Possible exploit?
#1

[eluser]nevercraft[/eluser]
I have two domains hosted on the same dedicated server. For some odd reason, I decided to see if I was able to hook into the CI application on one domain from the other. I was kind of surprised to see that it worked... but it seems like this may present a big security risk for people on shared servers.

To explain this better I'll quickly detail each application's setup:

abc.com:
$system = '/home/abc/system/';
$application = '/home/abc/application/';

xyz.com:
$system = '/home/xyz/system/';
$application = '/home/xyz/application/';

You can then adjust the index.php file for xyz.com so that the $system and $application directories point to abc.com's application. Just below the inclusion of CodeIgniter.php, you can do something like print_r($CI->db->get('users')->result_array()) to see a list of users, or even worse someone could run an update, insert, or delete. Or, $CI->db->list_tables() to see your entire DB structure. At that point they could really do anything they wanted.

This isn't really a big issue for me, since I'm one of 5 people on the server (and the only one who knows PHP). However, the best solution I can think of to deter this would be to name your application directory something completely random.

It's possible this is due to the Apache configuration on my server - if so just let me know. I just thought I should mention it in case it could be exploited on a shared hosting account.
#2

[eluser]richthegeek[/eluser]
I would have thought this problem was more to do with the UNIX home directories not being secure - on my Ubuntu setup, I can't access the home directory of another user without becoming root.

If it is likely to be a problem, get on the blower with your hosting company.
#3

[eluser]nevercraft[/eluser]
I thought it might be a permissions issue at first too, but I'm not so sure.

I've seen mass hosting environments that chmod their user directories 711. The user has his own group as well. This allows the user to write, read, and execute in their home dir, and group/world can execute. This is required so that the web server user (usually www-data or nobody) can access the content within.

I've also seen setups where the user directory is chmod'd 710. The directory is owned by the user, and the group nobody (or www-data) is allowed to access it.

This prevents other users from being able to do something like ls /home/someoneelse and seeing their content. On the boxes I have access to, you can do something like ls /home/someoneelse/www/ and see anything in that directory though.

Unfortunately, I don't have access to any shared boxes with multiple sites running on them to test this more. Still, it seems that for any PHP file that is run, the Apache user is going to need read access to the file (i.e. chmod'd 644). Since hosts usually run all of their Apache threads under a single user, the application files could still be included as far as I know.

I'm the admin on the server I work on, so this isn't a problem for me - I'd just hate to see it become a problem for someone else.
#4

[eluser]frith[/eluser]
I'm not seeing how this is a CodeIgniter problem at all.
#5

[eluser]frith[/eluser]
Ok found it.
http://shiflett.org/articles/shared-hosting

This article explains in good detail why shared hosting often comes with inherent security risks such as the one you're experiencing. It isn't a CI problem or even a PHP problem (the reason safe_mode isn't all that safe). It's a Unix file system problem that occurs because Apache is run under a single user.
#6

[eluser]Derek Jones[/eluser]
Indeed, hosts that cater to PHP driven sites should be running Apache as your user account, not www/apache/nobody.
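
The permission layouts described in post #3 (home directory 711 versus 710, files 644) can be audited with a stat-based check. This is an added example, not code from any poster in the thread; the temporary directory tree, the `database.php` sample file and the uid/gid offsets standing in for "another local account" and "the shared Apache user" are constructed assumptions.

```python
import os
import stat
import tempfile


def _allowed(st, uid, gids, u_bit, g_bit, o_bit):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if uid == st.st_uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)


def can_read(home, rel_file, uid, gids):
    """True if (uid, gids) can traverse every directory from `home` down
    and read `rel_file`. Simulated from stat(); root (uid 0) is not modeled."""
    path = home
    for part in rel_file.split("/"):
        if not _allowed(os.stat(path), uid, gids,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
        path = os.path.join(path, part)
    return _allowed(os.stat(path), uid, gids,
                    stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def exposure(home_mode):
    """Build a constructed <tmp>/abc/application/config/database.php tree
    and report who can read the config file for a given home-dir mode."""
    home = os.path.join(tempfile.mkdtemp(), "abc")
    cfg_dir = os.path.join(home, "application", "config")
    os.makedirs(cfg_dir)
    for d in (os.path.join(home, "application"), cfg_dir):
        os.chmod(d, 0o755)
    cfg = os.path.join(cfg_dir, "database.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed sample file\n")
    os.chmod(cfg, 0o644)
    os.chmod(home, home_mode)
    st = os.stat(home)
    rel = "application/config/database.php"
    return {
        # Hypothetical unrelated local account: different uid, not in the group.
        "other_user": can_read(home, rel, st.st_uid + 1, {st.st_gid + 1}),
        # Hypothetical shared web-server user: different uid, member of the group.
        "web_server": can_read(home, rel, st.st_uid + 2, {st.st_gid}),
    }


if __name__ == "__main__":
    for mode in (0o711, 0o710):
        print(oct(mode), exposure(mode))
```

With 710 the unrelated account is locked out, but the shared web-server user can read the file in both layouts, so any script that user executes can as well; that is the gap the per-account Apache setup in post #6 closes.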



