#1
19th October 2011, 09:00
SamTzu
HowtoForge Supporter
Location: Helsinki
Site security

%00 is known as a "poison null byte" attack. "Response 200" is not what we want to see. System commands can be included after that line.

Check if you can see your page with this command after the domain part...
Code:
/?content=../../../../../../../../../../../../../../../proc/self/environ%00
An easy way to prevent this is to include this line in the .htaccess file.
Code:
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
I have been meaning to address this problem. Should 'Perfect Server' also have mod_security installed and enabled? Or can we include that RewriteCond at server level in the Apache config?

You can install mod_security in Debian with these commands...
Code:
apt-get install libapache-mod-security
a2enmod mod-security
/etc/init.d/apache2 force-reload
__________________

Sami Mattila
Internet-Content

Telephone:
00358942833310
Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent

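As an added example (not code from the thread), a defender-side check for the pattern described in this post, run over constructed Apache access-log lines; the function names `decode_query`, `classify_query` and `scan_log` and the sample log are constructed here:

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines; the first carries the thread's exact query string.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2011:09:00:01 +0200] "GET /?content=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2011:09:00:02 +0200] "GET /?content=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2011:09:01:10 +0200] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 1024 "-" "curl/7.21"
198.51.100.7 - - [19/Oct/2011:09:01:11 +0200] "GET /static/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_query(target):
    """Return the query string of a request target, percent-decoded until stable.
    mod_rewrite matches %{QUERY_STRING} undecoded, so a log review should decode
    (including a doubly encoded %2500) before matching indicators."""
    query = target.partition("?")[2]
    for _ in range(3):                 # bounded: stop after a few layers
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query

def classify_query(query):
    """List the indicators present in a decoded query string."""
    reasons = []
    if "\x00" in query:
        reasons.append("null byte")            # %00, the 'poison null byte'
    if "../" in query or "..\\" in query:
        reasons.append("path traversal")
    if "proc/self/environ" in query:
        reasons.append("proc/self/environ")    # the file the RewriteCond above keys on
    return reasons

def scan_log(text):
    """Return (line_no, status, reasons) for every request whose query string carries
    an indicator. A 200 on a flagged line is the 'Response 200' the post warns about."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_query(decode_query(m["target"]))
        if reasons:
            hits.append((n, int(m["status"]), reasons))
    return hits
```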
#2
19th October 2011, 10:12
till
Super Moderator
Location: Lüneburg, Germany
The above example is not directly related to ispconfig or the use of ispconfig on a server; this is a general issue of site security for PHP scripts, just to make this clear to other readers.

If a PHP application allows such queries, then the PHP app has a bug, as PHP apps should never include or access content that is passed to them as a GET variable without sanitizing the content. Nevertheless, I'm aware that such apps still exist. In ISPConfig, there is already an open_basedir restriction set for every website that restricts access to the web directory, so opening a file in /proc with PHP fopen or include/require functions should not be possible in the default configuration.

I just did a small test with this php file:

Code:
<?php
include($_GET['content']); // deliberately unsafe test: includes whatever file the request names
?>

and the output is as expected:

Code:
Warning: include() [function.include]: open_basedir restriction in effect. File(../../../../../../../../../../../../../../../proc/self/environ\0) is not within the allowed path(s): (/var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp:/usr/share/php5) in /var/www/clients/client1/web1/web/test.php on line 2

You can enhance this protection by installing mod_security as you described in your post or by adding some Apache directives, and I really recommend that. I'm not sure what the performance impact of using mod_security on a server is; this should be evaluated to decide whether we should include that in the default perfect setup install or whether it's better to make a new general tutorial on techniques to secure PHP websites where we can explain in detail the pros and cons of the various options.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 19th October 2011 at 10:16.
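An added example, not till's code or PHP's own implementation: a string-level emulation of the open_basedir decision using the allowed paths from the warning quoted above, beside the allowlist lookup such an include should use instead of passing the GET value on as a path. `within_basedir`, `safe_include_target`, `PAGES` and the `docroot/pages` layout are constructed for this example.

```python
import os

# Allowed directories copied from the open_basedir warning quoted in the post.
OPEN_BASEDIR = (
    "/var/www/clients/client1/web1/web",
    "/var/www/clients/client1/web1/tmp",
    "/usr/share/php5",
)
DOCROOT = "/var/www/clients/client1/web1/web"   # where test.php lives in the post

def within_basedir(path, allowed=OPEN_BASEDIR, cwd=DOCROOT):
    """Emulate the open_basedir decision for a path a script is about to include.
    Pure string logic (an assumed simplification): no filesystem access and no
    symlink resolution, whereas PHP resolves symlinks before comparing."""
    if "\x00" in path:
        return False, "embedded null byte"       # PHP >= 5.3.4 rejects these outright
    absolute = path if os.path.isabs(path) else os.path.join(cwd, path)
    resolved = os.path.normpath(absolute)        # collapses the ../ chain from the thread
    for base in allowed:
        base = os.path.normpath(base)
        # Compare on a directory boundary: .../web must not also admit .../web2
        if resolved == base or resolved.startswith(base + os.sep):
            return True, f"inside {base}"
    return False, f"{resolved} is not within the allowed path(s)"

PAGES = ("home", "about", "contact")             # constructed allowlist of page names

def safe_include_target(content, pages=PAGES, docroot=DOCROOT):
    """What include($_GET['content']) should do instead: treat the parameter as a
    key into a fixed set of page names, never as a path. Returns None when the
    value is not in the set, so nothing outside docroot/pages can be reached."""
    if content not in pages:
        return None
    return os.path.join(docroot, "pages", content + ".php")
```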
#3
19th October 2011, 12:47
pititis
Senior Member
Location: München
ModSecurity without rules doesn't help. It's a very good mod. The impact on servers is usually memory: more rules, more memory. The base rules are ok and memory use is acceptable. ISPConfig with open_basedir restrictions, FastCGI and some PHP functions disabled is secure, but again, RFI, SQL injection, etc. in some insecure applications from any customer can be a disaster, and that is why I use ModSecurity.

Thanks for the report SamTzu!
#4
19th October 2011, 19:01
erosbk
Senior Member
I tried http://www.mydomain.com/?content=../...elf/environ%00

and I could see the page normally without problem... no log entry in error.log... how can I check if I am protected against this?

Thanks in advance, I am not using mod_security yet
#5
1st November 2011, 06:26
SamTzu
HowtoForge Supporter
Location: Helsinki
That link should give an error message.
An easy way to fix the site is to use the .htaccess rule to block the poison null byte.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.