I have a customer who wants safe mode off, popen enabled and url_fopen enabled.
This is for some sort of CMS.
I noticed that Magento also requires similar things to be enabled.
And I've just encountered something I wanted to investigate - OwnCloud - which requires safe mode off and popen enabled.
The php running as the FTP user in FastCGI mode, just how dangerous is this in real as opposed to theoretical terms, especially since open_basedir is still in effect and most other "dangerous" functions are disabled?
When the customer wants something dangerous
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: When the customer wants something dangerous
Thanks for the question, so here's our take on these:
"safe mode off"
Moderate to low risk. The key value people got from this was that if the PHP script wasn't owned by the user Apache was running as, it wouldn't run. This was (and is) designed to prevent someone else from putting PHP scripts in your world-writable html directory, like another user on the box.
popen
https://www.atomicorp.com/wiki/index.php/Vuln_php_popen
Basically, think of this as the same as "system", "shell_exec" and "exec". It means that if the popen calls are poorly written, the bad guys can run any command they want on your system. Equally, if they upload a piece of PHP malware that uses those functions, it will work. The latter is just as important as the former, because there is a lot of PHP malware out there that can't do anything unless you allow one of these kinds of functions to work.
url_fopen
https://www.atomicorp.com/wiki/index.ph ... _url_fopen
Really, really bad. This means a URL is treated as a file, from any server on the internet. That means you can tell PHP that the PHP file it wants to load is running on a box the bad guy controls. I can't tell you how many PHP apps have had a vulnerability that was solely preventable because of this function.
With that said, ASL will stop RFI attacks, so if you have to do this you are losing an important layer of defense in depth, but you aren't completely exposed.
Quoting the question: "and most other "dangerous" functions are disabled?"
The problem is popen is the equivalent of things like system, exec, etc. And the bad guys write their payloads to try all the equivalent functions, so if you have one enabled, it's basically like having them all enabled.
Michael Shinn
Atomicorp - Security For Everyone
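The settings discussed in this reply, written out as an added php.ini fragment (not something from the thread or from any of the CMS vendors mentioned): the requested configuration on the left of each comment, and the hardened per-vhost equivalent below it. The open_basedir path is a placeholder.

```ini
; --- What the customer asked for ---
safe_mode = Off            ; deprecated in PHP 5.3 and removed in 5.4; the ownership check it gave is gone
allow_url_fopen = On       ; a URL is treated as a file: file_get_contents('http://...') just works
allow_url_include = Off    ; keep this Off even if allow_url_fopen is On: it governs include('http://...')
disable_functions =        ; empty list: popen, system, exec, shell_exec, passthru are all callable

; --- Hardened equivalent for the same vhost / FastCGI pool ---
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/example.com/:/tmp/
; disable the whole family, not just one member: malware tries every equivalent in turn
disable_functions = popen,proc_open,system,exec,shell_exec,passthru,pcntl_exec,dl
```

If the CMS genuinely needs popen, drop only popen from the list and keep the rest disabled; the thread's point is that one enabled member of the family still does most of the damage, so the remaining controls (open_basedir, allow_url_* Off) carry more of the weight.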
Re: When the customer wants something dangerous
If you must work with remote files: use the PHP cURL library instead of allow_url_fopen.
Lemonbit Internet Dedicated Server Management
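The cURL replacement suggested above, as an added example that is not code from the thread: remote data is fetched only from an explicit host allowlist over HTTPS and comes back as a string, so it can never be handed to include() the way a URL can when allow_url_fopen is on. The host names are placeholders.

```php
<?php
// Added example: fetch a remote resource with cURL while allow_url_fopen stays Off.
// Placeholder hosts; replace with the feeds/APIs the CMS actually needs.
const ALLOWED_HOSTS = ['feeds.example.com', 'api.example.org'];

function fetch_allowed_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    // Only https, and only hosts we explicitly trust.
    if (strtolower($parts['scheme']) !== 'https'
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        throw new RuntimeException("Host not in allowlist: {$parts['host']}");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no file://, ftp://, gopher:// etc.
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("cURL error: $err");
    }
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body; // plain data; the caller parses it, never include()s it
}

// Usage: replaces file_get_contents('https://feeds.example.com/latest.xml')
// $xml = fetch_allowed_url('https://feeds.example.com/latest.xml');
```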
Re: When the customer wants something dangerous
Wonderful info. Thanks guys!
--------------------------------
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: When the customer wants something dangerous
And suhosin could be helpful here; it would allow you to create whitelists of URLs that PHP functions can access, among many of its other features.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: When the customer wants something dangerous
Just remember to benchmark your suhosin performance; like anything else that's doing work, it can cause slowdowns in some cases:
http://www.hardened-php.net/suhosin/benchmark.html
Michael Shinn
Atomicorp - Security For Everyone
Re: When the customer wants something dangerous
We use suhosin on all our systems as a matter of course. Specifically to blacklist functions on a per-domain basis. I wasn't aware that it could whitelist URLs for fopen as well. Most interesting indeed.
We've not noticed any performance issues with it, but I've never benchmarked it.
--------------------------------