How do I prevent uploaded file to allow browsing of server?

heiatufte
Forum Newbie
Posts: 18
Joined: Wed Mar 02, 2005 3:45 pm
Location: AA, Norway

Post by heiatufte »

Hi there!

My server is used as a "Free webhotel", so people can register and publish their own sites, php and mysql supported. It used to run on a win xp machine :oops:.

Recently, someone uploaded a PHP script which allowed them to browse the whole server. They could also see my own site files, and eventually someone would have found the file that connects to my mysql database, and see my password.

I had to shut the site down. (The logs showed that they hadn't found the password yet though).

I eventually found out that switching to Linux would be more secure. Starting from NO experience at all, I installed Fedora Core 3 and Gnome.

Now, after a lot of configuring and compiling, it finally works, but to my surprise, the user could still browse the server!

I turned safe_mode and safe_mode_gid in php.ini off. No result.
Setting open_basedir to something limited would prevent include() and other functions I need from working.

Here's the script: http://home.no.net/rht87/dirtable.txt
(If it doesn't work on your server, try adding "?showdir=/<folder name>/" to the end of the URL, or "?showdir=C:\<folder name>" if windows.)

Some folders are hidden, but if the user knows it's there, it can be manually inserted into $showdir=(...). That applies to files also, $showfile=(...).

I can't reopen my site if I can't fix this problem! :cry: Does anyone know any way I can prevent this kind of file browsing? I know it's possible. And I'm open for most suggestions :D

BR/HeiaTufte
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You need to read your webserver documentation...

And make sure that the files that are uploaded are not allowed to be interpreted...

For example, make an .htaccess in the upload dir


# Apache 2.2 syntax: deny every request for a *.php file in this directory
<Files ~ "\.php$">
   Order allow,deny
   Deny from all
</Files>
heiatufte
Forum Newbie
Posts: 18
Joined: Wed Mar 02, 2005 3:45 pm
Location: AA, Norway

Post by heiatufte »

I want them to be interpreted, I just don't want them to be able to browse the rest of my disk.
I doubt people would be very interested in my webhotel if I don't allow them to run their own files ;)
How did you know I'm using Apache? Did you just assume? :P
I wouldn't be asking here if I didn't RTFM (well, just those parts where it's most likely to be) anyway :)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Because your scripts are executed by your webserver you have to make sure your webserver is not allowed to list those directories... or access those files...

I think it's easier to configure suPHP or suEXEC for the upload directory, and make sure all files in that directory are executed under an even more restricted user..
heiatufte
Forum Newbie
Posts: 18
Joined: Wed Mar 02, 2005 3:45 pm
Location: AA, Norway

Post by heiatufte »

Thanks!

I downloaded suPHP, and made it work (never tried/heard of before though).
The malicious script has some problems downloading files that don't have read permissions for "others" now! But so does Apache.
Opening an HTML document which doesn't have read permissions for others than "root" will give a 403 Forbidden error.

My apache program is self-compiled, so I don't have a user for it. The user "apache" belongs to the pre-compiled apache installation that came with FC3. I don't think I have apxs with that one though, so suPHP wouldn't work.

Anyway, how can I now add a user in a way so that all files can be read via the http daemon, while PHP can't see any? And, is it safe to give the whole disk only root access? How do I do that, anyway? Or perhaps you have a better suggestion.

As you probably can see, I'm not that experienced :oops: but I'm learning ;)
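As an added example that is not from the thread, here is the shape of a per-account Apache 2.2 virtual host along the lines of timvw's suPHP suggestion, together with the file ownership that answers the last question above (the http daemon can read and serve the static files, while PHP running as a different hosting account cannot). The account name alice, the paths under /home/alice, the group name apache and the hostname are assumptions.

```apache
# Added example, not from the thread. One <VirtualHost> per hosted account,
# Apache 2.2 syntax with mod_suphp (suphp.conf mode=paranoid, so the uid/gid
# below must also own the script files). Assumed names: account "alice",
# httpd worker group "apache", docroot /home/alice/public_html.
#
# Ownership and modes that go with it (run once per account, as root):
#   chown alice:apache /home/alice /home/alice/public_html
#   chmod 710 /home/alice
#   chmod 750 /home/alice/public_html
#   find /home/alice/public_html -type f -exec chmod 640 {} \;
# httpd (group apache) can traverse and read alice's files and serve them as
# static content; a script another tenant runs under suPHP (its own uid, not
# in group apache) is refused at /home/alice with EACCES.

<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /home/alice/public_html

    # PHP under this host runs as alice:alice instead of the httpd user, so a
    # "dirtable" style browser only sees what alice herself may read.
    suPHP_Engine on
    suPHP_UserGroup alice alice
    AddHandler x-httpd-php .php
    suPHP_AddHandler x-httpd-php

    # Per-account php.ini (suPHP does not honour php_admin_value). Keep
    # /home/alice/etc owned by root so the tenant cannot edit it, and put
    #   open_basedir = /home/alice:/tmp
    # in /home/alice/etc/php.ini: include() of alice's own files still works,
    # while /etc, /home/bob and the rest of the disk are out of reach.
    suPHP_ConfigPath /home/alice/etc

    <Directory /home/alice/public_html>
        # No automatic directory listings; symlinks only to alice's own files.
        Options -Indexes +SymLinksIfOwnerMatch
        # Tenants cannot re-enable either through .htaccess.
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Each additional account gets its own block with its own uid, group, docroot and ConfigPath; the directory modes above are what keeps the accounts apart from each other, the suPHP directives are what keeps PHP apart from the httpd user.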