Thread: Site security
View Single Post
  #2  
Old 19th October 2011, 10:12
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,034
Thanks: 826
Thanked 5,382 Times in 4,229 Posts
Default

The above example is not directly related to ispconfig or the use of ispconfig on a server, this is a general issue on site security for PHP scripts, just to make this clear to other readers.

If a php application allows such queries, then the php app has a bug as php apps should never include or access content that is passed to them as get variable without sanitizing the content. Nevertheless, I'am aware that such apps still exists. In ISPConfig, there is already a open_basedir restriction set for every website that restricts access to the web directory, so opening a file in /proc with php fopen or include / require functions should not be possible in the default configuration.

I just did a small test with this php file:

Code:
<?php
include($_GET['content']);
?>

and the output is as expected:

Code:
Warning: include() [function.include]: open_basedir restriction in effect. File(../../../../../../../../../../../../../../../proc/self/environ\0) is not within the allowed path(s): (/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp:/usr/share/php5) in /var/www/clients/client1/web1/web/test.php on line 2

You can enhance this protection by installing mod_security as you described in your post or add some apache directives and I really recommend that. I'am not sure what the performance impact of using mod_security on a server is, this should be evaluated to make a decision if we should include that in the default perfcet setup install or if its better to make a new general tutorial on techniques to secure php websites where we can explain in detail the pros and cons of the various options.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 19th October 2011 at 10:16.
Reply With Quote