What good is WebServer uid ?

root

Ok, I assume some of you have read about the ikonboard hole which displays any file that the webserver uid has the rights to read.

For details goto..http://darknet.securityinfos.com/exploits/daemon/cgi/ikonboard.htm
lynx http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
by: Martin J. Muench (muench@gmc-online.de)

But I'm wondering what use this hole is to a potential attacker?

I can read /etc/passwd as can any user with a local shell.However because I don't have root uid I can't read /etc/shadow and almost every unix box uses password shadowing now a days.I can read alot of other files like /etc/hosts etc..

Can anyone suggest interesting/helpful files to read ?

dogs

It's bad because you're letting an attacker find out more information about your machine.

A lot of web-apps store their authentication details in their config files. On a well-run system with multiple users, it should only be readable by that specific script, but too often they're left wide-open and world readable.
This would give an attacker access to a db account (if they were this lazy setting up the script, how likely is it they've filtered connections to the db?)

Other scripts I've seen keep users account
details, (with passwords stored in the clear *sigh*), in files that end up world-readable. This is a real problem if any of those users have logins/access to other services on the machine as, generally, there's always a couple users that use the same password for everything.

I can't think of any links off-hand, but a look through some of the web-apps on freshmeat should show you what I mean.

HTH.

[This message has been edited by dogs (edited 30-04-2001).]

nitr0s

Not all sys admins and operating systems enforce shadow passwords.