HTF???

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

HTF???

Post by alex.barylski »

r57shell

What do you know about this application?

It was used to hack my CMS demo I have online... :?

I restricted file uploads to *media only* files and somehow someone used the above mentioned program to upload a PHP script such as...

somefile.php.gif

Does this depend on my server settings?

If a file has the extension GIF, should it not be interpreted on the server as such???

Being sent as garbage back to the browser as it's not really a GIF file in format???

Thankfully...it was on a test server and no sensitive data was exposed...but they could potentially use this again to perform attacks...so I think I'm gonna have to shut down the demo for the time being :P

What Apache setting is responsible for letting a GIF file execute as PHP code???

Cheers :)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Well I know how he got the file uploaded...

It was as simple as naming the file with a GIF extension...

Is there an Apache or PHP setting which forces only scripts that end in *PHP* to execute???

I assumed this was the default...clearly I was wrong... :oops:
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I test all uploaded images with get_image_size and chmod immediately after upload with the script for this reason.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

I'd like to know which setting is responsible for this...

As, despite my misfortune :P

I still don't consider it a security flaw in my app...if ONLY php scripts executed and nothing else...which I blindly assumed :P everything would be fine...

But yea...I might just have to check file sigs from now on :)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Astion's solution is fairly standard - getimagesize() returns false if the image is not found valid. A file upload is user input - hence you filter it and don't believe the file extension ;). I suggest reading up on the area - take a few hours out. You'll never get to grips with file upload security until you do.

The file was a PHP shell script which has been doing the rounds for a few months. I have multiple copies disguised as GIFs or other files which have been uploaded onto my server - I don't error out on such infections since they're all caught and quarantined for my personal reading list...;). There are dozens of these floating around. Some are pretty complex, some are like bots which focus on specific changes. For example there was a Serendipity script floating around a while back which took advantage of the recommended 777 chmod on directories to write dozens of HTTP redirects into .htaccess files, and create new PHP scripts with obscured popup code which created popup pr0n adverts...

I would suggest it's a security flaw. My reasoning being your settings are probably not isolated out there on the internet and you did not verify the file was a valid image GIF.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Fix your application before fixing apache if you're trying to sell it.

The apache setting you're looking for is AddHandler.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Here's the thing...and the reason I don't consider it a *flaw*

It's a generic file manager...so checking if a file is a GIF or a PDF is pointless...cuz they could just rename the file to somefile.php.mpg or whatever...

Checking the file headers is out of the question...

I was aware of the security risks...but my mistake was assuming only PHP scripts executed when they had the extension PHP or INC

For this reason, I need to know the setting required to prevent *anything* but PHP scripts from executing...

This way...so long as I prevent uploading of PHP scripts...I should be ok...

Cheers :)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

d11wtq wrote: Fix your application before fixing apache if you're trying to sell it.

The apache setting you're looking for is AddHandler.

AddHandler eh :)

Cool thanks...I'll look into it :)

How does a LAMP install work by default???

I mean...how did Apache know to send the file to PHP for processing...does it send every file to PHP? That doesn't make sense at all...

Does it auto-detect the file...checking for <??> and then send it to PHP???

That doesn't make sense either...

How did Apache know to send the somefile.php.gif to PHP - does it send any text file to PHP???

AddHandler, I recognize as an Apache directive...but wouldn't there be a PHP setting as well which determines which extensions get executed???

Cheers :)
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

but wouldn't there be a PHP setting as well which determines which extensions get executed???

No. PHP dutifully interprets any input passed to it by the web server.
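The mechanism behind Chris Corbyn's AddHandler hint and Weirdan's answer, shown as an added configuration example that is not from anyone in this thread. It assumes a mod_php setup; the handler name, paths and extension list are assumptions and will differ between PHP and Apache versions.

```apache
# Added example, not configuration from this thread. Handler name, paths and
# extensions are assumptions for a mod_php install; adapt them to yours.

# 1. The historic recommendation. mod_mime looks at *every* dotted suffix of a
#    file name, so "somefile.php.gif" gets the PHP handler from ".php" and only
#    the MIME type from ".gif". The handler wins and the file is run by PHP,
#    which explains what the original poster saw.
#AddHandler application/x-httpd-php .php

# 2. Tie the handler to the *final* extension instead. Only names that end in
#    ".php" reach the PHP engine; "somefile.php.gif" is served as plain bytes
#    with type image/gif, i.e. a broken image, which is what was expected.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# 3. Defence in depth for the directory that receives uploads: even if a name
#    ending in ".php" ever lands here, nothing in it is executed, and an
#    uploaded .htaccess cannot switch execution back on.
<Directory "/var/www/html/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml .phar
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
```

Part 3 is the setting the original poster was asking for, but it only closes the "which extensions execute" question; it does nothing about a file manager that stores attacker-chosen names, so it belongs alongside content checks in the application, not instead of them.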
Chonk
Forum Newbie
Posts: 24
Joined: Fri May 28, 2004 3:58 am

Post by Chonk »

I had a quick look over the script and it just acts as an interface to make it simpler to exploit the system further.
The fact that it's on the system means that your code had a hole that allowed it to be uploaded; you may be lucky and your system may actually be quite secure and patched. It's still worth some investigation though.

Here is the link for those that are interested :
http://rst.void.ru/download/r57shell.txt
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

It appears to be written pretty well.
tarnus
Forum Newbie
Posts: 6
Joined: Wed Jan 14, 2004 10:09 am

Mime type

Post by tarnus »

Couldn't you detect the type of file based on the MIME type when the file was uploaded?

Something like this:

// Checks only the Content-Type the uploading client declared for the file.
// $_FILES is the current name of the old $HTTP_POST_FILES array.
$type = $_FILES['file']['type'];
if ($type != "image/gif" AND $type != "image/pjpeg" AND $type != "image/jpeg") {
  $error = "This file type is not allowed";
  unlink($_FILES['file']['tmp_name']);
} else {
   //the file is the correct format
}
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The MIME type is supplied by the user uploading, therefore easily faked. Not a good idea to blindly accept it.
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Just use getimagesize to detect the image type. It works and if you are accepting images and NOT using this then it really is a security flaw.

You should be using that to detect the image type and if the image type doesn't match the extension used then the uploaded data should be discarded.
PHP manual in GetImageSize wrote: Returns an array with 4 elements. Index 0 contains the width of the image in pixels. Index 1 contains the height. Index 2 is a flag indicating the type of the image: 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF(intel byte order), 8 = TIFF(motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM.
tarnus
Forum Newbie
Posts: 6
Joined: Wed Jan 14, 2004 10:09 am

Other types

Post by tarnus »

In situations where you allow other file types to be uploaded such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
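A validation routine that pulls together the advice in this thread (Benjamin's getimagesize() and chmod step, AKA Panama Jack's rule that the detected image type must match the extension, and the question just above about PDFs and text files), written as an added example for this page rather than code from any poster. It assumes PHP 7.1 or later with the fileinfo extension, a form field named file, and a placeholder storage directory outside the web root.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Assumes PHP >= 7.1 with the fileinfo extension; paths are placeholders.
declare(strict_types=1);

// Whitelist: the extension we store under => MIME types detected from the bytes.
const ALLOWED_TYPES = [
    'gif' => ['image/gif'],
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'pdf' => ['application/pdf'],
    'txt' => ['text/plain'],
];

// Directory outside the document root: Apache never serves it directly,
// so nothing stored here can be executed by a request, whatever its name.
const UPLOAD_DIR = '/var/www/uploads_private';   // placeholder path

/**
 * Detect the type of an uploaded file from its contents, never from the
 * client-supplied name or from $_FILES['file']['type'].
 * Returns the whitelist extension, or null if the content is not allowed.
 */
function detectAllowedType(string $path): ?string
{
    // Images: getimagesize() parses the real header and returns false on garbage.
    $info = @getimagesize($path);
    if ($info !== false) {
        switch ($info[2]) {
            case IMAGETYPE_GIF:  return 'gif';
            case IMAGETYPE_JPEG: return 'jpg';
            case IMAGETYPE_PNG:  return 'png';
            default:             return null;   // other image formats not accepted
        }
    }
    // Everything else: let libmagic classify the leading bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    foreach (ALLOWED_TYPES as $ext => $mimes) {
        if (in_array($mime, $mimes, true)) {
            return $ext;
        }
    }
    return null;
}

/**
 * Validate one entry of $_FILES and store it. Returns the stored name, or throws.
 */
function storeUpload(array $upload): string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not an HTTP upload');
    }

    $ext = detectAllowedType($upload['tmp_name']);
    if ($ext === null) {
        unlink($upload['tmp_name']);
        throw new RuntimeException('File content is not an allowed type');
    }

    // The client's extension must agree with the detected type, so a name like
    // "somefile.php.gif" is refused unless the bytes really are a GIF, and even
    // then the original name is never used for the stored file (see below).
    $claimed = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if ($claimed === 'jpeg') {
        $claimed = 'jpg';
    }
    if ($claimed !== $ext) {
        unlink($upload['tmp_name']);
        throw new RuntimeException("Extension .$claimed does not match detected type $ext");
    }

    // Server-chosen name: random token plus the whitelisted extension. No part
    // of the user-supplied name reaches the filesystem, so ".php" cannot sneak in.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload into storage');
    }
    chmod($dest, 0644);   // data, not an executable
    return $stored;
}

// Usage (form field named "file"):
// $name = storeUpload($_FILES['file']);
```

Two caveats worth keeping in mind. Content detection answers "is this a GIF/PDF/text file", not "is there a PHP payload appended after a valid image header", so the server-chosen name, the directory outside the web root and the Apache-side handler restriction are what stop execution, and the content check is what stops obvious junk. And current libmagic reports PHP source as text/x-php rather than text/plain, which is why the text whitelist above does not admit a script renamed to .txt, but that is a property of the magic database, not a guarantee; files from this directory should be served through a small download script that sets Content-Disposition: attachment and X-Content-Type-Options: nosniff rather than by linking to them directly.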