PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours




 Post subject: HTF???
PostPosted: Sun Jun 25, 2006 11:01 pm 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
r57shell

What do you know about this application?

It was used to hack my CMS demo I have online... :?

I restricted file uploads to *media only* files and somehow someone used the above mentioned program to upload a PHP script such as...

somefile.php.gif

Does this depend on my server settings?

If a file has the extension GIF should it not be interpreted on the server as such???

Being sent as garbage back to the browser as it's not really a GIF file in format???

Thankfully...it was on a test server and no sensitive data was exposed...but they could potentially use this again to perform attacks...so I think I'm gonna have to shut down the demo for the time being :P

What Apache setting is responsible for letting a GIF file execute as PHP code???

Cheers :)


 Post subject:
PostPosted: Sun Jun 25, 2006 11:11 pm 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
Well I know how he got the file uploaded...

It was as simple as naming the file with a GIF extension...

Is there an Apache or PHP setting which forces only scripts that end in *PHP* to execute???

I assumed this was the default...clearly I was wrong... :oops:


 Post subject:
PostPosted: Sun Jun 25, 2006 11:16 pm 
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6883
I test all uploaded images with get_image_size and chmod immediately after upload with the script for this reason.

 Post subject:
PostPosted: Sun Jun 25, 2006 11:20 pm 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
I'd like to know which setting is responsible for this...

As, despite my misfortune :P

I still don't consider it a security flaw in my app...if ONLY php scripts executed and nothing else...which I blindly assumed :P everything would be fine...

But yeah...I might just have to check file sigs from now on :)


 Post subject:
PostPosted: Mon Jun 26, 2006 3:07 am 
DevNet Master

Joined: Tue Nov 02, 2004 6:43 am
Posts: 2704
Location: Ireland
Astion's solution is fairly standard - getimagesize() returns false if the image is not valid. A file upload is user input - hence you filter it and don't believe the file extension ;). I suggest reading up on the area - take a few hours out. You'll never get to grips with file upload security until you do.

The file was a PHP shell script which has been doing the rounds for a few months. I have multiple copies disguised as GIFs or other files which have been uploaded onto my server - I don't error out on such infections since they're all caught and quarantined for my personal reading list...;). There are dozens of these floating around. Some are pretty complex, some are like bots which focus on specific changes. For example there was a Serendipity script floating around a while back which took advantage of the recommended 777 chmod on directories to write dozens of HTTP redirects into .htaccess files, and create new PHP scripts with obscured popup code which created popup pr0n adverts...

I would suggest it's a security flaw. My reasoning being your settings are probably not isolated out there on the internet and you did not verify the file was a valid image GIF.


 Post subject:
PostPosted: Mon Jun 26, 2006 3:51 am 
Breakbeat Nuttzer

Joined: Wed Mar 24, 2004 8:57 am
Posts: 13098
Location: Melbourne, Australia
Fix your application before fixing Apache if you're trying to sell it.

The Apache setting you're looking for is AddHandler.


 Post subject:
PostPosted: Mon Jun 26, 2006 6:42 am 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
Here's the thing...and the reason I don't consider it a *flaw*

It's a generic file manager...so checking if a file is a GIF or a PDF is pointless...cuz they could just rename the file to somefile.php.mpg or whatever...

Checking the file headers is out of the question...

I was aware of the security risks...but my mistake was assuming only PHP scripts executed when they had the extension PHP or INC

For this reason, I need to know the setting required to prevent *anything* but PHP scripts from executing...

This way...so long as I prevent uploading of PHP scripts...I should be ok...

Cheers :)


 Post subject:
PostPosted: Mon Jun 26, 2006 6:54 am 
DevNet Evangelist

Joined: Tue Dec 21, 2004 6:00 pm
Posts: 6267
Location: Winnipeg
d11wtq wrote:
Fix your application before fixing Apache if you're trying to sell it.

The Apache setting you're looking for is AddHandler.


AddHandler eh :)

Cool thanks...I'll look into it :)

How does a LAMP install work by default???

I mean...how did Apache know to send the file to PHP for processing...does it send every file to PHP? That doesn't make sense at all...

Does it auto-detect the file...checking for <??> and then send it to PHP???

That doesn't make sense either...

How did Apache know to send the somefile.php.gif to PHP - does it send any text file to PHP???

AddHandler, I recognize as an Apache directive...but wouldn't there be a PHP setting as well which determines which extensions get executed???

Cheers :)


 Post subject:
PostPosted: Mon Jun 26, 2006 7:44 am 
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Quote:
but wouldn't there be a PHP setting as well which determines which extensions get executed???

No. PHP dutifully interprets any input passed to it by the web server.
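An added example in PHP, not code from this thread or from the CMS being discussed, that ties the replies above together: it models what Apache's mod_mime does with a multi-extension name such as somefile.php.gif under AddHandler versus a FilesMatch-scoped SetHandler, and then shows an upload check in the spirit of the getimagesize() advice that decides the file type from the bytes rather than from the name. The function names, the storage directory and the allowed image types are assumptions; the Apache directives in the comments are standard mod_php configuration, not settings taken from this thread.

```php
<?php
// Added example (not from the thread). Models Apache's multi-extension
// handling and shows an upload check that does not trust the extension.
// Function names, paths and the allow-list are assumptions.

// With "AddHandler application/x-httpd-php .php", mod_mime treats EVERY
// dot-separated component after the base name as an extension, so
// "somefile.php.gif" carries the extensions "php" and "gif" and the PHP
// handler is applied to it. Scoping the handler to names that END in
// .php (and dropping the AddHandler line) closes that:
//   <FilesMatch "\.php$">
//       SetHandler application/x-httpd-php
//   </FilesMatch>
// In the upload directory itself, "php_flag engine off" is a second layer.

/** Components of a filename that mod_mime would treat as extensions. */
function mod_mime_extensions(string $filename): array
{
    $parts = explode('.', basename($filename));
    array_shift($parts);               // the first part is the base name
    return array_map('strtolower', $parts);
}

/** True if, under "AddHandler ... .php", Apache would hand the file to PHP. */
function addhandler_runs_php(string $filename): bool
{
    return in_array('php', mod_mime_extensions($filename), true);
}

/** True if, under <FilesMatch "\.php$">, Apache would hand the file to PHP. */
function filesmatch_runs_php(string $filename): bool
{
    return (bool) preg_match('/\.php$/i', $filename);
}

// Image types getimagesize() reports in index 2 (the IMAGETYPE_* constants,
// 1 = GIF, 2 = JPEG, 3 = PNG) and the single extension each may carry.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name in
 * $storeDir (assumed to lie outside the document root).
 * Returns the stored path, or null if the upload is rejected.
 */
function store_uploaded_image(array $file, string $storeDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                   // not a file PHP itself received
    }

    // Exactly one extension: a name like "x.php.gif" is rejected outright.
    $exts = mod_mime_extensions($file['name']);
    if (count($exts) !== 1) {
        return null;
    }

    // Decide the type from the bytes, never from $file['type'] or the name.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }
    $ext = ALLOWED_IMAGE_TYPES[$info[2]];
    if ($exts[0] !== $ext && !($ext === 'jpg' && $exts[0] === 'jpeg')) {
        return null;                   // content and extension disagree
    }

    // Random server-chosen name; the client's name never reaches the disk.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);                // readable, never executable
    return $dest;
}

// Compare the two handler models on the name from the thread.
var_dump(addhandler_runs_php('somefile.php.gif'));
var_dump(filesmatch_runs_php('somefile.php.gif'));

// Assumed usage from an upload form with a field named "upload":
//   $path = store_uploaded_image($_FILES['upload'], '/var/uploads');
```

The two var_dump calls show the difference that matters for this thread: the same name is handed to PHP under the AddHandler configuration and not under the FilesMatch one. The storage function is independent of that: even on a server where the handler is already scoped correctly, it still refuses multi-extension names, checks the content with getimagesize(), renames the file, and clears the execute bit.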


 Post subject:
PostPosted: Mon Jun 26, 2006 1:10 pm 
Forum Newbie

Joined: Fri May 28, 2004 3:58 am
Posts: 24
I had a quick look over the script and it just acts as an interface to make it simpler to exploit the system further.
The fact that it's on the system means that your code had a hole that allowed it to be uploaded. You may be lucky and your system may actually be quite secure and patched. It's still worth some investigation though.

Here is the link for those that are interested :
http://rst.void.ru/download/r57shell.txt


 Post subject:
PostPosted: Mon Jun 26, 2006 1:26 pm 
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6883
It appears to be written pretty well.

 Post subject: Mime type
PostPosted: Mon Jun 26, 2006 3:01 pm 
Forum Newbie

Joined: Wed Jan 14, 2004 11:09 am
Posts: 6
Couldn't you detect the type of file based on the MIME type when the file was uploaded?

Something like this:

// $_FILES is the current name of the old $HTTP_POST_FILES array;
// the 'type' element is the Content-Type the client sent with the upload.
if ($_FILES['file']['type'] != "image/gif"
    AND $_FILES['file']['type'] != "image/pjpeg"
    AND $_FILES['file']['type'] != "image/jpeg") {
    $error = "This file type is not allowed";
    unlink($_FILES['file']['tmp_name']);
} else {
    // the file is the correct format
}


 Post subject:
PostPosted: Mon Jun 26, 2006 3:02 pm 
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
The MIME type is supplied by the user uploading, therefore easily faked. Not a good idea to blindly accept it.


 Post subject:
PostPosted: Mon Jun 26, 2006 3:06 pm 
Forum Regular

Joined: Mon Nov 14, 2005 5:21 pm
Posts: 878
Just use getimagesize to detect the image type. It works and if you are accepting images and NOT using this then it really is a security flaw.

You should be using that to detect the image type and if the image type doesn't match the extension used then the uploaded data should be discarded.

PHP manual in GetImageSize wrote:
Returns an array with 4 elements. Index 0 contains the width of the image in pixels. Index 1 contains the height. Index 2 is a flag indicating the type of the image: 1 = GIF, 2 = JPG, 3 = PNG, 4 = SWF, 5 = PSD, 6 = BMP, 7 = TIFF(intel byte order), 8 = TIFF(motorola byte order), 9 = JPC, 10 = JP2, 11 = JPX, 12 = JB2, 13 = SWC, 14 = IFF, 15 = WBMP, 16 = XBM.


 Post subject: Other types
PostPosted: Mon Jun 26, 2006 3:06 pm 
Forum Newbie

Joined: Wed Jan 14, 2004 11:09 am
Posts: 6
In situations where you allow other file types to be uploaded such as PDFs and text files, you couldn't use getimagesize for those file types... How would you then prevent it from happening for them?
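An added example in PHP, not code posted in this thread, for the question just asked and for the MIME-type snippet earlier in the thread: instead of reading $_FILES['file']['type'], which is whatever Content-Type the client chose to send, it derives the type from the bytes on disk with the finfo extension (libmagic) and so also covers PDF and plain-text uploads, which getimagesize() cannot. It assumes the finfo extension is loaded; the allow-list, the script-extension list and the function names are assumptions.

```php
<?php
// Added example (not from the thread). Decides an uploaded file's type from
// its content via finfo/libmagic instead of the client-supplied
// $_FILES['file']['type']. Assumes ext/fileinfo is available; the lists
// below are assumptions, not the thread's own policy.

// Content type as reported by libmagic => the only extension it may carry.
const ALLOWED_TYPES = [
    'image/gif'       => 'gif',
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
    'text/plain'      => 'txt',
];

// Components that must never appear anywhere in a stored name, whatever the
// content looks like: a server configured with AddHandler would run them.
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'phar', 'inc', 'cgi', 'pl'];

/** Content-derived MIME type of a file on disk, or null if undetectable. */
function sniff_mime_type(string $path): ?string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo === false) {
        return null;
    }
    $type = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $type === false ? null : $type;
}

/**
 * Returns the extension the file should be stored under, or null if the
 * upload must be rejected. $clientName is the untrusted original name.
 */
function accepted_extension(string $tmpPath, string $clientName): ?string
{
    $parts = array_map('strtolower', explode('.', basename($clientName)));
    array_shift($parts);               // drop the base name

    // Any script-like component anywhere in the name is an immediate reject.
    if (array_intersect($parts, SCRIPT_EXTENSIONS) !== []) {
        return null;
    }

    $type = sniff_mime_type($tmpPath);
    if ($type === null || !isset(ALLOWED_TYPES[$type])) {
        return null;                   // includes text/x-php for a file starting with <?php
    }
    $ext = ALLOWED_TYPES[$type];

    // libmagic reports a leading "<?php" as text/x-php, but a PHP tag buried
    // after other text comes back as text/plain, so for text uploads refuse
    // anything that contains a PHP open tag at all.
    if ($type === 'text/plain' && preg_match('/<\?/', file_get_contents($tmpPath))) {
        return null;
    }

    // The last component must agree with the sniffed type.
    $last = end($parts);
    if ($last === false || ($last !== $ext && !($ext === 'jpg' && $last === 'jpeg'))) {
        return null;
    }
    return $ext;
}

// Assumed usage from a form field named "upload"; the file is then moved
// with move_uploaded_file() under a random name into a directory outside
// the document root and chmod'ed to 0644:
//   $ext = accepted_extension($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
//   if ($ext === null) { /* reject the upload */ }
```

The ordering is deliberate: the name is screened for script-like components before any content check, because a server that still runs "anything with .php in the name" makes the content irrelevant; only then is the type taken from libmagic and required to agree with the last extension. This answers the PDF and text-file case in the same way the getimagesize() advice handles images: the client's claimed type is never consulted.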

