
Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 6:11 pm
by kdman
We all have custom security changes for our server php.ini like safe_mode and disable_functions ... etc.

But what if the hacker just creates a php.ini file in the hacked dir?
like this:
php.ini content :
safe_mode = Off
disable_functions =
safe_mode_gid = Off
open_basedir = Off

So he just says bye bye to your server security :D

Any suggestions?
I have more info about this and one hackable Solution :(

Re: [Security Hole]Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 6:16 pm
by John Cartwright
I have no idea what the purpose of your post was.

Firstly, if the users are able to arbitrarily upload php.ini onto your server, your server is already compromised. Who cares if they can edit your php.ini if they have control of your server... the battle is already lost.

So what is your question?

Re: [Security Hole]Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 6:18 pm
by Christopher
If your server is hacked to the point where they can overwrite your php.ini file then you can certainly "just say bye bye to your server security".

Are you on shared hosting where you have a local php.ini or something?

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 6:42 pm
by kdman
Ok let's do it step by step:
1 - your customer has a website on your server.
2 - your customer has a bad script on his website.
3 - some hacker hacks the customer website.
4 - the hacker can't hack the server because of your PHP security.
5 - the hacker creates a local php.ini in the hack script directory.
6 - the hacker now has no functions disabled and starts to use exec(), system() ... etc.
7 - your whole server has been hacked.

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 7:03 pm
by Christopher
kdman wrote:5 - the hacker create a local php.ini in the hack script directory.
There is only one php.ini file on a system. It is usually somewhere like '/usr/local/lib/php.ini' or '/etc/php.ini'. So putting a php.ini in a web documents directory will do nothing. Did you try it?

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 7:23 pm
by kdman
quote from http://www.php.net/configuration
php.ini is searched in these locations (in order):

SAPI module specific location (PHPIniDir directive in Apache 2, -c command line option in CGI and CLI, php_ini parameter in NSAPI, PHP_INI_PATH environment variable in THTTPD)

The PHPRC environment variable. Before PHP 5.2.0 this was checked after the registry key mentioned below.

As of PHP 5.2.0, the following registry locations are searched in order: HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y.z\IniFilePath, HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y\IniFilePath and HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x\IniFilePath, where x, y and z mean the PHP major, minor and release versions.

HKEY_LOCAL_MACHINE\SOFTWARE\PHP\IniFilePath (Windows Registry location)

Current working directory (except CLI)

The web server's directory (for SAPI modules), or directory of PHP (otherwise in Windows)

Windows directory (C:\windows or C:\winnt) (for Windows), or --with-config-file-path compile time option
And yes I had tried, DO YOU?

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 7:47 pm
by Weirdan
kdman wrote:And yes i had tried, DO YOU?
There are some mitigation factors you did not mention:
1) php.ini file is read only on php (webserver if you use mod_php) startup
2) On startup Apache changes current working directory to root. (which is stated in PHP manual, btw).

Thus in the most common scenario (Apache + mod_php, root folder is not writable by ordinary user) it doesn't seem to cause any security problems. If you use cgi version of PHP or some other webserver - then maybe.

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 7:58 pm
by kdman
Weirdan wrote:
kdman wrote:And yes i had tried, DO YOU?
There are some mitigation factors you did not mention:
1) php.ini file is read only on php (webserver if you use mod_php) startup
2) On startup Apache changes current working directory to root. (which is stated in PHP manual, btw).

Thus in the most common scenario (Apache + mod_php, root folder is not writable by ordinary user) it doesn't seem to cause any security problems. If you use cgi version of PHP or some other webserver - then maybe.
Thanks for this answer and I know that must be a solution.
Now a very silly question : how can I be sure if my PHP was Apache module or cgi?

Thanks :wink:

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 8:13 pm
by Christopher
kdman wrote:And yes i had tried, DO YOU?
I am not the one asking for a free answer to a problem. There is no reason to be rude. It is assumed here that you will first try it before asking a question.

You can usually tell CGI by the URLs:

http://www.php.net/manual/en/security.cgi-bin.php

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 8:17 pm
by kdman
arborint wrote:
kdman wrote:And yes i had tried, DO YOU?
I am not the one asking for a free answer to a problem. There is no reason to be rude. It is assumed here that you will first try it before asking a question.

You can usually tell CGI by the URLs:

http://www.php.net/manual/en/security.cgi-bin.php
Sorry, my fault :mrgreen:

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 8:51 pm
by kdman
I had WHM 11, PHP-CGI 5.2.5, Apache 2.0
But the local php.ini still works :?

Re: Overriding php.ini= your security is disabled

Posted: Sat Feb 09, 2008 9:35 pm
by Christopher
Have you checked these values in the Windows Registry?

HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y.z\IniFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x.y\IniFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\PHP\x\IniFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\PHP\IniFilePath

If you define one of those, and have a php.ini in that path, then php.ini will be found before it gets to the current working directory.

Re: Overriding php.ini= your security is disabled

Posted: Sun Feb 10, 2008 10:19 am
by kdman
That'll be a lovely fix if I am using Windows.

While this fix is not available on a Linux server, I had set the PHPRC env but the hacker is still able to hack via .htaccess file (I hate these files but I need them :( )

Am I the only one who has this hole?

Re: Overriding php.ini= your security is disabled

Posted: Sun Feb 10, 2008 12:48 pm
by Christopher
kdman wrote:Am I the only one have this hole?
No ... but there are 1,000,000s of holes like this that can happen IF your system is hacked. The solution is to prevent your system from being hacked. It would be better to spend your time auditing your system than on this.

Re: Overriding php.ini= your security is disabled

Posted: Tue Feb 12, 2008 4:41 pm
by kdman
The solution is to prevent your system from being hacked. It would be better to spend your time auditing your system than on this.
While I can't prevent users from using the open source scripts (which normally have a hole), my best priority is to secure the server, not the web sites. Everyone is responsible for his own hole, but I can't allow another user on the server to be hacked.

Anyway, I guess cPanel had noted this problem or security hole, and they now provide a new option in Apache builder, it's called Safe PHP CGI, and the description of it was: prevent users from overriding the system php.ini
But I think it's not stable yet, because it didn't work :(

I think it'll soon be fixed; until then I'll pray to never lose the server if some hacker comes by
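
An added example, not written by any poster in this thread: a Python audit for the shared-hosting case discussed above, which walks a document root and reports every local php.ini that relaxes the directives shown in the first post. The function names, the watched-directive set and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile

# Directives relaxed by the php.ini shown in the first post (assumed watch list).
WATCHED = {"safe_mode", "safe_mode_gid", "disable_functions", "open_basedir"}
WEAK_VALUES = {"", "off", "0", "no", "false", "none"}

def parse_ini(text):
    """Parse 'key = value' lines; skip ';' comments and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit_docroot(docroot):
    """Return sorted (relative path, directive, value) for each weakening override."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in (f for f in files if f.lower() == "php.ini"):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                settings = parse_ini(fh.read())
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            for key in WATCHED & settings.keys():
                if settings[key].lower() in WEAK_VALUES:
                    findings.append((rel, key, settings[key]))
    return sorted(findings)

def demo():
    """Build a constructed two-site tree and audit it."""
    samples = {  # constructed sample files, not taken from a real server
        "site1/uploads/php.ini": "safe_mode = Off\ndisable_functions =\n"
                                 "safe_mode_gid = Off\nopen_basedir = Off\n",
        "site2/php.ini": "; legitimate tuning\nupload_max_filesize = 8M\n"
                         "open_basedir = /home/site2\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_docroot(root)

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the customers' document roots, a non-empty result is a signal to inspect that account; it only matters where PHP actually reads a php.ini from the working directory, as with the CGI setup described in the thread.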