Closed Thread Icon

Preserved Topic: hacking into webserver (Page 1 of 1) Pages that link to <a href="http://ozoneasylum.com/backlink?for=21013" title="Pages that link to Preserved Topic: hacking into webserver (Page 1 of 1)" rel="nofollow" >Preserved Topic: hacking into webserver <span class="small">(Page 1 of 1)</span>\

 
GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-26-2001 21:16

ok, there's a unix-webserver where i can set rights... you know.
ok, there i have my file test.html with the rights:

777 (rwxrwxrwx)

no how can someone modify this file? (delete,edit,...)
it must be possible, because what were rights for otherwise?

and is this also possible with win-servers?

[This message has been edited by me (edited 11-19-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted posted 11-26-2001 22:00

When you CHMOD 777 your files, everyone who has access to the filesystem can modify them. Now, the brief explanation, the first number represent what permissions have file owner, the second number represent what permissions have users who are in the same group as file owner and the third number represent permissions for everyone else (aka "world"). Numbers which are used are following:

1 - execute
2 - write
4 - read

And in your case:

1+2+4 = 7 (all permissions are set)

But, usually files have 644 permissions...

You can find more information about UNIX file permissions on the internet...

You can set file permission on Windows, but it must run on NTFS partition, FAT file system doesn't support file permssions / different file owners...


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-26-2001 22:14

yea yea... i know what the rights mean, but now if we have them, how can someone, anyone modify them? (hacking)

[This message has been edited by me (edited 11-19-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted posted 11-26-2001 22:18

As as I've said anyone who can gain access to the server's filesystem as any user (even as nobody) can modify them (if they are CHMODed 777)...


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-26-2001 22:19

yes, i know!
my question is: HOW?

[This message has been edited by me (edited 11-19-2001).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted posted 11-26-2001 22:20

If you want to learn how someone can change them via "hacking" This really isn't the board. But most "hacks" involve getting root access which allows you to change any files permissions/groups etc.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-26-2001 22:29

ok, maybe we shouldnt call it hacking.

i have my 777-file there on my webspace. how can i modify it without knowing username/password of the server?
the only thing i know is the path and the filename.

[This message has been edited by me (edited 11-19-2001).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted posted 11-26-2001 22:33

Ahh. How did you place the file on the server?

Most FTP clients these days allow you to set the permissions of the file.
Outside of that, telnet, or ssh (some sort of access to the filesystem) You don't have many choices (actually any choices).


Could also be done with a perl or PHP script as well.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted posted 11-26-2001 22:35

Well, you can't. Only way to do it is to somehow gain access to server's filesystem and only if you manage to do that you would be able to change that file...

More info about hacking: http://neworder.box.sk/


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-26-2001 22:46

ok thanks guys.
i was just asking because i need to set some files to 777(or similar) on my webspace due to scripting issues.
so i was afraid that someone could manage to edit/delete these files.

now what about windows-webservers?
im running a php-script there that writes data to a textfile. so i had to give everyone access to this textfile(the directory). could some evil .... (*searching for a better word than hacker*) .... person (?) edit/delete this file without having any other access to the server?

edit: english grammar

[This message has been edited by GRUMBLE (edited 11-26-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted posted 11-26-2001 22:51

That evil person would also need to gain filesystem access in order to modify it under Windows...


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-26-2001 23:04

ok, that's what i wanted to know.

summary: no access to files without having access to the filesystems (unix+win)

now i'm not afraid anymore....

thanks for the quick responses and the explanaitions, max and bitdamaged!

[This message has been edited by me (edited 11-19-2001).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted posted 11-26-2001 23:24

Umm.. you should not need to set the perms of a file handled by the webserver or PHP to 777. Scripts in general run via the browser are run as nobody.nobody or apache.apache (depends on your web server config) BTW (that means user.group)

If the file/ script are only web based that is the only user/group that needs the read write access to the file and noone needs execute permissions. (for a the text file) That's where max said 644
is totally appropriate.

Using 777 is not really recommended. I use it sometimes just to make sure I'm not having a permissions issue but it shouldn't be needed often




:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted posted 11-26-2001 23:32

Actually, since PHP (in most cases) runs as user nobody (which belongs to the "world"), last bit of file permission should be set to 6 (i.e. 644 won't work, while something like 666 would work)...


Pugzly
Paranoid (IV) Inmate

From: 127.0.0.1
Insane since: Apr 2000

posted posted 11-27-2001 01:52

"now i'm not afraid anymore.... "

Never say that. Be afraid. Be very very afraid...

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 11-27-2001 02:32

why?

you mean i shouldnt trust max's words.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted posted 11-27-2001 02:34

I think it's more along the lines that site security is not simple. You should always look at what you do on the server with some eye towards security.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

« BackwardsOnwards »

Show Forum Drop Down Menu