A beginner hoster's guide to plugging holes in PHP
Today a Perl programmer asked me whether there is any way at all to run something in PHP through suEXEC. A study of the manuals showed that no, there is no way. Which is probably a good thing... one hole fewer.
But in the PHP manual, apart from the functions exec and system, which I had long known about and had duly forbidden on my server, I also found the function popen. That put me on guard, because I remembered precisely: I had not forbidden this function in my PHP settings!
I copied the example from the manual on the spot and ran it. The result... was a surprise. Listings of most of the server's directories, the contents of /etc/passwd, the doc_root of other people's virtual servers: all of it appeared before my eyes :-)
The example code:
<?php
// Deliberately dangerous demo from the post: whatever is typed into the
// form is handed to popen() and runs with the web server's privileges.
// $_POST['q'] replaces the old register_globals $q so it runs on any PHP.
$q = isset($_POST['q']) ? $_POST['q'] : 'ls -alp';
?>
<html>
<body>
<form method="post">
<input type="text" name="q" value="<?php echo htmlspecialchars($q); ?>">
<input type="submit">
</form>
<pre>
<?php
error_reporting(E_ALL);
$fp = popen($q, 'r');          // spawn a shell running $q, read its stdout
$read = '';
while (!feof($fp)) {
    $read .= fread($fp, 4096);
}
echo htmlspecialchars($read);  // the command output, e.g. a directory listing
pclose($fp);
?>
</pre>
</body>
</html>
I didn't like that, so I went into the Apache config, httpd.conf. I added popen to the disable_functions list and restarted... Zero effect. I tried calling exec: it ran.
State of shock...
So what can be done this way?
A lot. The point is that PHP runs with the rights of Apache, and Apache has access to ALL files of ALL virtual hosts. It must, otherwise it could not read them and serve them to clients. Accordingly, a script on any one host can read them all, and can delete or overwrite whatever the web server's user is allowed to write. Isn't that enough to call this hole critical?
I don't know how things stand with hosters at large, but for some reason it seems to me that about 50% of them have this hole.
So how do we stop the users of a virtual hosting from doing mischief through PHP, namely:
A) reading other users' files from other users' directories
B) calling any system functions
Point A
The first point turned out to be simple. Do not, for God's sake, turn on Safe Mode. It is evil: very, very inconvenient and bad, especially since there are easier methods (and it was removed from PHP altogether in 5.4).
A virtual host in Apache is created with the <VirtualHost> directive, and for each virtual host you naturally specify a DocumentRoot. So let's make it so that scripts started under this virtual host cannot read files anywhere except inside that user's own directory tree. And while we're at it, let's have each virtual host's sessions saved in its own directory; that is only logical, why mix everyone's together?
Add the following lines inside the <VirtualHost> section:
<IfModule mod_php4.c>
    php_admin_value open_basedir /home/username/
    php_admin_value doc_root /home/username/html/
    php_admin_value upload_tmp_dir /home/username/tmp/
    php_admin_value session.save_path /home/username/tmp/
</IfModule>
Replace mod_php4.c with mod_php5.c depending on the PHP version (mod_php7.c for PHP 7, mod_php.c for PHP 8). Keep the trailing slash on open_basedir: the value is matched as a prefix, so /home/username without the slash would also admit /home/username2/. The tmp directory must exist and be writable by the web server's user, or uploads and sessions for that host will fail.
In this example, the DocumentRoot of this virtual host is:
DocumentRoot "/home/username/html"
With that, the first problem is solved. Try fopen("/home/anotheruser/html/hacked.txt", "a"); it fails with an "open_basedir restriction in effect" warning.
Point B
On to the second point.
Here I made two mistakes: I put the disable_functions directive where it cannot go, and my list of forbidden functions was far from complete.
Don't repeat my mistake; don't try to set the disable_functions parameter in httpd.conf separately for each virtual host. NOTHING WILL COME OF IT! Earlier it was apparently possible... because I had it that way, and I had read about it somewhere.
disable_functions has to be set in php.ini. To find out which php.ini you are using, run the following command in a shell:
php -i | grep ini
and with high probability you will see where your php.ini is. Bear in mind that the command-line php can read a different php.ini from the Apache module; the "Loaded Configuration File" line of phpinfo() called from a script served by Apache is the one that counts.
In it, around line 199, there is something like:
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =
And so. The list of functions that it is VITAL to restrict on a virtual hosting:
disable_functions = popen,dl,set_time_limit,passthru,system,exec,proc_open,shell_exec,proc_close
That's the minimum. I'm not sure that this is everything. I can say with 90% probability that no system call will get through on the server. And any other mischief can surely still be done.
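The following self-test script is an added example, not code from the original post. It checks both points at once: that open_basedir is set for the virtual host (with the trailing slash), that a file of another host really cannot be read, and that every function from the disable_functions list above is actually gone. It must be requested through Apache, not run with the command-line php, because only then does it see the <VirtualHost> settings and the module's php.ini. The path $otherUsersFile is an assumption; point it at a real file belonging to a different virtual host.

```php
<?php
// Added vhost self-test (not from the original post). Put it in one
// virtual host's DocumentRoot and request it through the web server, so
// it runs under the same php.ini and <VirtualHost> settings as the
// customer's scripts. $otherUsersFile is an assumed path belonging to a
// different virtual host; point it at a real file on your server.

header('Content-Type: text/plain');

$otherUsersFile = '/home/anotheruser/html/index.html';   // assumed path
$mustBeDisabled = array('popen', 'dl', 'set_time_limit', 'passthru',
    'system', 'exec', 'proc_open', 'shell_exec', 'proc_close');
$problems = array();

// Which user PHP runs as: every script on every vhost inherits its rights.
echo 'effective uid: '
    . (function_exists('posix_geteuid') ? posix_geteuid() : 'unknown (posix extension missing)')
    . "\n";

// 1. open_basedir must be set, and each entry should end in a slash:
//    "/home/username" without it is a plain prefix match and would also
//    admit /home/username2/.
$basedir = (string) ini_get('open_basedir');
echo 'open_basedir: ' . ($basedir === '' ? '(unset)' : $basedir) . "\n";
if ($basedir === '') {
    $problems[] = 'open_basedir is not set: scripts may read every file the web server can';
} else {
    foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
        if (substr($dir, -1) !== '/') {
            $problems[] = "open_basedir entry '$dir' lacks a trailing slash (prefix match)";
        }
    }
}

// 2. Reading a file of another vhost must fail; the warning is silenced
//    because the return value is what we test.
if (@file_get_contents($otherUsersFile) !== false) {
    $problems[] = "read $otherUsersFile: open_basedir does not confine this vhost";
}

// 3. Every function in the list must be gone. function_exists() returns
//    false for names removed by disable_functions; the ini value is also
//    parsed so a missing entry can be told apart from an absent extension.
$iniValue = (string) ini_get('disable_functions');
$disabled = preg_split('/[\s,]+/', $iniValue, -1, PREG_SPLIT_NO_EMPTY);
echo 'disable_functions: ' . ($iniValue === '' ? '(empty)' : $iniValue) . "\n";
foreach ($mustBeDisabled as $fn) {
    if (function_exists($fn)) {
        $problems[] = "$fn is still callable";
    } elseif (!in_array($fn, $disabled, true)) {
        $problems[] = "$fn is absent but not listed in disable_functions (extension not loaded?)";
    }
}

echo "\n";
if ($problems) {
    echo "PROBLEMS:\n - " . implode("\n - ", $problems) . "\n";
} else {
    echo "OK: file access is confined and all listed functions are disabled\n";
}
```

Two points worth knowing when reading its output: the backtick operator is compiled to a shell_exec() call, so disabling shell_exec covers it as well; and if the pcntl extension is loaded under the web server, pcntl_exec can also start programs and belongs on the list.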