Users shouldn't be able to list other websites mysql users [LOGGED]

Zoinkies

I had a similar find with the Enhance API, regardless of orgId & websiteId sent to /domains and similar endpoints , you can list other Enhance users data. Enhance doesn’t check if a orgId owns a websiteId at all on some endpoints. I’ve been told it’s for “backwards compatibility”, but I see this as an issue. Granted this is only possible if you are using the Enhance API & Bearer token, and know the UUID, but it’s still a issue for people who have like myself and a few others are using the API on custom frontends.

This should be documented somewhere.

xyzulu

gmakhs this has been discussed on these forums already. It’s also not unique to Enhance but is, in many setups, the standard ‘Linux’ way. While you can list files, you do not have access to them.

As for the API Zoinkies this something perhaps Enhance can change. Maybe a ticket or feature request?

Adam

Zoinkies

As I explained in your support ticket, authorisation is based on the logged in user session or bearer token. You need to authenticate the user with the createSession endpoint and use the cookie for subsequent requests. The bearer tokens are for use by trusted systems for example your billing/provisioning system and should never be exposed to end users.

There are some endpoints which have an orgId parameter in the request path but where this variable is not used, this is not a security issue because the authentication is against the asset being accessed (website, email, etc).

Adam

gmakhs

It looks like MariaDB sets world read/execute on /var/lib/mysql where MySQL does not and you're right this will allow an unprivileged user to see the directories within but not to read them, as you have found. I think the solution is that we hide this dir from all PHP containers. Subject to testing/CI, this will be in an upcoming release.

xyzulu

I was wrong then, sorry @gmakhs and thanks @Adam

cPFence

xyzulu I was wrong then

No, you're not wrong, this isn’t unique to Enhance. Here's the output from our cPanel/CloudLinux server with CageFS activated:

[cpuser8@usvip6 ~]$ find / type f -name "file.php"

find: ‘/var/lib/mysql/***_wp90’: Permission denied
find: ‘/var/lib/mysql/***_wp776’: Permission denied
find: ‘/var/lib/mysql/***_ppdb’: Permission denied
find: ‘/var/lib/mysql/***_463’: Permission denied
find: ‘/var/lib/mysql/***_450’: Permission denied
find: ‘/var/lib/mysql/***_wp250’: Permission denied
find: ‘/var/lib/mysql/***_xino’: Permission denied
find: ‘/var/lib/mysql/***_wp831’: Permission denied
find: ‘/var/lib/mysql/***_zorbx’: Permission denied
find: ‘/var/lib/mysql/***_model’: Permission denied
find: ‘/var/lib/mysql/***_ss’: Permission denied
find: ‘/var/lib/mysql/***_c’: Permission denied

So yes, same behavior, even with Cloudlinux /CageFS in place.

cPFence

We’ve done quite a bit of testing around this and compared Enhance to CloudLinux. What we found is that Enhance provides a very similar SSH environment to CloudLinux.

Even on CloudLinux, SSH users can still see certain system-level details like this, so it’s not unique to Enhance. If Enhance manages to fully hide this info, that would be impressive, but considering even CloudLinux (with its custom kernel) hasn’t fully solved it, it’s likely not a simple task.

gmakhs

cPFence I did try it on cloud Linux and it didn't show the users , so I don't believe you 🙂

JohnB

gmakhs Its okay, I believe @cPFence + my own experience using shared hosting in the past. What you're experiencing is normal and even if Adam's fix is added, there will be others way to list usernames or directories but they won't be accessible. Again....normal.

cPFence

gmakhs so I don't believe you 🙂

Maybe try believing your eyes instead , it helps sometimes:

cloudlinux_ssh_with_cagefs

JohnB Its okay, I believe @cPFence + my own experience using shared hosting in the past. What you're experiencing is normal

That’s true even with Cloudlinux , and it’s exactly why we never allow permanent SSH access on our servers. Even if users don’t have permission to modify anything, we’re not comfortable with the fact they can still list -or sometimes view- content in directories like /opt, /var, etc.

gmakhs

cPFence for the sake of honesty and transparency i was wrong it happens with mariadb, so i apologize i was subjective

JohnB

cPFence That’s true even with Cloudlinux , and it’s exactly why we never allow permanent SSH access on our servers.

Then again, in my opinion, no one should have a site on a shared hosting provider (regardless of what panel or what company) and expect the absolute best security.