Vulnerability on a virtual server Infobox
16 March 2011, 11:16
Not long ago I became a client of Infobox, buying their "virtual hosting" service.
Straight to the point: I found a very serious vulnerability on this hosting, which I immediately reported to support.

The vulnerability allows a session ID to be obtained if:
1. The site uses the standard PHP session support.
2. The site is located on an Infobox server to which you have access (i.e., one where you also have virtual hosting).


I quote my dialogue with Infobox technical support:

2010-07-02 14:52:31 MSK Question from: XXX
Once again, hello.
PHP session files are stored in the shared folder /home/tmp. Thus, every hosting client can see the names of all saved sessions, as well as the hosting user each session belongs to. And since in most cases the session file name coincides with the session ID that PHP uses, you can enter another site under any session on that site by replacing the cookie.

For successful exploitation of this unauthorized access to other people's sites, the only thing missing is the link between clients' domain names and their customer numbers on Infobox.
This link is easier than ever to find: go to the target site and get a session ID. It is visible in the cookies. Next, determine which Infobox server the site is on. If the attacker has hosting on the same server, he can run a script something like this: And find the customer number. And then, following the To learn all of the session.

2010-07-02 15:47:31 MSK Reply from: leading technical support specialist YYY
Hello, XXX.

Thanks for the information; it has been passed to the system administrators.
We will let you know our position on this issue.

2010-07-02 15:49:08 MSK Reply from: support specialist ZZZ
Hello, XXX.

The question has been referred to the system administrators.

2010-07-02 15:56:00 MSK Reply from: leading technical support specialist YYY
Hello, XXX.

The reply to your message is as follows:

The method you describe certainly works in theory. But there are too many "ifs". That is, in practice, no one will manage to use it. A lot depends on how authorization is implemented on the site. If access to your session files by others is critical for you, you can use the php.ini settings to hide the sessions in your own home directory.

2010-07-02 15:59:34 MSK Question from: XXX
Well, that's your business; my business is to report =)
I don't see anything complex: just replace /tmp with ~/tmp in the general php.ini file.

Tell me then, please, what should I do to override the php.ini settings myself?

2010-07-02 16:48:27 MSK Reply from: support specialist YYY
Hello, XXX.

The php.ini file is available at the root of your FTP account.

2010-07-02 16:51:50 MSK Question from: XXX
Thanks. The ticket can be closed, but think about it ... especially given databases such as www.russian-domains.ru/ip-addresses/77.221.130.41, which show which domains correspond to an IP address ...

2010-07-02 16:53:19 MSK Reply from: leading technical support specialist YYY
Hello, XXX.

Thanks. The ticket can be closed, but think about it ... especially
given databases such as
www.russian-domains.ru/ip-addresses/77.221.130.41, which
show which domains correspond to an IP address ...

Any search engine returns all the sites on an IP. There is nothing to worry about. For absolute security, you can order a dedicated solution, where you can change all the settings yourself.


In short, Infobox does not want to fix it. In my opinion, this vulnerability is simply of cosmic scale, especially given databases such as www.russian-domains.ru/ip-addresses/77.221.130.41, which shows the list of domains on that IP address.

I would also add that you can find out which server a site is on by running ping %site_name%, and then nslookup %site_ip_obtained_from_ping%

So, gentlemen webmasters hosting your sites on Infobox: change the path where sessions are saved right away. This can be done by changing the «session.save_path» directive in php.ini. The php.ini file (for Infobox clients) is located in the root directory of the FTP account, which is also the user's home directory.
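One way to confirm that the change took effect, as an added example that is not part of the original post: it reads the active «session.save_path» from php.ini text and checks that the directory is owned by your account and cannot be listed or written by others. The function names and the /home/u123 path are assumptions, and the php.ini fragment and directories are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Matches an active directive; lines starting with ';' are php.ini comments.
DIRECTIVE = re.compile(r"^\s*session\.save_path\s*=\s*(.*)$")

def save_path_from_ini(ini_text):
    """Return the directory named by the last active session.save_path, or None."""
    path = None
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value[:1] in ('"', "'"):
            value = value[1:].split(value[0], 1)[0]    # text inside the quotes
        else:
            value = value.split(";", 1)[0].strip()     # drop a trailing comment
        # PHP also accepts "N;MODE;/path"; the directory is the last field.
        path = value.rsplit(";", 1)[-1] or None
    return path

def audit_session_dir(path):
    """Return findings for a session directory; an empty list means private."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("owned by another account")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("other accounts can list session file names")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("other accounts can create or delete files")
    return findings

if __name__ == "__main__":
    # Constructed php.ini fragment; /home/u123 is a made-up account path.
    ini = ';session.save_path = "/tmp"\nsession.save_path = "/home/u123/sessions"\n'
    print("configured:", save_path_from_ini(ini))
    shared = tempfile.mkdtemp()    # stands in for a shared directory
    os.chmod(shared, 0o1777)
    private = tempfile.mkdtemp()   # stands in for a directory in your home
    os.chmod(private, 0o700)
    for label, d in (("shared", shared), ("private", private)):
        print(label, audit_session_dir(d) or "private to this account")
        os.rmdir(d)
```
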

UPD 05.07: this article is in no way a criticism of the company Infobox, nor a claim that I fear for your data. This article is an incentive for those who use Infobox virtual hosting to think about the security of their data. Just think and decide: ignore it, or figure out what's what.
Added by: w1zard