digip Posted August 6, 2008

If the admins want to remove this or edit for content purposes, I understand, but please let me know so maybe we can reword it and leave out the actual code if you think it is too much for the forums. I will totally understand. First off, I want to make sure you understand that I do not intend to post this with people using it to disrupt any services, hosting or sites you may want to target. This is a full disclosure of something I have found from just playing with a few of my own machines, my website and friends' websites. It is so you can better understand what level of security your host or webserver has set up and is only intended for practical, educational purposes. DO NOT BE A DICK AND TRY THIS AGAINST SOMEONE'S SITE, EITHER BY XSS OR UPLOAD SCRIPT EXPLOITATION. Please be an adult and responsible with how you use this info.

By default on a lot of web hosting systems PHP is usually mismanaged, with permissions given to PHP at an almost root level. I wanted to test my site to see what it would allow me to peek at, change, execute, and was glad to see that Dreamhost blocks a lot of commands, as well as keeps path traversal reserved for root users, and not normal users who host sites with them. This keeps people from browsing other users' files which may have info you normally wouldn't see from the browser, or even know was there. I also help design web pages for a few friends and have access to their hosting accounts, so I tried this on several different servers and host companies. One such test I tried revealed some interesting results which can be kind of scary if your host is not fully up to date on their security settings. Below are a few things you can try on YOUR server to see what weaknesses it has. If these two commands work, then chances are your site could become compromised from other users on the same server.
This is because a lot of companies do not use dedicated hosting, and you can see all the virtual sites listed on the server and the user accounts belonging to them. One is for *nux servers, the other for Windows, and the results will vary depending on permissions set by sysadmins. These commands should not return anything other than what is in your home directory path for your website and the process of PHP itself. If it returns anything more than this, such as paths outside or below your home directory, then your host company has not set things up properly and may be compromised using PHP to traverse the server.

For Linux systems with PHP, create a page with the following, upload it and then access it from your website:

<?php
// Every process the web server user is allowed to see (BSD-style "aux" options)
system("ps aux");
echo "\r\n";
echo "\r\n";
echo "\r\n";
// Recursive long listing starting three directories above the script
system("ls ../../../* -alR");
?>

Windows:

<?php
// Every process the web server user is allowed to see
system("tasklist");
echo "\r\n";
echo "\r\n";
echo "\r\n";
// Runs the batch file placed next to this script
system("dir.bat");
?>

For Windows, add a file named dir.bat to the same directory as your PHP script with the following code in the bat file:

cd \
DIR /AH /AS /B /S

edit: The script will probably time out unless an override is put in php.ini for max_execution_time longer than 60 seconds.

If you get some results to all the live processes running and are able to see files of other system users, root folders, etc., chances are you can stop processes, reboot servers, stop and start services, etc., etc., etc. Not a good day for the sysadmin. DO NOT ACT LIKE A DUMBASS AND TRY TAKING OVER A SERVER. YOU WILL GET CAUGHT! This is just so you can test your own machines or hosted sites, and then let them know to lock it down so people can not browse your site's files from other accounts on their server, etc.
Tenzer Posted August 6, 2008

If this is going to help anyone, it's probably a good thing to include information on how to fix these security aspects. I remember I once found a PHP script which could check all kinds of PHP settings, and tell which ones are insecure, and what it would recommend you to set them to, but I can't remember where I found it anymore :/
MRGRIM Posted August 6, 2008

Useful stuff, I will try it on my SBS box when I get home.
digip (Author) Posted August 6, 2008

> If this is going to help anyone, it's probably a good thing to include information on how to fix these security aspects. I remember I once found a PHP script which could check all kinds of PHP settings, and tell which ones are insecure, and what it would recommend you to set them to, but I can't remember where I found it anymore :/

<?php phpinfo(); ?>

Shows your default PHP settings in current use. You can turn on/off settings by creating a php.ini file in your root server path where your website files reside, or just edit the one for the server. I like to just add a second one and leave the default one alone, so I know what changes I made by having a separate one of my own in my home folder. This way anything I mess up can be undone and I know what I did vs. the original php.ini settings.

This alone is only one step to look into, but this won't stop your site from being viewed or traversed from within the host itself, though, if other users can execute shell commands. The other is changing ownership or group permissions for shell commands (anything that can be run from system("some_command") in PHP). The ps command, for instance, should probably not be used by anyone other than root. Same goes for bat scripts or known paths to EXEs on Windows, as well. If someone had an upload script on their server that didn't clean user input and allowed PHP files to be uploaded or executed, then a whole host of issues arise. Some people use upload scripts for sharing files with friends on their own servers, so this is a big problem if any website can see what's running, list files and execute commands. Granted, the system command in PHP is useful for real work getting done, but it poses a big threat from outside users if you have it disabled on your site, but the host has it enabled for all other users and you share the same host.
Tenzer Posted August 6, 2008

> <?php phpinfo(); ?>

No, it wasn't phpinfo() I was looking for, it was this script: http://phpsec.org/projects/phpsecinfo/

It checks various settings in php.ini and suggests any changes that could improve the security.
digip (Author) Posted August 6, 2008

> No, it wasn't phpinfo() I was looking for, it was this script: http://phpsec.org/projects/phpsecinfo/ It checks various settings in php.ini and suggests any changes that could improve the security.

The problem with this is, even if you have these features disabled on your server, other users on the server might not, and they would be able to then run the system() command on the server. If the host hasn't turned it off using something like "disable_functions = system" globally for all virtual hosts, then your site can still be traversed and possibly taken over from another virtual host on the shared server. Obviously you want to plug any loopholes from people coming to your site through the web, but the problem here lies not in people coming to your site from the web, but people who share a server with you from your hosting company.

Quick example, GoDaddy hosting. I ran a few things from my friend's hosted account, and I was able to see all running processes, traverse ALL files and folders from the root path down except for files explicitly set to root only, such as shadow, sgroup, etc., but I was able to see all the other virtual hosts on the machine, their home directories and their account names and site files for each site hosted on the server. I should not have been able to leave my home directory, or make it to a higher level that precedes my home directory. This is a big problem, and one of the reasons I see why GoDaddy sites get hit so often for defacements. I haven't tried it, but I would bet that I could then move files into other people's sites and deface their pages. My friend's account has had this happen several times and they did it directly through the web browser while visiting his site, so I can only imagine what would happen if this were done on the server side system wide.
You could write a script to go out and deface, replace, delete, etc., ALL the sites on the host's server because you are already on the inside and they allowed you to traverse the network with executable shell commands. Who knows what commands could be allowed, but better to know if you can escape your home path on a shared server. If so, let your host know so they can plug the hole and block people from using shell commands against other accounts.
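A pass/fail self-check for the settings the two posts above discuss (a per-site php.ini, disable_functions, and whether the PHP process can list directories outside your own site). This is an added example, not code from the thread; it assumes DOCUMENT_ROOT is set by the web server and reports results instead of dumping process lists or directory trees.

```php
<?php
// Added example: run this from YOUR OWN hosting account and read the PASS/FAIL
// lines. Equivalent php.ini settings it checks (assumed values, adjust to your site):
//   disable_functions = system,exec,shell_exec,passthru,popen,proc_open
//   open_basedir = /path/to/your/docroot:/tmp
//   expose_php = Off
//   display_errors = Off

$shellFuncs = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
$report = [];

// 1. Shell-spawning functions: a function listed in disable_functions is reported
//    as non-existent by function_exists(), so either signal counts as "disabled".
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach ($shellFuncs as $fn) {
    $report["$fn() disabled"] = !function_exists($fn) || in_array($fn, $disabled, true);
}

// 2. open_basedir confines file access to the listed paths; without it the
//    filesystem is only limited by the web server user's Unix permissions.
$basedir = (string) ini_get('open_basedir');
$report['open_basedir set'] = ($basedir !== '');

// 3. Can this script list directories outside its own site? With open_basedir in
//    force, scandir() on a path outside the allowed list returns false.
$docroot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;          // assumption: set by the server
$outside = dirname($docroot, 2);                          // two levels above the docroot
$report["cannot list $outside"] = (@scandir($outside) === false);
$report['cannot list /'] = (@scandir('/') === false);

// 4. Settings that leak version or path information to visitors.
$report['expose_php off'] = !filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN);
$report['display_errors off'] = !filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);

header('Content-Type: text/plain');
foreach ($report as $check => $ok) {
    printf("%-45s %s\n", $check, $ok ? 'PASS' : 'FAIL');
}
```

A FAIL on the "cannot list" lines while your own php.ini already disables system() is exactly the shared-host case digip describes: the restriction has to be applied by the host, globally, not just in your account.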
Tenzer Posted August 7, 2008

The reference to phpsecinfo was meant as a supplement to the information you provided - in case you missed that...

If web hosters haven't configured file/folder permissions properly, allowing users to edit other people's files, then it's just insane. I hope that is not the case anywhere.