Again on PHP; security problems

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,048
1
343
Just yesterday, using as few as 4 lines of PHP code, I was able to do everything on a shared server (I used fopen, file, fwrite and implode) in the /home/ directories.

I was able to browse directories, read all readable files, read .htaccess files, read PHP and CGI files, write to writeable files (!), copy files FROM /home/userb TO /home/myaccount, retrieve the MySQL db and password, and much more.

I was able to do all that on my shared account hosted with a great web hosting company (one of the top 20 USA hosting companies), and I was able to do it on my dedicated server with cPanel installed too.

And consider that I am a Linux newbie (!); what could a Linux guru do with an account on a shared server running cPanel?

If you take a look at the PHP filesystem functions
http://www.php.net/manual/en/ref.filesystem.php

you can understand that with PHP it is very easy to do damage and to retrieve data outside the /home/user dir with 2/3 lines of PHP code; it's as easy as reading a comic!

Providing PHP is as dangerous as providing shell!
 

Seven77

Active Member
Nov 7, 2001
29
0
301
PHP and Shell is no problem on shared hosting

It is not really a problem if you know enough about Linux. Some easy steps - which in fact a web hosting company should know - and the server is safe.

1. turn safe_mode on
2. turn suexec on

Done.

Seven
 

Radio_Head

The great company referred above has over 30.000 accounts.

Can you tell me why they are not using PHP in safe mode?
I don't think they are such Linux newbies...

Are you so sure that safe mode solves all problems?

For example, I have read that the 'dir' class is not restricted by 'safe mode'.
 

Radio_Head

php 4.2.0

version 4.2.0 (some security fixes)
http://www.php.net/ChangeLog-4.php


*** Added safe_mode checks for opendir().
*** Changed php.ini directive 'safe_mode_include_dir' to accept a (semi)colon separated path (like 'include_path') rather than a single directory.
*** Fixed --enable-safe-mode configure option.
*** Re-instated safe-mode realm mangling. (?)

SAFE MODE
http://www.php.net/manual/en/features.safe-mode.php
 

gemby

Well-Known Member
PartnerNOC
Feb 16, 2002
182
0
316
Pula, Croatia
cPanel Access Level
DataCenter Provider
I had the same problem with PHP on my server. I asked everybody: Red Hat, my dedicated server provider, forums... nothing happens, everybody says that this is no security hole at all.
Safe mode is not the solution to your problems. If you enable safe mode, nothing will work as it should.
I solved it by adding the following in httpd.conf after DocumentRoot (for every virtual server :)

php_admin_value open_basedir "/home/username:/tmp"

After that everything was safe; with your "browser" you cannot browse outside your home dir. ;)

Nick, question 4U: How to add something in some WHM script to add this automagically in my httpd.conf when I create an account?

Question 4 PHP gurus: Is there any way to add this in php.ini so that adding that php_admin_value in httpd.conf for every virtual server is not necessary, something like
php_admin_value open_basedir "/home/$USER:/tmp" - of course this is not working
 

Radio_Head

Originally posted by gemby:

> I had the same problem with PHP on my server. I asked everybody: Red Hat, my dedicated server provider, forums... nothing happens, everybody says that this is no security hole at all.
> Safe mode is not the solution to your problems. If you enable safe mode, nothing will work as it should.
> I solved it by adding the following in httpd.conf after DocumentRoot (for every virtual server :)
>
> php_admin_value open_basedir "/home/username:/tmp"
>
> After that everything was safe; with your "browser" you cannot browse outside your home dir. ;)
>
> Nick, question 4U: How to add something in some WHM script to add this automagically in my httpd.conf when I create an account?
>
> Question 4 PHP gurus: Is there any way to add this in php.ini so that adding that php_admin_value in httpd.conf for every virtual server is not necessary, something like
> php_admin_value open_basedir "/home/$USER:/tmp" - of course this is not working


Great! Thank you
 

Brad

Well-Known Member
Aug 16, 2001
229
0
316
Wouldn't this be better? Then all file operations will be limited to files under the specified user's directory.

php_admin_value open_basedir "/home/username:/public_html"

Originally posted by gemby:

> php_admin_value open_basedir "/home/username:/tmp"
 

gemby

No, it wouldn't, because the original syntax of open_basedir is:

php_admin_value open_basedir /home/username

but when you add it like this:

php_admin_value open_basedir /home/username1
php_admin_value open_basedir /home/username2/somethingelse

PHP will ignore the first statement ;)

But multiple options are possible only like this:

php_admin_value open_basedir "/home/username:/tmp"

In your case you can do the following:

php_admin_value open_basedir "/home/username/public_html:/tmp" (you must provide access to the /tmp dir for a number of reasons)

But keep in mind that your users may write scripts to read their e-mails, pull data from Webalizer, or something like that. In that case you must allow them to read-write in /home/user. There is no serious risk (I meant for the entire server, not for their account) if you allow everything in /home/tmp.

Try it like that (I added this in 500 virtual servers), it works!!!
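An added example, not part of any post in this thread: a small audit of an httpd.conf for the three open_basedir mistakes discussed above (a vhost with no directive, a repeated directive where only the last one applies as gemby describes, and a colon-separated entry that points outside the account, as in "/home/username:/public_html"). The sample config, the function names and the assumption that the account home is everything before /public_html in DocumentRoot are constructed for the illustration.

```python
import re

# Constructed sample vhosts (not from the thread), cPanel-style /home/<user>/public_html.
SAMPLE_CONF = '''
<VirtualHost 192.0.2.10>
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10>
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir /home/carol
    php_admin_value open_basedir /home/dave/somethingelse
</VirtualHost>
<VirtualHost 192.0.2.10>
    DocumentRoot /home/erin/public_html
    php_admin_value open_basedir "/home/erin:/public_html"
</VirtualHost>
'''

VHOST = re.compile(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', re.S | re.I)

def directive(body, name):
    """All values of one directive inside a vhost body, in file order."""
    pat = re.compile(r'^[ \t]*' + name + r'[ \t]+"?([^"\n]+?)"?[ \t]*$', re.M | re.I)
    return pat.findall(body)

def audit(conf):
    """Map each DocumentRoot to a list of open_basedir problems (empty = fine)."""
    findings = {}
    for body in VHOST.findall(conf):
        root = (directive(body, 'DocumentRoot') or [''])[0]
        values = directive(body, r'php_admin_value[ \t]+open_basedir')
        issues = []
        if not values:
            issues.append('no open_basedir')
        else:
            if len(values) > 1:
                issues.append('repeated directive, only the last applies')
            paths = [p.rstrip('/') for p in values[-1].split(':')]
            if not any(root == p or root.startswith(p + '/') for p in paths):
                issues.append('DocumentRoot outside open_basedir')
            home = root.split('/public_html')[0]  # assumed account home
            issues += ['path outside account: ' + p for p in paths
                       if p != '/tmp' and p != home and not p.startswith(home + '/')]
        findings[root] = issues
    return findings
```

Calling `audit()` on the text of a real httpd.conf returns one entry per VirtualHost, so an empty list for every DocumentRoot means each account is confined to its own home plus /tmp.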