CI Host Bad Security - Opinions Please
I bought hosting with www.cihost.com (whether they are good/bad is not the point of this post, please read on).
On my server, every user has a directory where all his web page stuff is stored (naturally). All of these directories are under /www. So for user "blah" his stuff is stored at /www/blah.
All of the /www/whatever directories are owned by the user and a group that contains only that user. These directories are rwx for the owner, execute for the group, and execute for the world. They do not allow you to change directory/file user/group owners.
Apache runs as user "nobody".
From this immediately rises a huge problem.
Hypothetical situation:
User fred has a script called database.php under /www/fred. This script connects to a mysql database and displays some output to the Internet. To do this, this script must contain fred's mysql username and password along with the php code.
database.php must be world readable so that apache, running as user nobody, can read it.
Now along comes user joe. Joe has his own directory under /www/joe. However, /www is world readable, so he does an ls of /www. Joe sees fred's directory. Now he can't ls /www/fred because there are no world read permissions for /www/fred. However, he can do something like "cat /www/fred/database.php" (the world execute permission allows this) and then read Fred's file.
Now Joe knows Fred's mysql username and password. He can proceed to go to town on fred's database.
Why is CI Host being so retarded? What am I missing?
- Xizor
