"Hack" in to localhost root directory from a VM web app - apache

I have apache VM web app running locally. It's red hat.
It's PHP based but the main page is index.html. I am able to to into sub-directories for images and such, I wanted to know if it is possible for me to gain access to the directories that contain the php code, probably just one level above the images directory. Because of index.html, it forces the load, and I am unable to see server files.

Yes there used to be a trick called dot-dot-traversal that could do this. Basically you put two dots into a URL and climb above the web root. Something like http://www.example.com/../../../../etc/shadow . Occasionally a new way to exploit the vulnerability is discovered, but mostly it is rare. Unless you're running an old server, you should be pretty safe.

Related

Website move: how to block/detect all HTTP requests to old domain

I'm moving a website from old.com to new.com/old, but I have to make sure it works before deleting old.com.
It's a very large legacy website that probably has links, images, scripts and other things hardcoded to old.com. The problem is that these references to old.com aren't obvious since the site loads up perfectly since old.com is still up.
Is there a way to block all requests to old.com from my local machine only, or some other tool to make finding these references simpler?
The former is done by updating your hosts file on your local machine to point old.com to something else, this overrides what the internet DNS states. The latter very much depends on how your application is build and there is not enough info here.

How to bypass red5 demo page on start up?

At present, I start up red5 in linux command line ./red5.sh and it runs the script. Then I go to http://localhost:5080 demos page to set up my camera and audio input and all works fine in testing the stream both on demo page and in swf of my webpage.
Question is, do I need to include some java and/or action script for the swf player to
bypass the red5 demo page so I can directly connect my input and stream in the code of the page? Also so only logged in webpage viewers can connect?
Overall wondering if there is a way of hiding the server stream from anyone not logged in to view it on my site? I understand in webapps folder somewhere there is the hosts list of IP but it would be impossible to know the IP of the viewers as opposed to unwanted viewers or bandwidth stealers.
I am trying to set up a site for poetry readings and make it so readers can record live to my server and then logged in viewers can view from my website. I am trying to figure out whether I must have that red5 page open and if that doesn't pose some kind of risk.
Found my own way of doing this just by removing and renaming files and folders.
If you go to usr/local/red5/webapps here lies all the directories for viewing when you go to default port 5080 so I simply installed the applications I needed and then took everything out of there except those applications I wanted and needed to run. I took out all and placed it in a folder in /var directory named it red5_movedstuff in case I want access to further applications later on.Then I renamed the applications I am using in webapps folder and kept admin folder to access them but I renamed my applications and had to importantly rename also in WEB-INF for each application name change.
Now if someone goes to myip:5080 they get a blank page and by changing names of applications I've hidden my directories beyond that including list of streams.

OS X Lion - Website sharing , display directory files

I need some help to get Mac WebSite sharing to work as i want.
Basically i need to know how i can make it display the files of a directory.
Do i need to make a website to show my directory files or is there any other way ?
And if i do need to make a website to display my directory, what code should i use to do so ?
I am no expert on HTML at all.
Allso, i have been searching around for this and i couldn't find any answers related to my question.
You need to turn indexes on in your Apache config. This could be on by default. Check to see if you have folder named Sites in your home directory. If you do rename the index.html page (if there is one) and then navigate to http://localhost/~yourusernamehere.
The same applies if you are using the default apache directory (the system wide one) which is located in /Library/WebServer/Documents if I remember correctly. In this case you would navigate to http://localhost. I just checked on my system (OS X 10.7) and the indexes were enabled by default.
You will need to use a server-side language such as PHP, Java, ASP.NET if you want to display the 'servers' directory on a web page. I will say because you're a begineer use PHP as it's very easy to learn...
Download MAMP / XAMPP.
Research PHP and follow some tutorials first, and then implement directory searching and output it as HTML.
http://php.net/manual/en/ref.dir.php
Code:
http://css-tricks.com/snippets/php/display-styled-directory-contents/

Issue in hosting a webapplication in a local machine

I have developed a webapplication in my local machine. the application is hosted on tomcat 7.0.22 server. the application is accessed using http://localhost:8080/app
When i use this in my localmachine, I am not facing any problems. But when I intend to share the link with my fellow team mates using the links http://myipaddress:8080/app, I am getting Javascript errors. I placed the js files in the build path of the application.
Even i have noticed the tables width are changed in the same browser
I am unable to find the problem. Can any one help
Thanks,
Vamsi
When testing on your own machine, use your own IP instead of "localhost" and should be able to compare apples with apples and avoid confusing cause and effect.
I would say to check the configuration of your host or vhost files, but if all included JS files are on the same host, that is unlikely to be the problem.
My guess is that you hard coded a path somewhere or that the problem is related to some other difference between testing from your machine and their machine (different browser, versions, plugins, etc) and not actually related at all to the domain. Could possibly also be a file permission problem (but that is a wild guess).

Ubuntu Lucid, cgi-bin, and MathTex

So I have several dedicated servers out there running Ubuntu Lucid server. They primarily run WordPress sites - LAMP. However, one of my original sites is a controls engineering site that uses MathTex to render the equations.
MathTex is pretty hard on servers. The engineering site is still hosted on the original VPS which runs something like CentOS (but that's irrelevant). The traffic and numbers of renderings that MathTex creates cause resource issues with my VPS. I've been able to allocate more resources to the VPS but ultimately this gets expensive. So I'd like to offload the equation rendering to my dedicated servers all of which are much more powerful and under-utilized.
So I've followed the instructions on installing and compiling MathTex. And MathTex works fine from the command line. However, when I attempt to call the script via my browser the browsers all try download the cgi file (I've tested on Firefox and Chrome on 2 machines).
This led me to attempt to compile and install on my home Ubuntu box that is Ubuntu desktop. The command line works fine. However, again when calling the function in my browser it wanted to download the file instead of rendering an equation. So I moved the mathtex.cgi script to /usr/lib/cgi-bin. Still no go. Then I changed /usr/lib/cgi-bin to 777 and it worked. I changed /usr/lib/cgi-bin to 755 and it stopped working.
So my home box works when /usr/lib/cgi-bin is 777. I tried that one of my dedicated Ubuntu servers and still no go. My browser still attempts to download the file.
The directive for Apache to find the cgi-bin directory is in /etc/apache/site-available/default. And at a quick glance they appear to be identical (I haven't yet studied every character).
FYI
I got some help from my hosting company. They are generally pretty good but this is outside the scope of what they provide for free. So when I was switching servers I had a couple of password issues and managed to tack this question on as well.
The support person finally got the mathtex.cgi script to run by creating a /cgi-bin under the domain's folder. Making that folder 777 and adding an AddHandler cgi-script to the http.conf. Then he restarted Apache2.
I had been putting mathtex.cgi under a generic /cgi-bin directory that I had intended to share among all the domains as needed. And this generic /cgi-bin directory appeared to be what the MathTex installation instructions were suggesting.
Hope this helps someone else.