Overriding php.ini= your security is disabled

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Overriding php.ini= your security is disabled

Post by kdman »

We all have a custome security changes for our server php.ini like safemode and disable_functions ... etc.

But what if the hacker just create a php.ini file in the hacked dir?
like this:
php.ini content :
safe_mode = Off
disable_functions =
safe_mode_gid = Off
open_basedir = Off

So he just say bye bye to your server security :D

Any suggestions?
I have more info about this and one hackable Solution :(
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Re: [Security Hole]Overriding php.ini= your security is disabled

Post by John Cartwright »

I have no idea what the purpose of your post was.

Firstly, if the users are able to arbitrarily able to upload php.ini onto your server, your server is already compromised. Who cares if they can edit your php.ini if they have control of your server.. the battle is already lost.

So what is your question?
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: [Security Hole]Overriding php.ini= your security is disabled

Post by Christopher »

If your server is hacked to the point where they can overwrite your php.ini file then you can certainly "just say bye bye to your server security".

Are you on shared hosting where you have a local php.ini or something?
(#10850)
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

Ok let's do it step by step:
1 - your customer have a website on ur server.
2 - your customer have a bad secript on his website.
3 - some hacker hack the customer website.
4 - the hacker can't hack the server because of your PHP security.
5 - the hacker create a local php.ini in the hack script directory.
6 - the hacker now had none of function disabled and start to use exec(), system() ... etc.
7 - your whole server had been hacked .
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Overriding php.ini= your security is disabled

Post by Christopher »

kdman wrote:5 - the hacker create a local php.ini in the hack script directory.
There is only one php.ini file on a system. It is usually somewhere like '/usr/local/lib/php.ini' or '/etc/php.ini'. So putting a php.ini in a web documents directory will do nothing. Did you try it?
(#10850)
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

quote from http://www.php.net/configuration
php.ini is searched in these locations (in order):

SAPI module specific location (PHPIniDir directive in Apache 2, -c command line option in CGI and CLI, php_ini parameter in NSAPI, PHP_INI_PATH environment variable in THTTPD)

The PHPRC environment variable. Before PHP 5.2.0 this was checked after the registry key mentioned below.

As of PHP 5.2.0, the following registry locations are searched in order: HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y.z\IniFilePath, HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y\IniFilePath and HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x\IniFilePath, where x, y and z mean the PHP major, minor and release versions.

HKEY_LOCAL_MACHINE\SOFTWARE\PHP\IniFilePath (Windows Registry location)

Current working directory (except CLI)

The web server's directory (for SAPI modules), or directory of PHP (otherwise in Windows)

Windows directory (C:\windows or C:\winnt) (for Windows), or --with-config-file-path compile time option
And yes i had tried, DO YOU?
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Overriding php.ini= your security is disabled

Post by Weirdan »

kdman wrote:And yes i had tried, DO YOU?
There are some mitigation factors you did not mention:
1) php.ini file is read only on php (webserver if you use mod_php) startup
2) On startup Apache changes current working directory to root. (which is stated in PHP manual, btw).

Thus in the most common scenario (Apache + mod_php, root folder is not writable by ordinary user) it doesn't seem to cause any security problems. If you use cgi version of PHP or some other webserver - then maybe.
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

Weirdan wrote:
kdman wrote:And yes i had tried, DO YOU?
There are some mitigation factors you did not mention:
1) php.ini file is read only on php (webserver if you use mod_php) startup
2) On startup Apache changes current working directory to root. (which is stated in PHP manual, btw).

Thus in the most common scenario (Apache + mod_php, root folder is not writable by ordinary user) it doesn't seem to cause any security problems. If you use cgi version of PHP or some other webserver - then maybe.
Thanks for this answer and I know that must be a solution.
Now a very silly question : how can I be sure if my PHP was Apache module or cgi?

Thanks :wink:
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Overriding php.ini= your security is disabled

Post by Christopher »

kdman wrote:And yes i had tried, DO YOU?
I am not the one asking for a free answer to a problem. There is no reason to be rude. It is assumed here that you will first try it before asking a question.

You can usually tell CGI by the URLs:

http://www.php.net/manual/en/security.cgi-bin.php
(#10850)
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

arborint wrote:
kdman wrote:And yes i had tried, DO YOU?
I am not the one asking for a free answer to a problem. There is no reason to be rude. It is assumed here that you will first try it before asking a question.

You can usually tell CGI by the URLs:

http://www.php.net/manual/en/security.cgi-bin.php
Sorry, My fault :mrgreen:
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

I had WHM 11, PHP-CGI 5.2.5, apache 2.0
But the local php.ini still work :?
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Overriding php.ini= your security is disabled

Post by Christopher »

Have you checked these values in the Windows Registry?

HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y.z\IniFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y\IniFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x\IniFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\PHP\IniFilePath

If you define one of those, and have a php.ini in that path, then php.ini will be found before it gets to the current working directory.
(#10850)
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

That'll be a lovely fix if i using windows.

while this fix is not availble in Linus server, I had set the PHPRC env but the hacker still able to hack via .htaccess file (I hate this files but I need them :( )

Am I the only one have this hole?
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Overriding php.ini= your security is disabled

Post by Christopher »

kdman wrote:Am I the only one have this hole?
No ... but there are 1,000,000s of holes like this that can happen IF your system is hacked. The solution is to prevent your system from being hacked. It would be better to spend your time auditing your system than on this.
(#10850)
kdman
Forum Newbie
Posts: 17
Joined: Sat Feb 09, 2008 5:52 pm

Re: Overriding php.ini= your security is disabled

Post by kdman »

The solution is to prevent your system from being hacked. It would be better to spend your time auditing your system than on this.
while I can't prevent users to use the open source scripts (witch normally have a hole), then my best priority is to secure the server not the web sites, every one responsible on his hole but I can't allow to hack another users on the server.

Anyway, I guess cPanel had note this problem or security hole, and they now provide a new option in Apache builder, it's called Safe PHP CGI, and the description of it was : perevent users from overriding the system php.ini
But I think it's not stable yet, because it didn't work :(

I think it'll soon fixed, until that I'll pray to never lose the server if some hacker come by
Post Reply