A reminder that upgrading your server might shut down parts of the security related components and leave services unintentionally exposed.
Upgrading should not be done without proper filtering of unwanted incoming traffic (via for example a firewall in front of the server).
Here we can see some database passwords and cryptographic secrets exposed during #debian13 upgrade due to PHP being down while the httpd was not.
#infosec #cybersecurity
@harrysintonen@infosec.exchange I hadn't thought of that, good point!
Post mortem:
This issue was made possible by a misconfiguration whereas "AllowOverride none" was used by accident. That made it possible to read the configuration file even though .htaccess file preventing it is in place.
So this in part this specific issue was a mistake by the admin (read: myself). I think it still highlights an issue that could occur in many other ways as well. It is best to restrict network access to servers when upgrading them.
PS: If you can't do things right at least make it possible for others to learn from your mistakes. ๐
@harrysintonen@infosec.exchange That's bonkers
@harrysintonen@infosec.exchange this really shouldn't happen, and I wonder what the exact config here is. In an fpm setup, which I believe is the common thing these days, you would not have your fpm daemon run, and your server returns an error.
@harrysintonen@infosec.exchange my old sysadmin was terrified of this specific problem so years and years ago we amended our php.ini, added a directory to the include_path outside of the website root and agreed that all functional code would live there and only presentation/formatting code would live in the website root.
It was a really solid system but it's made it a real bitch to look for outside hosting to migrate to now that my current sysadmin just doesn't /want/ to maintain a web server anymore.
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!