The Community Forums


Attack via php session id

Discussion in 'Security' started by sehh, Jun 11, 2014.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    In the past month or so, I noticed a new attack on our servers. Many accounts of ours generate this error multiple times:

    Code:
    PHP Warning:  session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/user/public_html/somefile.php on line XXXX
    
    Apparently, this method of attack uses the PHPSESSID cookie value in the HTTP GET/POST headers, with a crazy value of invalid characters. So far, I can't see if they are trying to exploit an old bug, or if they found some new 0-day vulnerability with session handling.

    At the very least, if the server reports PHP errors to the client, then they have managed to get the following information:

    - PHP file name
    - full path to the file
    - full user home directory
    - unix user account name


    What do you guys think? Information leak or remote exploit vulnerability?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. sehh

    Yes, it is installed and enabled. I'm using the default configuration file with a few extra updates of my own.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I recall some old bugs where you could eval code inside of referrers, session ids, etc. I can't remember the exact bugs but IIRC it was for Joomla plugins that do some logs/stats; when the referrers etc. got logged they'd become executable code.

    If you want the full payload you could use a custom modsec rule to see exactly what data they're sending. If you need help with that, let me know.

    Also a good time to disable display_errors for PHP so that the data you mentioned (account name, script path, etc) isn't displayed to visitors/attackers.
     
  5. sehh

    I would be interested to know the full payload. Can you please help me? I've never used the most advanced features of modsec, just simple rules to match keywords really.
     
  6. quizknows

    Sure.

    Say the request is coming to somefile.php. You can capture any requests (including POST payloads) to somefile.php with a custom rule like this:

    SecRule REQUEST_URI "somefile.php" "pass,log,id:2857467"

    When any requests are made for that file name, all the parts should be in your modsec audit log. You may want to disable cPanel's modsecparse.pl cron while inspecting this, as it empties your audit log hourly. Just temporarily move /etc/cron.hourly/modsecparse.pl out of the way to /backup/ or somewhere.

    Your data will be in /usr/local/apache/logs/modsec_audit.log and this can help you understand the parts of the request as they are logged (cookies, post data, headers, etc):

    https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLogParts
     
    #6 quizknows, Jun 11, 2014
    Last edited: Jun 11, 2014
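    To act on the audit log quizknows describes, here is an added example (not code from the thread, cPanel or ModSecurity) that parses serial-format modsec_audit.log entries, pulls the PHPSESSID cookie value out of part B, and reports, with the client IP from part A, every value PHP would reject with the warning sehh quoted. The two log entries are constructed samples; the entry ids and addresses are made up.

```python
import re
from urllib.parse import unquote
# Allowed characters exactly as the PHP warning in the thread lists them (PHP's length cap is not checked here).
_VALID_SID = re.compile(r"^[A-Za-z0-9,-]+$")
_BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # "--<entry id>-<part letter>--"

def is_valid_session_id(sid):
    return bool(_VALID_SID.match(sid))

def parse_audit_log(text):  # serial-format modsec_audit.log -> {entry_id: {part_letter: body}}
    entries, cur, part = {}, None, None
    for line in text.splitlines():
        m = _BOUNDARY.match(line)
        if m:
            cur, part = m.groups()
            entries.setdefault(cur, {}).setdefault(part, "")
        elif cur and part != "Z":  # part Z only terminates the entry
            entries[cur][part] += line + "\n"
    return entries

def find_bad_session_ids(text):  # (entry_id, client_ip, value) for every PHPSESSID PHP would reject
    bad = []
    for eid, parts in parse_audit_log(text).items():
        m = re.match(r"\[[^\]]*\]\s+\S+\s+(\S+)", parts.get("A", ""))  # A: "[ts] uid src_ip ..."
        for hdr in parts.get("B", "").splitlines()[1:]:  # B: request line, then headers
            name, _, val = hdr.partition(":")
            if name.strip().lower() != "cookie":
                continue
            for c in val.split(";"):
                cname, _, cval = c.strip().partition("=")
                sid = unquote(cval)  # PHP percent-decodes $_COOKIE values
                if cname == "PHPSESSID" and not is_valid_session_id(sid):
                    bad.append((eid, m.group(1) if m else "?", sid))
    return bad

# Constructed sample log: one normal request, one with an illegal session id (ids/IPs are made up).
SAMPLE_LOG = """\
--4f2a1c00-A--
[11/Jun/2014:09:12:33 +0000] U5hXYZabcdef 203.0.113.5 51234 198.51.100.10 80
--4f2a1c00-B--
GET /somefile.php HTTP/1.1
Cookie: lang=en; PHPSESSID=q7rj2a8k0n1bm4c9
--4f2a1c00-Z--
--4f2a1c01-A--
[11/Jun/2014:09:12:41 +0000] U5hXYZghijkl 203.0.113.77 51300 198.51.100.10 80
--4f2a1c01-B--
GET /somefile.php HTTP/1.1
Cookie: PHPSESSID=zz@@%25##%7B; lang=en
--4f2a1c01-Z--
"""
```

    Running find_bad_session_ids(SAMPLE_LOG) returns the second entry's id, the client address and the decoded value, which is what you need to correlate with the PHP warning and decide whether to block the source.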
  7. sehh

    Great work, thanks for the explanation!
     