The Community Forums

Interact with an entire community of cPanel & WHM users!

I need serious security help!!

Discussion in 'Security' started by chadi, May 25, 2004.

  1. chadi

    I ran the cpanel.php security check by a-squad

    Performing white box security audit...
    PASSED: cPanel INSTALLED (9.3.0-CURRENT_4)
    FAILED: Privileged UID Vulnerability Check (99) Explain
    FAILED: nobody execution Explain
    FAILED: Stealth Snoop Vulnerability [/home/vns] Explain
    PASSED: Simple $HOME Scanning [/home/vns]
    PASSED: Group $HOME Scanning [/home/vns]
    PASSED: Root /home scanning
    PASSED: Simple WEBROOT Protection
    FAILED: Real WEBROOT Protection Explain
    FAILED: SUEXEC mod_php Exploit Test Explain
    EXEC [id -a] as [vns]:

    uid=32013(vns) gid=514(vns) groups=514(vns)

    FAILED: One or more insecure cPanel configurations were detected. Visit A-Squad.Com for details on where to find more secure cPanel hosting.

    Explanations:
    #2 The special UIDs below 500 are for internal use and should not be used by unprivileged users.

    #3
    You are executing as the nobody user probably because you are using mod_php. Allowing different unprivileged users to execute arbitrary code as a common user is bad. Why? If you are the administrator of the server, it makes it more difficult to track which of your users are running programs that are grinding away the CPU or who is spamming or who filled up your /tmp partition with 800 GIGABYTES of MP3s, porn, warez, etc. If you are the user, it means that other unprivileged users on the system can view and execute any of your programs within your directory that need to be run as this common user. How can you stand to have a site hosted on a server like this?
    NOTE: All the following issues are easy to fix by simply switching from mod_php to mod_phpsuexec.

    #4
    Your home directory is world reachable or executable. This means everyone can get into your home directory (using chdir) and snoop around your files and directories without your knowledge or consent as long as the exact target file or directory is known to the snooper. You must individually lock down each and every file and directory (using chmod) that you do not explicitly want to let everyone see.
    NOTE: This is one of the most difficult vulnerabilities to fix. If you cannot figure out how to protect your system against this issue, then don't worry. I think A-Squad is the only one smart enough to figure out how to lock down this issue while still allowing ALL services to function perfectly. This is only a precautionary vulnerability but not a direct problem itself.

    #9
    Even if Simple WEBROOT protection is enabled, other users can bypass it and still access all the files within your document root. It is not possible to have Real WEBROOT Protection without mod_phpsuexec because the same user that needs access to serve your static pages (nobody) is the same user that other users on the machine are allowed to execute arbitrary code using php scripts. Trying to restrict users using open_basedir might help a little, but it doesn't stop the user from executing arbitrary code in another language (like perl) and obtaining total access to your web documents and scripts.

    #10
    Any user on your machine can execute any arbitrary command as any other user on your machine. This is probably the most severe vulnerability of all. If you are the administrator, you can eliminate this vulnerability by disabling mod_php when you recompile Apache (option 2). If you are the user, then I suggest you frequently make backups of your site since everyone has access to read, manipulate, and destroy all of your files and directories.
    If you move to A-Squad, you'll be safe.

    PLEASE HELP ME FIX THIS!!!!

    I already updated to Apache 1.3.1 - What next? When they say for example switch from mod_php to php_suEXEC where in WHM do I do this? I'm guessing "update apache" but what should I check and uncheck during the update?
     
  2. GuiPos

  3. chadi

    That does help. I've done that already. Can someone please help!
     
  4. chadi

    I enabled phpsuEXEC support and updated everything else including suEXEC, and now got this error for our order form:

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, "email" and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.


    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
     
  5. mickalo

    If this is from a Perl script error and you have enabled suexec, then be sure that the folder(s) your scripts are executed from are chmoded 0755 and the script(s) are executable.

    Mickalo;)
     
  6. chadi

    This is not a perl script.
     
  7. bamasbest

    What does your error log tell you?

    You may also want to check the ownerships of the php script(s) giving you problems.
     
  8. chadi

    What do you mean the ownerships of the php scripts? I'm the owner of the order form where it uses php and the databases remain the same name/passwords and all. Why would phpsuexec cause this?
     
  9. bamasbest

    Some php scripts, especially ecommerce scripts, tend to cache/write /tmp and session files under user nobody.
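
An added example, not written by any poster in this thread: a shell check for the permission and ownership problems raised in posts 5, 7 and 9. It assumes GNU find; the function name `suexec_audit` and the `/home/USER/public_html` path are placeholders, and it assumes phpsuexec enforces the same rules Apache documents for suEXEC (program and directory not writable by group or other, no setuid/setgid, owner matching the account).

```shell
#!/bin/sh
# Added example. Flags entries in one account's web root that break the
# rules Apache suEXEC documents for a program it is asked to run.
# Usage: suexec_audit /home/USER/public_html USER   (USER may be a numeric uid)

suexec_audit() {
    root=$1
    owner=$2

    # Program or directory writable by group/other (0775, 0777, 0666 ...):
    # suEXEC refuses both. Directories should be 0755, as post 5 says.
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'

    # Anything not owned by the account, e.g. cache or upload files that
    # mod_php created as "nobody" before the switch (posts 7 and 9).
    find "$root" ! -user "$owner" -print | sed 's/^/OWNER /'

    # setuid/setgid programs are refused as well.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/SETID /'

    # CGI/Perl scripts the owner cannot execute (post 5).
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' \) ! -perm -100 -print |
        sed 's/^/NOEXEC /'
}

# Run directly: sh suexec_audit.sh /home/USER/public_html USER
if [ "$#" -eq 2 ]; then
    suexec_audit "$1" "$2"
fi
```

Session and cache files written under /tmp sit outside the web root, so point the same function at the application's session directory as well if it has one.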
     
  10. NexGenUK

    phpSUEXEC

    I have also encountered this problem; PHP suEXEC does not seem to work with php 4.3.3. However, when you re-compile with php 4.3.6 and suexec etc. it works a treat...

    Hope this helps
     
  11. chadi

    Ok but will I have to notify my clients to update anything such as permissions or whatever if I do enable phpSuExec with php 4.36?
     
  12. NexGenUK

    You shouldn't need to; php suEXEC basically labels the php process to the user, rather than appearing as being run by "nobody". If you update, no-one is likely to notice...
     
  13. casey

    phpsuexec makes php run as cgi rather than as an apache module. That's a pretty big change. Some people will notice, as there are some scripts that simply won't work when run as cgi. ;)
     