MyBB Community Forums

Full Version: Can an administrator escape from /public_html/forum/ ?
Every user in a MyBB forum has specific rights, which can be set by an administrator. A normal user has limited rights. An administrator can do anything.

Suppose that my MyBB forum is installed in a subdirectory called /public_html/forum/. In /public_html/ and also in the root folder / are very important files, and I don't want other people to have access to these files.

But when I give a user administrative rights in the MyBB forum, is this user then able to escape from the /public_html/forum/ subfolder and access files in different folders like /public_html/wiki/ or /public_html/ or even the root folder /? If so, then this would be a major security problem.

I am very afraid to give users administrative rights and don't know what I should do. I don't want to get hacked by an administrative user.
uhm, admins don't have access to your database o.O

you can also limit admin permissions in the acp
(2010-11-23, 12:10 PM)~Rs Wrote: uhm, admins don't have access to your database o.O

I didn't ask about database access, but about filesystem access. For example, if my MyBB forum is installed in /public_html/forum/, is an administrative user able to access the file /public_html/foo.txt or even /foo.txt?

(2010-11-23, 12:10 PM)~Rs Wrote: you can also limit admin permissions in the acp

I'll have a closer look at the ACP. But can I say in the ACP which folders in the filesystem a user is able to access?
That's why there is something called CHMOD
(2010-11-23, 12:36 PM)E-Hero Kyle Wrote: That's why there is something called CHMOD

Can you please specify how you would solve my problem with chmod?

I don't think that chmod is an answer to my question. Each HTTP request to the forum is handled by a PHP instance or PHP process, which always runs as the same user. Let's call this user phpuser. The PHP process doesn't know about the MyBB user management. It can't distinguish between a normal and an administrative user.

When I give a specific file a chmod of 000, then nobody can access it, no normal and also no administrative user. This is because the PHP process phpuser can't distinguish between them. When I give a file 644 access, then again, an administrative user and a normal user would both be able to access it, because in the context of the PHP process both would have an effective file access right of 6.

Do you understand my concerns about filesystem access?
If you do not want people to go to your root domain (eg www.mybb.com) then redirect it to your forums. If you don't have a front page at the root domain, then people would just see a list of folders in public_html (the root of the domain)
(2010-11-23, 01:08 PM)Kyuubi Wrote: If you do not want people to go to your root domain (eg www.mybb.com) then redirect it to your forums.

I want people to see my root domain.

Let me explain my problem in another way. An administrator has a special administrative area where he can modify different files. For example he can change a theme or other .php files to modify or extend the behavior of the forum.

PHP as a programming language offers a lot of flexibility. For example getcwd() returns the directory where the currently executed .php file is located in the file system. There is also chdir() to change the current directory, for example to get a folder up in the file system hierarchy.

My question is if it is possible for an administrative user to execute malicious code in MyBB, to get access to files which are not in /public_html/forum/.

For example, if I were a bad person and I wanted to see if there is something interesting, or if I wanted to steal some files, I would try to execute PHP code like the following:
$directory = getcwd();
// $directory = /public_html/forum
$pos = strrpos($directory, '/');
$directory = substr($directory, 0, $pos);
// $directory = /public_html (with $pos-1 the last character would be cut off)
print_r(scandir($directory)); // echo would only print "Array"
chdir($directory); // move the working directory up as well

This would return me a list of all files and directories in /public_html and is a good starting point to look for interesting files; later I can decide to print the content of a specific file and steal its content.

My question is: is an administrative user able to execute arbitrary PHP code to do anything he wants? I am not talking about injecting code, but only about executing it once, which is enough to get the necessary information to look for interesting information and potentially steal it.
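As an added defender's example (not from the thread, MyBB, or any poster here), the following PHP script demonstrates the two points made above: PHP's file functions run as one OS user for every forum member, so chmod cannot tell an admin from a normal user, and the server-side way to confine that OS user to the forum directory is PHP's open_basedir. The /public_html/forum path, the parentDirectory() and tryListing() helpers, and adding the system temp directory to the allowed paths are assumptions made for this example.

```php
<?php
// Added example, not part of the original thread or of MyBB.
// Assumed layout as in the thread: the forum lives in /public_html/forum.
declare(strict_types=1);

// Parent of a directory, done the way the thread's snippet tries to,
// but without the off-by-one in substr().
function parentDirectory(string $dir): string
{
    $pos = strrpos($dir, '/');
    return ($pos === false || $pos === 0) ? '/' : substr($dir, 0, $pos);
}

// Try to list a directory; return its entries, or null if PHP refused.
function tryListing(string $dir): ?array
{
    $entries = @scandir($dir); // suppress the warning, inspect the result instead
    return $entries === false ? null : $entries;
}

$forumDir = getcwd();                   // e.g. /public_html/forum
$parent   = parentDirectory($forumDir); // e.g. /public_html

// The OS user PHP runs as is the same for every forum member and every admin,
// so file permissions (chmod) cannot express a MyBB role.
echo 'PHP runs as uid ' . getmyuid() . " for every request\n";

// Without open_basedir the parent is readable whenever the web-server
// user has read permission on it.
echo "open_basedir is: '" . ini_get('open_basedir') . "'\n";
echo tryListing($parent) === null ? "parent listing refused\n" : "parent listing allowed\n";

// Confine this script to the forum directory (plus the temp dir for uploads).
// open_basedir can only be tightened at runtime, never loosened again, so
// later code in the same request cannot undo this. In production set it in
// php.ini or the vhost, e.g. php_admin_value open_basedir "/public_html/forum:/tmp".
ini_set('open_basedir', $forumDir . PATH_SEPARATOR . sys_get_temp_dir());

// The same probe now fails: scandir() returns false with an
// "open_basedir restriction in effect" warning.
echo tryListing($parent) === null ? "parent listing refused\n" : "parent listing allowed\n";

// Files inside the forum directory keep working as before.
echo count(scandir($forumDir)) . " entries readable inside the forum dir\n";
```

open_basedir only restricts PHP's own file functions; it does not confine programs started through exec() or system(), which is what disable_functions is for.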
Users can't do anything on your server if they don't have an FTP account. I'm not sure how you expect someone to run PHP code if they can't access the server.
Anybody can access a file in your file system if they know the path, doesn't matter if they're an admin or not. Someone being an admin has absolutely zero effect on access to actual files anywhere in your file system. If you give them access to edit something, then yes obviously there's a chance they can abuse it, but MyBB has no ability to enter and run PHP other than in an actual file that's already uploaded.

(2010-11-23, 12:18 PM)sysrq Wrote: But can I say in the ACP which folders in the filesystem a user is able to access?

What on earth...?? How is it MyBB's job to handle what files on your server people can access?? o.O
(2010-11-23, 01:32 PM)Kyuubi Wrote: Users can't do anything on your server if they don't have an FTP account.

I don't agree with this Kyuubi. A user doesn't need to have an FTP account to access data, if he can execute arbitrary PHP code.

The critical point is the filesystem. An FTP account is just a comfortable way for file hosters and users to upload and modify files on a local filesystem. Everybody knows what FTP is and how to handle an FTP client. But FTP is not the only way to access local files.

PHP also is able to read and modify files in the filesystem to provide a specific service to users.

Again: the critical point is the data on the filesystem. And there are at least two ways to access this data: 1. with FTP and 2. with PHP-code.

(2010-11-23, 01:32 PM)Kyuubi Wrote: I'm not sure how you expect someone to run PHP code if they can't access the server.

I guess with "...access the server..." you mean FTP access, right? An FTP account is not necessary to get access to local files in the filesystem. Also an FTP script is able to access files and modify them in an arbitrary way.

(2010-11-23, 01:32 PM)Kyuubi Wrote: I'm not sure how you expect someone to run PHP code

Well, basically every user initiates with each HTTP request that PHP is executed. The question is what code is executed, or what purpose the executed code has. Usually it is good code. But if a user is able to execute arbitrary code, then bad things are also possible.

And that is what I want to know: is an administrative user able to execute arbitrary code?