Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Developers' Forum

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #81  
Old 7th February 2006, 19:23
webstergd webstergd is offline
Member
 
Join Date: Dec 2005
Location: Washington, DC
Posts: 53
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I am paranoid. However, I get paid to be paranoid so I guess it is ok. :-) What you think is best Till probably will be the way to go. I trust your programming skills completely and I am sure your solution will be the best all around. Once this is up I can start hacking it and see what I get.

Just checked php's online documentation and the second post ,under the escapseshellcmd, is actually from someone who is talking about the security risk of this command. His personal recomendation was the same as mine. "actualy never accept any command from external sources only proven built-in predefined commands should be executed."

from the php documentation website:
Code:
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A  and \xFF. ' and "  are escaped only if they are not paired.
Semi old security vulnerability on window IIS with php 4.3.6 and older: http://www.idefense.com/intelligence...lay.php?id=108
Reply With Quote
Sponsored Links
  #82  
Old 7th February 2006, 23:37
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 35,486
Thanks: 813
Thanked 5,256 Times in 4,121 Posts
Default

You are right, we shall use when ever possible strict variable checking with a tightly limiting regex.

Where this is not possible, we shall consider to write a replacement for escapeshellcmd function for ISPConfig. What did you think?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #83  
Old 8th February 2006, 04:24
webstergd webstergd is offline
Member
 
Join Date: Dec 2005
Location: Washington, DC
Posts: 53
Thanks: 0
Thanked 0 Times in 0 Posts
Post

As far as rewriting escapeshellcmd goes, I think rewriting would be the best way to go. Escapeshellcmd's goal is to be a generic filter not an complete filter.

We could write one method or class that would take two variables. The first variable would be the user input variable, second variable would be what filter we would like to run. We would need to do a switch statement or if-else statements with a default method that returns a null value.

Code:
ispconfigVariableFilter(String $variable, int $checkMethod) {

if (checkMethod == 1)
    //filter method 1
    //check to see if $variable only contains [a-z][A-Z] 
    //if passes return $variable else return null
else if (checkMethod == 2)
    //filter method 2
    //check to see if $variable only contains [a-z][A-Z][0-9]
    //if passes return $variable else return null
...

else 
    return null;

}
This would make it easier to modify the filter if an exploit is found. Also, helps to keep security uniform.

As far as writing filters goes I am a strong believe of stating what a variable can contain verses what it cannot. I know I say this all the time...sorry.

I want to run this by a Black Hat(hacker) programmer and see what his opinion is also. I will post back hopefully soon.

Last edited by webstergd; 8th February 2006 at 21:03.
Reply With Quote
  #84  
Old 9th February 2006, 08:24
webstergd webstergd is offline
Member
 
Join Date: Dec 2005
Location: Washington, DC
Posts: 53
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I talked with my friend about the problem and had him read the entire thread. He is firmilar with ISP Config and has looked at some of the source code before, just not an indepth look. To add weight to his opinion, I would feel comfortable saying he could easily be one of the best "security" programmers in the US. Graduated from harvard, headhunted by google to be a security programmer(he declined), and all that goodness.

The reply from my friend goes as follows:

Quote:
all non user-typed form input should with the values as numbers. These should be validated against a list of allowable values, and then used as indexes into tables that retrieve filenames and such. That way the user never has the opportunity to "fuzz" any filenames that ever get accessed directly on your system.

I think my general policy is "if it ain't in a table you created and manage carefully, it should never find it's way into a URL".
Quote:
I mean, in a system ideally designed for security from the ground up you should never have to pass anything to "escapeshellcmd" because there shouldn't be any way user input would ever end up outside of your script.

In response to rewriting escapseShellCmd:
Quote:
Hmmm. I like your idea of having your own input validation function that's extensible where needed, and hopefully in some reusable module.

The important thing to make sure is that the user doesn't get to control which method their input is validated against, either. So don't make it a hidden variable on the form. it should be statically set by the developer.
In response to Tills whitelist filter for web[id]:
he said that it should do the trick. In simple terms, my friend didn't find any flaws with Tills filter for web[id]. :-)
Reply With Quote
  #85  
Old 9th February 2006, 09:03
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 35,486
Thanks: 813
Thanked 5,256 Times in 4,121 Posts
Default

Hi,

thanks for your efforts. I will check where we can insert this validation system in the ISPConfig classes hierarchy.

Till
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #86  
Old 7th March 2006, 21:35
danf.1979 danf.1979 is offline
Senior Member
 
Join Date: Dec 2005
Location: Chile
Posts: 247
Thanks: 4
Thanked 3 Times in 2 Posts
Send a message via MSN to danf.1979
Default

Hi, I'm back from vacations, so I will be working again in the CMS Manager.

Cheers.

Edit: Oh, I wanted to know, How far are you from ISPConfig 3? Would this mean that I would have to do a lot of changes toy my script?
Reply With Quote
  #87  
Old 7th March 2006, 22:26
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 35,486
Thanks: 813
Thanked 5,256 Times in 4,121 Posts
Default

Quote:
Originally Posted by danf.1979
Hi, I'm back from vacations, so I will be working again in the CMS Manager.
Welcome back

Quote:
Edit: Oh, I wanted to know, How far are you from ISPConfig 3? Would this mean that I would have to do a lot of changes toy my script?
ISPConfig 3 will still take some time and we wont drop ISPConfig 2 with the release of ISPConfig 3 so dont worry about that. I really dont know yet how much work it will be to port this feature
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #88  
Old 1st June 2010, 17:39
jmontoya jmontoya is offline
Member
 
Join Date: May 2010
Location: France
Posts: 52
Thanks: 2
Thanked 4 Times in 4 Posts
Default

What happened with this phpnuke-ispconfig integration ?
Somebody know if there is a opensource-project-ISPconfig3 integration already available ?
Reply With Quote
  #89  
Old 2nd June 2010, 18:09
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,735 Times in 2,571 Posts
 
Default

Quote:
Originally Posted by jmontoya View Post
What happened with this phpnuke-ispconfig integration ?
I don't think this integration was completed.

Quote:
Originally Posted by jmontoya View Post
Somebody know if there is a opensource-project-ISPconfig3 integration already available ?
No, there's no such thing.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 05:12.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.