Again on PHP ; security problems

Discussion in 'Security' started by Radio_Head, Apr 25, 2002.

  1. Radio_Head

    Just yesterday, using as few as 4 lines of PHP code, I was able to do everything on a shared server (I used fopen, file, fwrite and implode) in the /home/ directories.

    I was able to browse directories, reading all readable files, reading .htaccess files, reading PHP and CGI files, writing writable files (!), copying files FROM /home/userb TO /home/myaccount, retrieving the MySQL db and password, and much more.

    I was able to do all that on my shared account hosted with a great web hosting company (one of the top 20 USA hosting companies), and I was able to do it on my dedicated server with cPanel installed too.

    And consider that I am a Linux newbie (!). What could a Linux guru do with an account on a shared server running cPanel?

    If you take a look at the PHP filesystem functions
    http://www.php.net/manual/en/ref.filesystem.php

    you can understand that with PHP it is very easy to do damage and to retrieve data outside the /home/user dir with 2 or 3 lines of PHP code. It's as easy as reading a comic!

    Providing PHP is as dangerous as providing shell!
     
  2. Seven77

    PHP and Shell is no problem on shared hosting

    It is not really a problem if you know enough about Linux. Some easy steps - which in fact a web hosting company should know - and the server is safe.

    1. turn safe_mode on
    2. turn suexec on

    Done.

    Seven
     
  3. Radio_Head

    The great company referred to above has over 30.000 accounts.

    Can you tell me why they are not using PHP in safe mode?
    I don't think they are such Linux newbies ...

    Are you so sure that safe mode solves all problems?

    For example, I have read that the 'dir' class is not restricted by 'safe mode'.
     
  4. Radio_Head

    php 4.2.0

    version 4.2.0 (some security fixes)
    http://www.php.net/ChangeLog-4.php


    *** Added safe_mode checks for opendir().
    *** Changed php.ini directive 'safe_mode_include_dir' to accept a (semi)colon separated path (like 'include_path') rather than a single directory.
    *** Fixed --enable-safe-mode configure option.
    *** Re-instated safe-mode realm mangling. (?)

    SAFE MODE
    http://www.php.net/manual/en/features.safe-mode.php
     
  5. gemby

    I had the same problem with PHP on my server. I asked everybody: Red Hat, my dedicated server provider, forums... nothing happened, everybody says that this is no security hole at all.
    Safe mode is not the solution to your problems. If you enable safe mode, nothing will work as it should.
    I solved it by adding the following in httpd.conf after DocumentRoot (for every virtual server :)

    php_admin_value open_basedir "/home/username:/tmp"

    After that everything was safe; with your "browser" you cannot browse outside your home dir. ;)

    Nick, question 4U: How do I add something to some WHM script to add this automagically to my httpd.conf when I create an account?

    Question 4 PHP gurus: Is there any way to add this in php.ini so that adding that php_admin_value in httpd.conf for every virtual server is not necessary, something like
    php_admin_value open_basedir "/home/$USER:/tmp" - of course this is not working
     
  6. Radio_Head

    Originally posted by gemby:

        I had the same problem with PHP on my server. I asked everybody: Red Hat, my dedicated server provider, forums... nothing happened, everybody says that this is no security hole at all.
        Safe mode is not the solution to your problems. If you enable safe mode, nothing will work as it should.
        I solved it by adding the following in httpd.conf after DocumentRoot (for every virtual server :)

        php_admin_value open_basedir "/home/username:/tmp"

        After that everything was safe; with your "browser" you cannot browse outside your home dir. ;)

        Nick, question 4U: How do I add something to some WHM script to add this automagically to my httpd.conf when I create an account?

        Question 4 PHP gurus: Is there any way to add this in php.ini so that adding that php_admin_value in httpd.conf for every virtual server is not necessary, something like
        php_admin_value open_basedir "/home/$USER:/tmp" - of course this is not working


    Great! Thank you
     
  7. Brad

    Wouldn't this be better? Then all file operations will be limited to files under the specified user's directory.

    php_admin_value open_basedir "/home/username:/public_html"

    Originally posted by gemby:

        php_admin_value open_basedir "/home/username:/tmp"
     
  8. gemby

    No, it wouldn't, because the original syntax of open_basedir is:

    php_admin_value open_basedir /home/username

    but when you add it like this:
    php_admin_value open_basedir /home/username1
    php_admin_value open_basedir /home/username2/somethingelse

    PHP will ignore the first statement ;)

    But multiple options are possible only like this:
    php_admin_value open_basedir "/home/username:/tmp"

    In your case you can do the following:

    php_admin_value open_basedir "/home/username/public_html:/tmp" (you must provide access to the /tmp dir for a number of reasons)

    But keep in mind that your users may write scripts to read their e-mails, pull data from Webalizer, or something like that. In that case you must allow them to read and write in /home/user. There is no serious risk (I mean for the entire server, not for their account) if you allow everything in /home/tmp.

    Try it like that (I added this in 500 virtual servers), it works!!!
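
Added example, not part of any post in this thread and not cPanel code: a Python audit of httpd.conf that reports, per VirtualHost, the open_basedir problems raised in gemby's two posts and Brad's suggestion (directive missing, directive repeated, a path outside the account's home such as /public_html), plus entries without a trailing slash, which PHP 4 matches as string prefixes. The sample configuration, host names and issue labels are constructed for illustration, and the /home/<user>/ layout is assumed from the thread.

```python
import re

# Constructed sample httpd.conf fragment; host names and addresses are made up.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10>
    ServerName alice.example
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice/:/tmp/"
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName bob.example
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName carol.example
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir /home/carol
    php_admin_value open_basedir "/home/carol:/public_html"
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
BASEDIR = re.compile(r'^[ \t]*php_admin_value[ \t]+open_basedir[ \t]+"?([^"\n]+)', re.M | re.I)
DOCROOT = re.compile(r'^[ \t]*DocumentRoot[ \t]+"?([^"\s]+)', re.M | re.I)
NAME = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.M | re.I)

def audit(conf):
    """Return {ServerName: [issue labels]} for every <VirtualHost> block."""
    report = {}
    for body in VHOST.findall(conf):
        name = NAME.search(body).group(1)
        # Assumption: DocumentRoot is /home/<user>/..., so the home is its first two parts.
        home = "/".join(DOCROOT.search(body).group(1).split("/")[:3]) + "/"
        values = [v.strip() for v in BASEDIR.findall(body)]
        issues = ["missing"] if not values else []
        if len(values) > 1:
            issues.append("duplicate")  # only one line takes effect, per gemby's post
        # Inspect the last directive, the one left in effect when lines repeat.
        for path in (values[-1].split(":") if values else []):
            if path.rstrip("/") != "/tmp" and not (path.rstrip("/") + "/").startswith(home):
                issues.append("outside-home:" + path)
            # On PHP 4 each entry is a string prefix: "/home/carol" also admits
            # "/home/carol2". A trailing slash pins the entry to one directory.
            if not path.endswith("/"):
                issues.append("no-trailing-slash:" + path)
        report[name] = issues
    return report

print(audit(SAMPLE_CONF))
```

An empty list means the virtual host passed every check; run it against a copy of the real httpd.conf by passing the file's contents to audit().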
     