Mailinglist Archive: opensuse-security (394 mails)

Re: [suse-security] PHP safe mode problems...
  • From: Christian Boltz <cb.suse@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 10 Dec 2003 00:12:59 +0100
  • Message-id: <200312092137.54175@xxxxxxxxxxxxxxx>
Hello,

On 09 December 2003 12:58, Jose de Paula Eufrásio Junior wrote:
> I got a defacing in my domains this weekend. They used a php shell
> to run some processes in the machine and replace all
> index.(html|shtml|php). They changed my users' password too, and left a
> process in the /tmp dir running on port 80.

This doesn't sound like things that will run in safe mode ;-)

> The thing is, if I turn on PHP Safe Mode, webmail and applications
> stop working (includes and execs).

This could have several reasons - see features.safe-mode.php in php
documentation for details.

Are there any warning messages inside your scripts (when you view them
in a browser) or entries in /var/log/httpd/error.log?

> Is there some way to secure PHP and not lose half of its
> functionality?

- use the open_basedir setting to restrict access to a given directory
(i. e. the docroot). This also can be done per directory or per
virtual host (see below)
- set open_basedir and/or safe_mode per directory or per virtual host.
Set up your PHP "secure" and then add to your httpd.conf
<Directory /these/scripts/hate/safemode>
php_admin_value safe_mode 0
php_admin_value open_basedir "/"
</Directory>
to disable safemode and open_basedir for a specific directory.
- disable register_globals (and only enable it per directory if really
necessary): php_value register_globals 1
This can also be done in a .htaccess, but requires
AllowOverride Options (if the comment on php.net is correct ;-)
Note: If you are running Confixx, register_globals for the Confixx
directory is required :-(
- if you have multiple users on your server, maybe using php as CGI
(with Apache suExec) would be an option, but it has some disadvantages
and some scripts won't run in CGI mode without modification [1]

BTW:
> gpgkeys: key BAEC7E8407DF65FB not found on keyserver
(Or is it just a problem with my keyserver?)


Regards

Christian Boltz

[1] Problems may occur with
- header() (different syntax when setting HTTP status codes)
- PHP Scripts used as "directories", i. e. index.php/param1/param2
(I like this way to pass parameters, but with CGI version it
requires additional mod_rewrite rules :-( )
- other functions I didn't have problems with yet ;-)
--
[ACPI] You can configure your power button however you like.
You can even configure it so that the PC starts singing ...
[Ekkard Gerlach in suse-linux]
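An added example (not from the post or from any project) showing how the settings discussed above fit together in one httpd.conf: hardened global defaults, open_basedir scoped per virtual host, and narrow per-directory exceptions for the scripts that refuse to run in safe mode or need register_globals. The ServerName and paths are made up, and it assumes PHP runs as an Apache module (mod_php), since php_admin_* directives only apply there.

```apache
# Global defaults for every virtual host.
# php_admin_* settings cannot be loosened again from a .htaccess file,
# unlike php_value/php_flag (which also need AllowOverride Options).
php_admin_flag register_globals Off
php_admin_flag safe_mode On

<VirtualHost *:80>
    ServerName customer.invalid          # made-up hostname
    DocumentRoot /srv/www/customer/htdocs

    # open_basedir is matched as a path *prefix*, so end each entry with
    # a slash: "/srv/www/customer" would also allow "/srv/www/customer2".
    # /tmp/ is listed so sessions and file uploads keep working.
    php_admin_value open_basedir "/srv/www/customer/htdocs/:/tmp/"
    php_admin_value upload_tmp_dir "/tmp/"
    php_admin_value session.save_path "/tmp/"
</VirtualHost>

# Exception for an application that does not run under safe mode
# (the webmail from the post). Scope it to the smallest directory
# possible and keep open_basedir instead of opening it to "/".
<Directory /srv/www/customer/htdocs/webmail>
    php_admin_flag safe_mode Off
    php_admin_value open_basedir "/srv/www/customer/htdocs/webmail/:/tmp/"
</Directory>

# Exception for a legacy application that still needs register_globals.
<Directory /srv/www/customer/htdocs/confixx>
    php_admin_flag register_globals On
</Directory>
```

safe_mode and register_globals no longer exist in PHP 5.4 and later; on those versions drop the two flags and rely on open_basedir plus running each customer's PHP under its own user (suExec/FastCGI or php-fpm pools).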

