSymLinks
  RewriteEngine On
  RewriteRule ^/users/([^/]+)(/(.*))?$ http://$1.pcsny.org/$3 [R=301,L]
</VirtualHost>

<VirtualHost *:80>
  ServerName pcsny.org
  ServerAlias *.pcsny.org
  VirtualDocumentRoot "C:/aweb/freehosting/users/%1/"
</VirtualHost>
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby eugene2006 » Sun Sep 10, 2006 6:24 am

but then user from folder /users/baduser/
can fully control other users in /users/ folder
eugene2006
 
Posts: 21
Joined: Sat Sep 09, 2006 4:16 am

Postby richardk » Sun Sep 10, 2006 7:10 am

The prefix didn't stop that either. You'll have to find some other way of doing it.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby eugene2006 » Sun Sep 10, 2006 7:16 am

like what?
eugene2006
 
Posts: 21
Joined: Sat Sep 09, 2006 4:16 am

Postby richardk » Sun Sep 10, 2006 7:56 am

I don't know. Search the web. Ask in a forum about web hosting. Ask in a forum about PHP. Ask a windows hosting company.

This is just a forum about mod_rewrite.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby eugene2006 » Sun Sep 10, 2006 8:25 am

thanks!
eugene2006
 
Posts: 21
Joined: Sat Sep 09, 2006 4:16 am


Return to Almost Anything Goes

Who is online

Users browsing this forum: No registered users and 4 guests

cron