Surpass Web Hosting Forums - View Single Post

**cowboy** · April 22nd, 2006, 4:56 AM

My intent is not to deny anything, but rather to help others having a problem with their sites that use PHP after the decision to activate phpSUexec on all servers. That decision has been made without any consultation with me. We simply need to help with getting the problems solved.

I agree 100% with haugland's last post, when PHP is run as an apache module.

Script exploits stem from someone devising a way to write a script file to your space without a FTP password and make it run, doing things like changing file permissions, changing file content, and even deleting files. This can be done relatively easy when "nobody" or "the world" is allowed the right to run their scripts in someone else's space, generally referred to as 'hacking'.

The tool which has been made available that removes this very relaxed method in which Apache allows PHP to run, to that of a 'Common Gateway Interface' (CGI), is this new activation of PHPsuExec.

With the ability of "the world" or "nobody" running these renegade scripts using Apache, a potential equal to the total users on the internet has access to run these files in your own space. Millions.

Allowing only one user to write a file to your space, the one who has the FTP password, the odds are reduced from Millions to One.

Personally, I like those odds. I like them so well that I also use the Apache suexec module and force Apache to adhere to "set user" rules. My sites will even refuse to honor execution commands from scripts I might upload as the Server Administrator leaving them belonging to the big boss "root".

Each domain has a unique user and they can only work outside of their space by the scripts owned by the user, requesting root intervention.

Be concerned by the owner of the file. A file permission between 0444 and 0755 will work (directories 0755) and at the same time not leave cause for security breach. As has been noted in haugland's post, anyone can chmod a file in Apache. Only a user/owner can write a file with PHPsuExec.

Today I see someone else is still confused as to who owns the files. I have written the following script for anyone to copy and name fileinfo.php and upload to their public_html directory. Running http://yourdomain/fileinfo.php will let you enter a path and file or directory name and it will return the owner, group and the permissions.

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
            "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Help me find the file owner</title>
</head>
<body leftmargin="10" topmargin="10">
<?php 
if ($_POST){
$startscript=$_POST['source']; 
$startscript=preg_replace('/^\//','',$startscript);
$startscript=preg_replace('/^.\//','',$startscript);
$startscript="./".$startscript;
$fileowneruid=fileowner($startscript); 
$fileownerarray=posix_getpwuid($fileowneruid); 
$fileowner=$fileownerarray['name']; 
$filegroup=$fileownerarray['gid'];
$fileuserid=$fileownerarray['uid'];
$fileperms=substr(sprintf('%o', fileperms($startscript)), -4);
echo "Details for <b>$startscript</b><br><br>";
echo "Owner ID is --: $fileuserid<br>";
echo "Owner name is --: $fileowner<br>"; 
echo "Group ID is --: $filegroup<br>";
echo "File permissions are --: $fileperms<br>";
}
?> 
Enter the path (relative to this file) and name of the file or directory you want ownership and permission for:
<form method="POST" action="<?=$_SERVER['PHP_SELF']?>">
<input type="text" size=100 name="source">&nbsp;<input type="submit" name="s1" value="GO">
</form>
</body>
</html>

April 22nd, 2006, 4:56 AM	#13 (permalink)
cowboy Surpass Fan Excelling Contributor Joined in Nov 2005 Lives in Colorado Hosted on DEDI 934 posts Gave thanks: 2 Thanked 94 times	My intent is not to deny anything, but rather to help others having a problem with their sites that use PHP after the decision to activate phpSUexec on all servers. That decision has been made without any consultation with me. We simply need to help with getting the problems solved. I agree 100% with haugland's last post, when PHP is run as an apache module. Script exploits stem from someone devising a way to write a script file to your space without a FTP password and make it run, doing things like changing file permissions, changing file content, and even deleting files. This can be done relatively easy when "nobody" or "the world" is allowed the right to run their scripts in someone else's space, generally referred to as 'hacking'. The tool which has been made available that removes this very relaxed method in which Apache allows PHP to run, to that of a 'Common Gateway Interface' (CGI), is this new activation of PHPsuExec. With the ability of "the world" or "nobody" running these renegade scripts using Apache, a potential equal to the total users on the internet has access to run these files in your own space. Millions. Allowing only one user to write a file to your space, the one who has the FTP password, the odds are reduced from Millions to One. Personally, I like those odds. I like them so well that I also use the Apache suexec module and force Apache to adhere to "set user" rules. My sites will even refuse to honor execution commands from scripts I might upload as the Server Administrator leaving them belonging to the big boss "root". Each domain has a unique user and they can only work outside of their space by the scripts owned by the user, requesting root intervention. Be concerned by the owner of the file. A file permission between 0444 and 0755 will work (directories 0755) and at the same time not leave cause for security breach. As has been noted in haugland's post, anyone can chmod a file in Apache. Only a user/owner can write a file with PHPsuExec. Today I see someone else is still confused as to who owns the files. I have written the following script for anyone to copy and name fileinfo.php and upload to their public_html directory. Running http://yourdomain/fileinfo.php will let you enter a path and file or directory name and it will return the owner, group and the permissions. Code: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Help me find the file owner</title> </head> <body leftmargin="10" topmargin="10"> <?php if ($_POST){ $startscript=$_POST['source']; $startscript=preg_replace('/^\//','',$startscript); $startscript=preg_replace('/^.\//','',$startscript); $startscript="./".$startscript; $fileowneruid=fileowner($startscript); $fileownerarray=posix_getpwuid($fileowneruid); $fileowner=$fileownerarray['name']; $filegroup=$fileownerarray['gid']; $fileuserid=$fileownerarray['uid']; $fileperms=substr(sprintf('%o', fileperms($startscript)), -4); echo "Details for <b>$startscript</b><br><br>"; echo "Owner ID is --: $fileuserid<br>"; echo "Owner name is --: $fileowner<br>"; echo "Group ID is --: $filegroup<br>"; echo "File permissions are --: $fileperms<br>"; } ?> Enter the path (relative to this file) and name of the file or directory you want ownership and permission for: <form method="POST" action="<?=$_SERVER['PHP_SELF']?>"> <input type="text" size=100 name="source"> <input type="submit" name="s1" value="GO"> </form> </body> </html> __________________ Where would you be if you were at the highest court in the land (US)?