Forum Index Search Forum Register Log in

Runs on XP to Win 10

Current

Download 7.0

Download 7.1 Beta5 upgrade



A donation makes a contribution towards the time and effort that's going in to running this site.

Steffen

Contact:
My mail address is
at the top of the paypal form :

Your donations will help to keep this site alive and well.


Update your links !! November 2016 the forum is at www.apachelounge.com/sambar

In the forum there are links to sambarserver.info,
replace "sambarserver.info" with "apachelounge.com/sambar"
Security advise: disable_fuctions in PHP

 
Post new topic   Reply to topic    Sambar Forum Index -> How-to's & Documentation & Tips
View previous topic :: View next topic  
Author Message
Steffen



Joined: 07 Jun 2004
Posts: 413
Location: Netherlands

PostPosted: Mon 06 Dec '04 16:48    Post subject: Security advise: disable_fuctions in PHP Reply with quote

A lot of you know it already, but still I want to share;

Today a Sambarian reported to me that users with upload facility where able to excute windows commands.

They uploaded a script and could execute it:

<
shell_exec('c:/del *.*')
>


And also they where able to grab all the passwords from the passwd file in the config directory.

It is advised to put in your php.ini:

disable_functions = "phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,
proc_close, proc_get_status,proc_open,proc_terminate,system"

With this setting users cannot execute windows commands. Note that also phpinfo is in the list, to prevent that users can see your php configuration.


Last edited by Steffen on Sun 08 May '05 14:22; edited 1 time in total
Back to top
View user's profile Visit poster's website
Brian



Joined: 07 Jun 2004
Posts: 67
Location: Graham, WA USA

PostPosted: Sat 11 Dec '04 7:03    Post subject: Reply with quote

I agree with your suggestions, however with setting the basedir the ability for the user to reach beyond the limits set by the basedir should be firm and so that such commands as readdir would then be safe if I am understanding correctly.

But yes, I agree about PHP_INFO() and all the others such as EXEC and so on.

There is NO need for people to execute such commands. Here again while I love Sambar and still use it, there is no way it can handle the security that Apache can with vhost control over every aspect of the PHP.INI file. You can have a unique PHP.INI config basically for every single vhost (with a little work). That is stength and flexibility.

Interesting thing I read, I am sure this is not new to many but there is a way to set up a UNIX server, likely a BSD server I suspect such that it is a "virtual dedicated-located" server. This way if Apache for me crashes it does not crash it for you ... on the same box and cpu and ram and so on ... whew. In a nut shell there is a way to keep one "virtual dedicated server" from having ANY effect on another or the rest of the server for that matter. How is that possible?

I bit OT yes but it ties in with my concern about security. It is very easy to right a script to tie up the server's CPU. So then how to locate that script?

For example, I have about 275 clients right now. I am confident that they cannot go places where I do not want them. But ... but how can I prevent them from bring the server down from withing thier own boundries?

TY for the topic here Steffen, very important one indeed.

I have to say it again too, the site looks just outstanding. You have done a very fine job.

--
Brian
Back to top
View user's profile Visit poster's website
waldbauer.com



Joined: 08 Jun 2004
Posts: 105
Location: Vienna

PostPosted: Thu 16 Dec '04 13:00    Post subject: Reply with quote

Thats a big problem - each skript which allows upload and edit files through web can be modified to execute abuse commands on the remote computer.
Back to top
View user's profile Visit poster's website
Brian



Joined: 07 Jun 2004
Posts: 67
Location: Graham, WA USA

PostPosted: Thu 20 Jan '05 5:27    Post subject: Reply with quote

I missed this follow up ... sorry for a very delayed post here.

Anyway, actually in Apache you can restrict per directory what content can be "uploaded" as in you are editing a page / file with a baic text edit field or even a wysisyg.

MOD_SECURITY allows for filtering of any type of content that is submitted via GET or POST. So it is quite easy to block javascript for example. Another example is the ability to upload and execute SQL instructions. There are a ton of already written filters that one should at least look at when choosing to go with this mod for Apache.

Also, it is not hard to configure PHP to prevent a person from gaining access outside his or her vhost container. In fact it is darn easy to block that. Perl on the other hand, please educate me.

In fact I am pretty sure MOD_SECURITY would have been able to block that recent PHPBB exploit that injected some SQL instructions if the proper filters were in place. Though I am not 100% sure of that, from what I have read and seen it should have been possible.

How could I ever enable CGI globally on my server (Perl in this case) and keep people from executing scripts outside of thier vhost container (the directory that is).

THat is to say, that the scripts that they have don't reach beyond that point and that they do not access scripts beyond that point. I have never understood how to secure Perl. I have posted this in a ton of places and as dumb as I am with Perl it would be easy as apple pie to write a script to do naughty things.

--
Brian
Back to top
View user's profile Visit poster's website
waldbauer.com



Joined: 08 Jun 2004
Posts: 105
Location: Vienna

PostPosted: Sat 28 Jul '07 9:31    Post subject: Reply with quote

Old thread;new question - open basedir per vhost possible ?
Back to top
View user's profile Visit poster's website

Post new topic   Reply to topic    Sambar Forum Index -> How-to's & Documentation & Tips
Page 1 of 1