The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

security issue with phpSuExec / php.ini settings

Discussion in 'Security' started by qwerty, Dec 2, 2004.

  1. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    We use cpanel and phpsuexec ..

    We disable functions inside the server's main php.ini

    I just noticed today that if a customer uploads an empty php.ini (or with contents, but empty will work too) inside their public_html that NONE of the disabled functions are disabled any longer.

    eg. if you disable shell_exec, system etc inside your main php.ini and a customer uploads an empty php.ini to their space, they can use those functions.

    I don't think this used to be the case, even with phpsuexec and suspect it may be a bug/hole.. can someone confirm?

    The reason I don't think this used to be like this is because I remember quite clearly that we tried enabling a disabled function for a customer, even trying custom php.ini in customer's root dir, but it never worked ie. functions which were disabled in the main php.ini COULD NOT be re-enabled on a per-customer basis. But now it seems this is possible ... ?!

    And it's not just the disable_functions that is reset/overriden when a customer uploads an empty php.ini, ALL of your php.ini settings are reset to the defaults or whatever the customer puts inside their php.ini - ie. any restrictions you placed in the main server's php.ini are no longer applicable for this customer.
     
  2. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Its supposed to work this way.
    This is because phpsuexec runs PHP in CGI mode.

    If its run as an apache module the user cant use his own php.ini


    Also maybe unrelated to this issue but if any of the exec, system, passthru etc... functions are enabled it is possible for the user override any php restriction as executed programs are not subject to php restrictions such as safemode etc...
     
  3. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    125
    Likes Received:
    0
    Trophy Points:
    16
    same here

    yes I just checked on my server: disabled functions can indeed be enabled by the user through a local php.ini file.
    :(
     
  4. Faldran

    Faldran Well-Known Member

    Joined:
    May 28, 2002
    Messages:
    136
    Likes Received:
    0
    Trophy Points:
    16
    Wow, took you all long time to notice that... I have known that for almost 2 years now.. ( man how times flies. )
    That is why you should always watch your clients... i.e. we use a script and locate and/or find to find new php.ini and watch what people use it for.

    Not much worse than many things you can by-pass with .htaccess

    As always you should watch who you give accounts too and also watch what they do with it.
     
  5. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    This can be a downside, but the other way to view it, is because you are using phpsuexec any php script will run as that user. So if users do not have access to certain binaries, they won't be able to run them. Also if they try to create files, those files will be owned by them, so you can easily trace them. Its just one of those things you have to deal with.
     
  6. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    125
    Likes Received:
    0
    Trophy Points:
    16
    :) Just got my first server 2 weeks ago. I would be gratefull indeed if you could give me an idea how to write such a monitoring script!

    I wanted to use a similar script to watch /tmp directory for executable files uploaded (or other suspicious)

    perhaps something using find and sending mail in case of a match.
     
  7. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    I think you're wrong people ...

    I remember quite clearly a couple of months ago a customer needing the 'exec' function and since it was disabled in the main php.ini there was nothing we could do. I had tried everything to un-disable it by placing a custom php.ini in the customer's homedir, but it didn't do jack ..
     
  8. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    custom php.ini must be in the same folder as the .php file and this only works when phpsuexec is on.
     
  9. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    And the sky is blue. What's your point? I know that.

    But an empty php.ini shouldn't automatically un-disable disabled functions (that were disabled in the main server's php.ini) and it does. It didn't use to do so. Get it?
     
Loading...

Share This Page