php-fpm allows phpsysinfo?

uk01

Well-Known Member
Dec 31, 2009
195
19
68
Hi, we discovered something a few minutes ago.
I wanted to check we block phpsysinfo script.

Domain with php-fpm turned off - /phpsysinfo internal server error (static) / page not found (wordpress)

Domain with php-fpm turned on - allows /phpsysinfo and reveals all server info!

What is causing this difference?
It doesn't seem to matter what's in php.ini disable functions, the above happens.
 

uk01

I did it here WHM >> Software >> MultiPHP INI Editor to modify php.ini directives globally for each specific version of PHP.

I was of the understanding that PHP-FPM user pool values (ApachePHPFPM directory) take precedence over changes made using the MultiPHP INI Editor.

Therefore the MultiPHP INI Editor values are the base settings and should be honoured if an account is switched to PHP-FPM? If no extra settings are set in the ApachePHPFPM directory, the base settings should apply?

This does cause issues with clients using the php.ini editor in cPanel, as their settings are ignored, but that's another case.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello @uk01,

Quote:
I did it here WHM >> Software >> MultiPHP INI Editor to modify php.ini directives globally for each specific version of PHP.

I was of the understanding that PHP-FPM user pool values (ApachePHPFPM directory) take precedence over changes made using the MultiPHP INI Editor.

The global php.ini file (configured using WHM >> Software >> MultiPHP INI Editor) takes precedence over the custom php.ini directives configured for an individual domain's pool. See this section of the resource:

Caveat - PHP_INI_SYSTEM mode
PHP assigns php.ini directives with modes that determine the extent to which a directive is changeable. The following PHP documents define these modes and list the mode type for each php.ini directive:

PHP: Where a configuration setting may be set - Manual
PHP: List of php.ini directives - Manual

With this in mind, it's not possible to completely override the php.ini directive values configured in the PHP version's global php.ini file (WHM >> Software >> MultiPHP INI Editor) for directives associated with the PHP_INI_SYSTEM mode, even when directly modifying a PHP-FPM YAML configuration file. For example, let's say the following line is configured for PHP version 7.0 in WHM >> MultiPHP INI Editor >> Editor Mode:

Code:
disable_functions = popen,proc_open
If you were to set up passthru,system as the value for disable_functions (using option B in Step 5 above), then the actual PHP disabled functions for the domain would include passthru, system, popen, proc_open. Additionally, the PHPINFO output will only display what you've configured in the PHP-FPM YAML file, even though additional PHP functions are disabled. This is an artifact of how PHP and PHP-FPM work as opposed to how each is implemented with cPanel & WHM.

Thus, since you configured the disable_functions directive globally, those settings should in fact apply no matter what's configured individually for the account. However, the PHPINFO output will only display what you've configured in the PHP-FPM YAML file, even though additional PHP functions are disabled. This is an artifact of how PHP and PHP-FPM work as opposed to how each is implemented with cPanel & WHM.

Can you let me know how exactly you have configured the disable_functions line (both in MultiPHP INI Editor and in the YAML file) so I can attempt to reproduce the behavior you noted on a test system and see why it's not working as expected?

Thank you.
 

uk01

Hi, just realised I didn't reply:

It's set as
disable_functions = "ini_set,show_source,system,shell_exec,phpinfo,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables"


in the php.ini editor part of WHM. This is set for php5.6, 7, 7.1, 7.2
thanks
 

cPanelMichael

Hello @uk01,

Is there an actual PHPSYSINFO script uploaded to the document root of the two domain names you noted in your initial post? For instance, can you let us know the full steps we can take to reproduce the issue?

Thank you.
 

uk01

To reproduce, download phpsysinfo/phpsysinfo

Upload to any cpanel account with PHP-FPM activated

Rename php.new in the folder.

Visit www.thedomain.com/phpsysinfo or whatever the folder name was

It'll display
- hostname
- load
- kernel version etc
- memory
- swap
- machine name
- Processor info
- PCI SCSI etc
- all mounted filesystems
- System usage

Even network usage!

Interestingly it shows errors "proc_open() has been disabled for security reasons"

This particular account is set on PHP5.6 with PHP-FPM
phpinfo is disabled in disable_functions

If I turn PHP-FPM off, I get internal server error when running /phpsysteminfo, so when PHP-FPM is on, it allows this system info to be shown...
 

LucasRolff

Well-Known Member
Community Guide Contributor
May 27, 2013
141
85
78
cPanel Access Level
Root Administrator
Hi @uk01,

It's not a security issue in php-fpm, it happens with other handlers as well.

To be fair, in environments today the disable_functions ini setting isn't something that should be relied on. Many environments (including shared) ship with handlers that allow overriding php.ini settings, including disable_functions, which means people can override the default ones provided by the host.

The stats that phpSysInfo gives are by no means a security issue, let me explain why:

Hostname:
It will be known to anyone anyway

Load:
This can be seen in cPanel under "Server Information" as well, the load doesn't reveal anything important other than the actual load. If you're offering SSH or have the "Terminal" in cPanel enabled, people can simply do "uptime" and they'll see the load.

Kernel Version:
Can be seen by "uname -a" through SSH or the "Terminal", "Server Information" in cPanel.

Memory:
This is exposed by the /proc/meminfo or free -m - revealed system memory doesn't matter.

Swap:
Same as for memory - it doesn't matter.

Processor Info:
Can be seen from /proc/cpuinfo - nothing secret here

Mounted File Systems:
Can be seen from /proc/mounts, nothing here is a secret.

Network usage:
This can be pulled from /proc/net/dev and doesn't contain any information that can't be known to customers.

Even if you're using CloudLinux, which locks down things that shouldn't really be exposed to customers or between customers, there are still things like network usage, (some mounts) etc. that you can see. If you're afraid of this information being available, then you shouldn't host the clients on a server in the first place.

But more importantly, you should realize that none of the information exposed by phpSysInfo should be seen as confidential or "secrets", you can hide a bunch of things using CloudLinux, but the exposed information when you're running CloudLinux is completely fine.

If you're afraid of the kernel version, then update the kernel frequently (and reboot) or use something like KernelCare that patches your kernel every 4 hours if there are new security updates.

Load, memory or swap isn't "secret", and what CPU you use shouldn't be a secret either.

Possible "hackers" can't really use much of this either, so I'm not sure what the actual problem is with this data being exposed.
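
A way to check both points above on your own server, as an added example that is not part of the original thread: a small PHP script that compares the disable_functions value PHP reports with what the handler actually enforces, and tests whether the /proc files named above are readable without calling any disabled function. The $expected list is a constructed subset of the value posted earlier, and the helper names parse_disabled and audit_functions are made up for this example.

```php
<?php
// Added example: audit what a PHP handler really enforces for one account.
// Request it once with PHP-FPM on and once with it off, then delete it.

// Functions the administrator expects to be blocked (constructed sample:
// a subset of the disable_functions value posted in this thread).
$expected = ['system', 'shell_exec', 'exec', 'passthru', 'popen', 'proc_open', 'phpinfo'];

// /proc files named in the thread as the source of phpSysInfo's figures.
$procFiles = ['/proc/meminfo', '/proc/cpuinfo', '/proc/mounts', '/proc/net/dev'];

// Split a disable_functions string into a clean list of function names.
function parse_disabled($raw)
{
    return array_values(array_filter(array_map('trim', explode(',', (string) $raw)), 'strlen'));
}

// Compare the value PHP reports with what the engine actually enforces.
function audit_functions(array $expected)
{
    $reported = parse_disabled(ini_get('disable_functions'));
    $rows = [];
    foreach ($expected as $fn) {
        $rows[$fn] = [
            // What ini_get() shows; under PHP-FPM this may list only the
            // pool value, as described for the PHPINFO output above.
            'listed_in_ini' => in_array($fn, $reported, true),
            // function_exists() returns false for a function disabled through
            // disable_functions, so this reflects the enforced state.
            'callable' => function_exists($fn),
        ];
    }
    return $rows;
}

header('Content-Type: text/plain');
printf("SAPI: %s, PHP %s\n\n", PHP_SAPI, PHP_VERSION);

foreach (audit_functions($expected) as $fn => $r) {
    printf("%-12s listed_in_ini=%-3s callable=%s\n",
        $fn, $r['listed_in_ini'] ? 'yes' : 'no', $r['callable'] ? 'YES' : 'no');
}

echo "\n";
// Plain file reads need none of the functions above, which is why a script
// can report system figures while proc_open() is disabled.
foreach ($procFiles as $path) {
    printf("%-16s readable=%s\n", $path, is_readable($path) ? 'yes' : 'no');
}
```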
 

uk01

Great reply and confirms my thoughts.

My concern was more the fact it was ignoring the php.ini, but as you say these can be overridden anyway.

The fact the custom php.ini file doesn’t actually work with PHP-FPM is for another thread.

Thanks for your info! Appreciate your time :)
 