
Preserved Topic: hacking into webserver

 
GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-26-2001 21:16

ok, there's a unix-webserver where i can set rights... you know.
ok, there i have my file test.html with the rights:

777 (rwxrwxrwx)

now how can someone modify this file? (delete,edit,...)
it must be possible, because what were rights for otherwise?

and is this also possible with win-servers?

[This message has been edited by me (edited 11-19-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 11-26-2001 22:00

When you CHMOD 777 your files, everyone who has access to the filesystem can modify them. Now, the brief explanation: the first number represents the permissions of the file owner, the second number represents the permissions of users who are in the same group as the file owner, and the third number represents the permissions for everyone else (aka "world"). The numbers used are the following:

1 - execute
2 - write
4 - read

And in your case:

1+2+4 = 7 (all permissions are set)

But, usually files have 644 permissions...

You can find more information about UNIX file permissions on the internet...

You can set file permissions on Windows, but it must run on an NTFS partition; the FAT file system doesn't support file permissions / different file owners...


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-26-2001 22:14

yea yea... i know what the rights mean, but now if we have them, how can someone, anyone modify them? (hacking)

[This message has been edited by me (edited 11-19-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 11-26-2001 22:18

As I've said, anyone who can gain access to the server's filesystem as any user (even as nobody) can modify them (if they are CHMODed 777)...


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-26-2001 22:19

yes, i know!
my question is: HOW?

[This message has been edited by me (edited 11-19-2001).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 11-26-2001 22:20

If you want to learn how someone can change them via "hacking", this really isn't the board. But most "hacks" involve getting root access, which allows you to change any file's permissions/groups etc.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-26-2001 22:29

ok, maybe we shouldn't call it hacking.

i have my 777-file there on my webspace. how can i modify it without knowing username/password of the server?
the only thing i know is the path and the filename.

[This message has been edited by me (edited 11-19-2001).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 11-26-2001 22:33

Ahh. How did you place the file on the server?

Most FTP clients these days allow you to set the permissions of the file.
Outside of that, telnet, or ssh (some sort of access to the filesystem), you don't have many choices (actually any choices).


Could also be done with a perl or PHP script as well.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 11-26-2001 22:35

Well, you can't. The only way to do it is to somehow gain access to the server's filesystem, and only if you manage to do that would you be able to change that file...

More info about hacking: http://neworder.box.sk/


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-26-2001 22:46

ok thanks guys.
i was just asking because i need to set some files to 777(or similar) on my webspace due to scripting issues.
so i was afraid that someone could manage to edit/delete these files.

now what about windows-webservers?
i'm running a php-script there that writes data to a textfile. so i had to give everyone access to this textfile (the directory). could some evil .... (*searching for a better word than hacker*) .... person (?) edit/delete this file without having any other access to the server?

edit: english grammar

[This message has been edited by GRUMBLE (edited 11-26-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 11-26-2001 22:51

That evil person would also need to gain filesystem access in order to modify it under Windows...


GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-26-2001 23:04

ok, that's what i wanted to know.

summary: no access to files without having access to the filesystems (unix+win)

now i'm not afraid anymore....

thanks for the quick responses and the explanations, max and bitdamaged!

[This message has been edited by me (edited 11-19-2001).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 11-26-2001 23:24

Umm.. you should not need to set the perms of a file handled by the webserver or PHP to 777. Scripts in general run via the browser are run as nobody.nobody or apache.apache (depends on your web server config) BTW (that means user.group)

If the file/script are only web based, that is the only user/group that needs read/write access to the file, and no one needs execute permissions (for the text file). That's where max said 644 is totally appropriate.

Using 777 is not really recommended. I use it sometimes just to make sure I'm not having a permissions issue, but it shouldn't be needed often.




:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 11-26-2001 23:32

Actually, since PHP (in most cases) runs as user nobody (which belongs to the "world"), last bit of file permission should be set to 6 (i.e. 644 won't work, while something like 666 would work)...
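
An added example, not part of any post in this thread: the two replies above differ only in who owns the file, because the kernel consults exactly one rwx triplet (owner, group or other) per access. The sketch below applies that rule to the modes discussed and then lists world-writable entries in a web root; the uid/gid values, file names and function names are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed ids for illustration: the site owner and the web server account.
OWNER_UID, OWNER_GID = 1000, 1000
NOBODY_UID, NOBODY_GID = 65534, 65534

def permission_class(file_uid, file_gid, uid, gids):
    """Pick the single rwx triplet the kernel consults for this user."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def can_write(mode, file_uid, file_gid, uid, gids):
    """Classic mode-bit check; ignores root, ACLs and directory permissions."""
    bit = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}
    return bool(mode & bit[permission_class(file_uid, file_gid, uid, gids)])

def world_writable(root):
    """Return (relative path, mode string) for entries any local account may write."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not used for access checks
            if st.st_mode & stat.S_IWOTH:
                hits.append((os.path.relpath(path, root), stat.filemode(st.st_mode)))
    return sorted(hits)

def audit_sample_webroot():
    """Build a constructed web root with the modes from the thread and audit it."""
    modes = {"index.html": 0o644, "data.txt": 0o666, "test.html": 0o777}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in modes.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)  # chmod is not affected by the umask
        return world_writable(root)

if __name__ == "__main__":
    print(can_write(0o644, OWNER_UID, OWNER_GID, NOBODY_UID, {NOBODY_GID}))
    print(audit_sample_webroot())
```

With 644, a file owned by the web server account is writable by scripts, while the same mode on a file owned by the site owner is not; making the server account the owner (or a group member with 664) avoids granting write to every local account.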


Pugzly
Paranoid (IV) Inmate

From: 127.0.0.1
Insane since: Apr 2000

posted 11-27-2001 01:52

"now i'm not afraid anymore.... "

Never say that. Be afraid. Be very very afraid...

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 11-27-2001 02:32

why?

you mean i shouldn't trust max's words?

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 11-27-2001 02:34

I think it's more along the lines that site security is not simple. You should always look at what you do on the server with some eye towards security.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:
