You miss understand. A user with ftp access only to a single virtual host can upload a PHP shell to there web space. The PHP shell allows them to login with a made up password they make. Once logged in to the PHP shell they are no longer restricted by there FTP login permissions due to the fact that a PHP shell runs under the www-data account. The fact that they have now hijacked the www-data account using the uploaded PHP shell allows them to see the other virtual hosts PHP scripts. And even the root directory on the server if the www-data account is not jailed. if it is jailed they are restricted to seeing all virtual hosts on the server. jailed or not jailed you can view your neighborer PHP Code and steel it.
How would one go about preventing this kind of attack while using virtual hosts and PHP? ----- Original Message ----- From: "Jeroen Geilman" <[email protected]> To: [email protected] Sent: Tuesday, March 29, 2011 2:16:56 PM Subject: Re: [users@httpd] Directories Being Probed Even When Index Listing Denied On 03/21/2011 03:28 AM, [email protected] wrote: If a PHP Shell can be uploaded. http://phpshell.sourceforge.net/ Then any thing www-data can do so can the shell user, As stated in my post about virtual hosts seeing each others document roots. If you post the root password on your website, then anybody can bring the machine down. It's not very useful to do so, however. ----- Original Message ----- From: "ASAI" <[email protected]> To: [email protected] Sent: Saturday, March 19, 2011 6:09:51 PM Subject: [users@httpd] Directories Being Probed Even When Index Listing Denied Greetings, I am hosting a domain with no website which is a gateway for several applications. Directory indexes are turned off, however I noticed in the logs today that one the directories which has no reference to the outside world was probed. Is it possible that one can get the directory listing of a host even when index listing is turned off through some other agency? How do I guard against things like this? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [email protected] " from the digest: [email protected] For additional commands, e-mail: [email protected] -- J.
