HTF???

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: Other types

Post by feyd »

tarnus wrote:In situations where you allow other file types to be uploaded such as pdfs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
Look through the threads linked from Useful Posts..
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Re: Other types

Post by AKA Panama Jack »

tarnus wrote:In situations where you allow other file types to be uploaded such as pdfs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
Well, if you have the PDF module installed you could try loading the file as a PDF and see if it fails using PDF_open_pdi.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Other types

Post by Chris Corbyn »

tarnus wrote:In situations where you allow other file types to be uploaded such as pdfs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
If this is a CMS you could provide the *option* to set the file types that are allowed and then check the header bytes for those types... I don't believe the overhead would be huge and it only happens when uploading a file so it's not like it's being done in a loop on every page load or anything.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting a .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent php execution in that specific dir.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Weirdan wrote:Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting a .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent php execution in that specific dir.
Not a bad idea, but wouldn't chmod 0444 do the same thing?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

No. There's no need for a php script to be executable (in terms of filesystem attributes) to get interpreted by a web server with mod_php installed.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

:( So even if a file is marked as non-executable it can still get executed? We need to open a thread on how to protect against this. I protect uploaded files by chmod'ing them. This is bad :(
tarnus
Forum Newbie
Posts: 6
Joined: Wed Jan 14, 2004 10:09 am

Post by tarnus »

Weirdan wrote:Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting a .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent php execution in that specific dir.
Excellent suggestion. I hadn't thought of removing the executable types. That would pretty much eliminate this type of exploit.

Thanks!
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

:( So even if a file is marked as non-executable it can still get executed?
Of course. Myself, I never 'chmod +x' php files. Actually, I have the following attributes on all of my php files: rw-r--r-- (owner/group: weirdan.www).
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

I hadn't thought of removing the executable types.
Just make sure you carefully read Apache manual chapters on those directives. You don't want the false sense of security, do you? :)
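The uploads-directory .htaccess that Weirdan describes, written out as an added example (not configuration from the thread). It assumes Apache with mod_php and an AllowOverride setting that permits these directives; the extension list is a constructed one:

```apache
# Added example (not from the thread): .htaccess for the uploads directory.
# Assumes Apache with mod_php; the extension list is constructed for illustration.

# Undo AddType/AddHandler based PHP mappings inherited from the server config.
RemoveType    .php .phtml .php3 .php4 .php5 .phps
RemoveHandler .php .phtml .php3 .php4 .php5 .phps

# Those two do not undo a SetHandler placed in a <FilesMatch> block in the
# server config, so also turn the PHP engine off for this directory.
php_flag engine off

# And refuse to serve such files at all, whatever handler is attached to them.
<FilesMatch "\.(php|phtml|php[345]|phps)$">
    Require all denied
</FilesMatch>
```

AllowOverride must permit each directive (FileInfo for the Remove* pair, Options for php_flag, AuthConfig for Require), and on Apache 2.2 the Require line becomes "Order deny,allow" plus "Deny from all". Because a .htaccess uploaded into the same directory could override this one, the same block inside a <Directory> section of httpd.conf is the stronger place for it.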
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Chonk wrote:I had a quick look over the script and it just acts as an interface to make it simpler to exploit the system further.
The fact that it's on the system means that your code had a hole that allowed it to be uploaded; you may be lucky and your system may actually be quite secure and patched. It's still worth some investigation though.

Here is the link for those that are interested :
http://rst.void.ru/download/r57shell.txt
It basically just returned normal variables accessible through any PHP script...DOCROOT, etc...

Nothing amazing...and the guy...didn't really do anything fancy but uploaded a PHP script via my file upload...my bad I admit...but any tool could figure that out...

As far as I can tell they did nothing to my system...except upload the scripts...I imagine I'll be getting an email from the company if they did anything bad :P
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

AKA Panama Jack wrote:Just use getimagesize to detect the image type. It works and if you are accepting images and NOT using this then it really is a security flaw.

You should be using that to detect the image type and if the image type doesn't match the extension used then the uploaded data should be discarded.
PHP manual in GetImageSize wrote: Returns an array with 4 elements. Index 0 contains the width of the image in pixels. Index 1 contains the height. Index 2 is a flag indicating the type of the image: 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF(intel byte order), 8 = TIFF(motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM.
I'm not going to get into this security argument again...as it's strictly subjective...

IMHO it's not a security flaw...but merely a misunderstanding of how files were processed by PHP...

Again...it's a generic file manager...so checking images using the getimage_* type functions won't work or at least serves no point...

I was well aware of the *risk* and I am well aware of how to properly check, sanitize user input...

How do you incorporate security checks for *every* single file known to man? While still remaining manageable???

You check its extension against a known array of trusted extensions, under the assumption that by using a principle of least privilege you *can* make your system fairly secure...

Problem was...I had no idea PHP executed anything thrown at it :(

I guess users will have to accept that as a generic file manager...there are inherent risks...
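A whitelist-plus-header-bytes check of the kind Chris Corbyn and AKA Panama Jack describe above, combining the extension whitelist with a signature check and a getimagesize() confirmation for images, as an added example (not code from the thread or from alex.barylski's file manager); the signature table and the set of allowed types are constructed for illustration:

```php
<?php
// Added example (not from the thread). Whitelist the extension, then require the
// file's first bytes to match a known signature for that extension, and for
// images also require getimagesize() to report the same type.

// Allowed extension => accepted leading bytes (constructed table; add only the
// types you really need to accept).
const UPLOAD_SIGNATURES = [
    'png' => ["\x89PNG\r\n\x1a\n"],
    'gif' => ["GIF87a", "GIF89a"],
    'jpg' => ["\xFF\xD8\xFF"],
    'pdf' => ["%PDF-"],
];

// Type that getimagesize() must report for each image extension.
const IMAGE_TYPES = ['png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF, 'jpg' => IMAGETYPE_JPEG];

function validate_upload(string $tmpPath, string $originalName): bool
{
    // Only the final extension counts; "x.php.jpg" is treated as jpg here, so
    // this check still needs an upload directory where nothing is executed.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!array_key_exists($ext, UPLOAD_SIGNATURES)) {
        return false;                       // extension not whitelisted
    }
    $head = file_get_contents($tmpPath, false, null, 0, 16);
    if ($head === false || $head === '') {
        return false;                       // unreadable or empty file
    }
    $matched = false;
    foreach (UPLOAD_SIGNATURES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        return false;                       // header bytes disagree with extension
    }
    if (isset(IMAGE_TYPES[$ext])) {
        $info = @getimagesize($tmpPath);    // must decode as the claimed image type
        return $info !== false && $info[2] === IMAGE_TYPES[$ext];
    }
    return true;
}
```

Call it on the temporary file before move_uploaded_file(), and store the accepted file under a server-generated name in a directory where the web server executes nothing.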
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Other types

Post by alex.barylski »

d11wtq wrote:
tarnus wrote:In situations where you allow other file types to be uploaded such as pdfs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
If this is a CMS you could provide the *option* to set the file types that are allowed and then check the header bytes for those types... I don't believe the overhead would be huge and it only happens when uploading a file so it's not like it's being done in a loop on every page load or anything.
Again...good in theory...but not practical...

How many files could a user potentially upload? Almost infinite...that's why I chose to use an extension check...

writing a custom header check...for every known file...or possible file...it's just not practical...

One alternative might be to use the reverse of what I have now...in that the upload script checks to see if file is potentially a PHP script and if so...exit...

But that's using the principle of most privilege...and I personally prefer the opposite...

I still think that controlling which files are executed by PHP or Perl is the way to go...problem is...on shared hosts...I'm not sure I can control those settings :(

Cheers :)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Weirdan wrote:Unlike what others said, I would recommend storing uploaded files in a special dir (like myhost.com/uploads/) and putting a .htaccess file there with a RemoveType (or RemoveHandler) directive inside to prevent php execution in that specific dir.
Well the problem is...

My file manager is tightly integrated with the WYSIWYG editor...so files are uploaded into directories, etc for a reason...

Images included in web pages, etc...

I also want to let people have the power of uploading PHP scripts, like PHPBB via an online FORM or a ZIP file...

Basically it's a web based file manager...which works like Explorer: when you click on files appropriate editors are loaded, etc,...

That's why I chose not to store files in a DB or protected directory...
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Well, you contradict yourself. You wanted people to upload php files:
Hockey wrote:I also want to let people have the power of uploading PHP scripts
and then you complain they did. :/