possible VPS security issue - help

wackter

New member
I am hoping that someone might have some insight into an issue that I came across today while working on one of my client's websites that I am building for him. I was setting up a FileManager and Image uploader to be part of CKEditor for the backend updating of his website - - - when I entered var fileRoot = '/'; in the variable for the directory that I want to display for managing the files on his account, the complete file structure of my VPS ROOT displayed and I was able to traverse through all of the directories, seeing and being able to access home (all cPanel accounts), root, usr, lib, etc.

Of course I have no intention of using that path for what I am doing - but this to me is a serious risk as anyone who has accounts on my VPS server could potentially use a similar script and have full access to my VPS root (accidentally or on purpose). Is there some setting that I am missing or need to change in my Apache settings to stop this from happening?

I presumed up until today that only I can access my VPS root, and only with SSH using something like WinSCP or PuTTY - - - and yet, lo and behold, I have been able to access it completely through a simple file manager script that I wrote and placed in a cPanel account of one of my hosting clients. Does that make sense? The VPS that I have is unmanaged and the company offers no help when it comes to Apache configuration (if that is my issue) or other server software setup.


Any help appreciated.
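The thread's root cause has two layers: the PHP process was allowed to read outside the account (a privilege problem, which suPHP or a comparable per-user execution model addresses), and the file manager itself listed whatever directory its configured root pointed at, with no check that the path stayed inside the account. As an added example (not the file manager code from the original post, and not CKEditor's own code), the following PHP shows the unconfined listing pattern beside a version that resolves the requested path and refuses anything outside a base directory. The `$baseDir` argument and the temporary demo tree are assumptions for the demonstration.

```php
<?php
// Added example, not the thread's own file manager code.
// Assumes the account's document root (or upload folder) is passed in as $baseDir.

// Vulnerable pattern from the thread: list whatever directory the configured
// root points to, with no confinement to the account.
function listDirUnconfined(string $fileRoot, string $subdir): array {
    $target = rtrim($fileRoot, '/') . '/' . $subdir;
    return array_values(array_diff(scandir($target), ['.', '..']));
}

// Hardened version: resolve the requested path and refuse anything that does
// not stay inside the base directory (covers "../" and symlinks pointing out).
function resolveInsideBase(string $baseDir, string $requested): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . ltrim($requested, '/'));
    if ($candidate === false) {
        return null;             // does not exist (or unresolvable symlink)
    }
    // Prefix check with a trailing separator so /home/acct2 does not match /home/acct.
    if ($candidate !== $base && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;             // escaped the base via ../ or a symlink
    }
    return $candidate;
}

function listDirConfined(string $baseDir, string $requested): array {
    $dir = resolveInsideBase($baseDir, $requested);
    if ($dir === null || !is_dir($dir)) {
        throw new RuntimeException('path rejected: outside the account base directory');
    }
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Constructed demo tree (hypothetical): one uploads folder inside the base.
$base = sys_get_temp_dir() . '/fm_demo_' . getmypid();
mkdir("$base/uploads", 0700, true);
touch("$base/uploads/photo.jpg");

var_dump(listDirConfined($base, 'uploads'));          // array("photo.jpg")
var_dump(resolveInsideBase($base, '../../etc'));      // NULL: rejected
var_dump(resolveInsideBase($base, 'uploads/../..'));  // NULL: rejected
try {
    listDirConfined($base, '/');                      // "/" is outside the base too
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Clean up the demo tree.
unlink("$base/uploads/photo.jpg");
rmdir("$base/uploads");
rmdir($base);
```

The confinement check is the script-side defence; it does not replace running PHP as the account owner, because a script that is never confined by the operating system can still be replaced by one that does not call `resolveInsideBase()` at all. Both layers are needed.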
 
you need to make sure apache is running under its own limited user. you also need suphp so that php is executed under each owner.
 
you need to make sure apache is running under its own limited user. you also need suphp so that php is executed under each owner.

Thank you for taking the time to reply.

I am running suphp. I'll have to do some searching on the web and see how to find out if I have apache running under its own limited user - and if not - - - how to accomplish that.
 
@Marinarn - wrong response. This is someone looking to secure their current server rather than someone looking to purchase a NEW unmanaged server.

@wackter - the file manager program that you were using is possibly using a shell like script to bypass normal system protections. Can you PM me the file script you're using?

If you have suphp loaded on your server, then you should be ok, and this shouldn't be happening. Also, check with your script to see if you're able to WRITE to one of those outside directories, and are able to traverse through the folders. I've seen a lot of VPS machines (and dedicated servers) in operation with hosting companies that expose all client usernames by allowing a simple script to execute.

Verify that the script is not loading into the /tmp folder on your server as if it can load into there, you can read through the server using remote call scripts. Make sure that the /tmp is secured from execution of files.

You may also want to check out somewhere like www.platinumservermanagement.com or similar 3rd party management company who can get in and help diagnose quickly and cheaply. I've worked with that company about 10 years ago and they are still a highly recommended company.

Are you running cPanel on your server, or another control panel?
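The reply above asks two concrete questions: is PHP really executing as each account owner (what suPHP is for), and is /tmp protected against execution. As an added diagnostic (not code from the thread or from cPanel), the PHP below answers both from inside one hosting account: it compares the effective Unix user with the owner of the script file (they match only when per-user execution is in effect) and parses `/proc/mounts` to see whether /tmp is a separate mount carrying `noexec`. The `posix` extension and a Linux `/proc/mounts` are assumed; the fallback to `id -un` is a constructed convenience.

```php
<?php
// Added diagnostic, not from the thread. Place it in one account's document
// root, request it once as the account owner would, then delete it.

// Effective Unix user the PHP interpreter is running as for this request.
function effectiveUser(): string {
    if (function_exists('posix_geteuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        return $pw['name'] ?? (string) posix_geteuid();
    }
    // Fallback when the posix extension is absent: ask the OS directly.
    return trim((string) shell_exec('id -un'));
}

// Owner of this script file. Under suPHP (per-owner execution) this equals
// effectiveUser(); under mod_php it will differ (nobody, apache, www-data ...).
function scriptOwner(): string {
    $pw = function_exists('posix_getpwuid') ? posix_getpwuid(fileowner(__FILE__)) : null;
    return $pw['name'] ?? (string) fileowner(__FILE__);
}

// Return the mount option list for $mountPoint from /proc/mounts text, or null
// when that path is not its own mount (then noexec cannot apply to it).
function mountOptions(string $procMounts, string $mountPoint): ?array {
    foreach (explode("\n", $procMounts) as $line) {
        $f = preg_split('/\s+/', trim($line));
        if (count($f) >= 4 && $f[1] === $mountPoint) {
            return explode(',', $f[3]);
        }
    }
    return null;
}

function tmpIsNoexec(string $procMounts): ?bool {
    $opts = mountOptions($procMounts, '/tmp');
    return $opts === null ? null : in_array('noexec', $opts, true);
}

header('Content-Type: text/plain');
$runAs = effectiveUser();
$owner = scriptOwner();
printf("PHP runs as:      %s\n", $runAs);
printf("Script owned by:  %s\n", $owner);
printf("Per-user exec:    %s\n", $runAs === $owner
    ? 'yes (scripts execute as the account owner)'
    : 'NO (scripts execute as the web server user; check suPHP / handler config)');

$mounts = @file_get_contents('/proc/mounts');
$noexec = $mounts === false ? null : tmpIsNoexec($mounts);
printf("/tmp noexec:      %s\n", $noexec === null
    ? 'unknown (/tmp is not a separate mount, so noexec cannot be applied to it)'
    : ($noexec ? 'yes' : 'NO'));
```

If the first check reports the web server user, the behaviour in the original post is expected: every account's scripts share one identity, so a listing script in one account sees whatever that identity can read. Mounting /tmp `noexec` (and `nosuid`) limits what can be launched from a world-writable location, but it does not by itself confine file reads; the per-user execution fix is the one that addresses the cross-account exposure.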
 