HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Developers' Forum

#71 - 6th February 2006, 02:17 - danf.1979 (Senior Member, Chile)

Quote:
Originally Posted by till
If you use suexec + cgiphp or suphp, the CMS runs under the username of the web admin and not the Apache user, so these problems don't exist and the directories must not be world-writable.
Yes, I confused myself. Any drawbacks from running with those modules? Would I have to change something in the CMS installer, or is it just like an Apache config? Would some CMSs stop running? I have never used those modules. Thanks.

Note: There is another post to webstergd before this one

Last edited by danf.1979; 6th February 2006 at 02:20.
#72 - 6th February 2006, 05:31 - webstergd (Member, Washington, DC)

possible idea...

Do we have a folder or group in CVS for mods or extras? It might be easier for people to help with. Especially with TortoiseSVN; that program is awesome... thanks for the recommendation, Till.

Would it be wise to make a closed forum that only developers can read and access? We could use this for security fixes and questions of that nature. It might be wise to restrict this to select developers who are active or "trusted."

And dude, I am so looking forward to your mod. I think it will be a huge boost for ISPConfig. WAY TO GO!
#73 - 6th February 2006, 10:54 - danf.1979 (Senior Member, Chile)

Hi again. I'm just staring at the code right now and got a little scared by the function that deletes directories from a CMS-created installation.
PHP Code:
    function _do_delete() {
        if ( is_array($this->do_delete) ) {
            foreach ($this->do_delete as $value) {
                system("rm -rf ".$this->path_to_create."/".$value);
            }
        }
    }
do_delete is an array of directories to delete: $cms_install->do_delete = array("dir1/", "dir2/");
How can I be absolutely sure that I will *never* delete my entire disk?
I define do_delete only in the script and there is no $_POST var involved, but this might not be the case in the future.
For example, could I force that all directories to eventually delete *must* be inside, for example, /var/www/web[ID]/web/? (I know it can be another document root too, but just for simplicity.)

Last edited by danf.1979; 6th February 2006 at 11:03.
#74 - 6th February 2006, 11:41 - webstergd (Member, Washington, DC)

You were correct in your fear. I am not sure what rights the function would be granted, but it could still be a big problem.

This solution is off the top of my head, having only given it a few minutes' thought, so check it with Till or Falko, but here is how I would make it more secure:

Instead of $value holding the directory, you could use $value as a number. Then the number would trigger an if statement that would delete the corresponding directory.

i.e.
Code:
    // let's say $value = 2; $id stands for the web[id] of the site
    if ($value == 1) {
        system("rm -rf /var/www/web" . $id . "/web/joomla/");
    } elseif ($value == 2) {
        system("rm -rf /var/www/web" . $id . "/web/phpbb2/");
    } else {
        die("error: unknown package number");
    }
The only problem with this is that web[id] would need to be properly checked to make sure it only includes proper characters ([A-Z][a-z][0-9] and I believe '_'; check with Till). Have the statement die on any other values detected. A few other checks might be wise to run on web[id]. Till would be your best man to ask about the functions provided by PHP for this.

I still don't like web[id] in there, but for simplicity's sake I am not going to worry.



Later, to make it easier to update, you could place the list of directories in a static, read-only config file and have the program read them and place them in a static array. You still need to check the values, but this should make it easier to update.

Last edited by webstergd; 6th February 2006 at 11:44.
#75 - 6th February 2006, 12:24 - till (Super Moderator, Lüneburg, Germany)

I think the approach from webstergd is more secure. The [ID] from web[id] is always an integer. You can check this either with a regex, e.g. "/^[0-9]{1,10}$/", or you use the fact that a valid [ID] can't be 0, so something like $id = intval($id); will convert $id to a valid integer or result in 0, which is harmless and can easily be filtered by if($id > 0) {....

For even more security, you might check every path right before the exec statement to see if it:

1) Starts with the web docroot (/home/www/ or /var/www or whatever is set in the isp_server table as root directory for the websites).
2) Does not contain two dots "..".
3) Contains only valid path characters, e.g. not "|<>;", and is escaped by escapeshellcmd.

Why this extra security? The CMS installer might be extended later so that it installs packages built by external people / projects. If someone then builds a harmful or merely lazily built package, we must try to limit the possible damage as much as possible.

Or am I too paranoid?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#76 - 6th February 2006, 23:40 - danf.1979 (Senior Member, Chile)

Ok, I'm using this now:
Code:
    function _do_delete() {

        $httpd_root = "/var/www"; # This will be taken from isp_server

        # stristr() returns the matched substring or FALSE, so compare against FALSE explicitly
        if (stristr($this->path_to_delete, $httpd_root."/web".$this->web_id) !== FALSE AND stristr($this->path_to_delete, "..") === FALSE) {
            if ( is_array($this->do_delete) ) {
                foreach ($this->do_delete as $value) {
                    print "rm -rf ".$this->path_to_delete."/".$value."<br>";
                    //system("rm -rf ".$this->path_to_delete."/".$value);
                }
            }
        }
        else {
            echo 'Access denied.';
        }
    }
I don't know what you mean by this, Till: "...and is escaped by escapeshellcmd."
Thanks both.
#77 - 7th February 2006, 01:37 - webstergd (Member, Washington, DC)

Ehh, better, but it still has a lot of holes.

I agree with Till on all his security points and he is a much better PHP programmer than I am. However, I do not feel his solution will patch all the holes in this statement.

For example:
if a user submits .../../../ he will still be able to traverse the directory. The system matches two dots, not three. Called the triple-dot vulnerability.

If a hacker sends the command /var/www/.../../../../../etc/passwd you will have the password file.

The next example is that if a hacker uses multiple alternate encodings for text in order to bypass the filters, the filters will not flag it.

/var/www/%25%25/%25%23/%25%25 ...... using URL encoding
/var/www/%C0AE/%C0AE/%C0AF ......... using Unicode

Ok, I am tired so I will stop with the examples...

Basically my fear is that it is almost impossible to properly search for phrases that are not allowed. Using different encoding tricks, or really just playing around, you could eventually find a loophole. I am a firm believer in stating what a function can do versus what a function cannot do.

If I have time later tonight I will think of possible ways to do this that could solve your problem and make the program easier. It might not be as efficient as my original idea, but it should be just as secure and a hell of a lot easier to program.

SORRY TILL!!! YOU ARE STILL MY HERO!!!

Last edited by webstergd; 7th February 2006 at 05:45.
#78 - 7th February 2006, 05:56 - webstergd (Member, Washington, DC)

A possible other way to "secure" your statement:

$value will return a URL ... for example purposes we will say /var/www/web[id]/cms

You could take the variable from $value and match the string exactly with a preset string. If the data isn't exact, kill the function.

Code:
    // $id stands for the already validated web[id]
    if ($value === "/var/www/web" . $id . "/cms") {
        system("rm -rf /var/www/web" . $id . "/cms");
    } elseif ($value === "/var/www/web" . $id . "/joomla") {
        system("rm -rf /var/www/web" . $id . "/joomla");
    } else {
        die("Access denied.");
    }
In our example the first if statement will return true and "rm -rf /var/www/web[id]/cms" will execute.

If $value = /var/www/web[id]/cms/"insert something bad here", the command will not execute and you are safe.

This method will be slower and less efficient than checking the given variables. However, you will not be able to execute a command you might not want to execute, such as

"rm -rf /var/www/web[id]/cms/../../../../../../../../../../../"
which is equal to "rm -rf /".

This solution is also not flexible, but we could change that around later by adding to how it checks, such as searching through a static array of possible values. We could build the static array through a read-only config file.
#79 - 7th February 2006, 12:25 - till (Super Moderator, Lüneburg, Germany)

Quote:
Originally Posted by webstergd
Ehh, better, but it still has a lot of holes. [...]
I don't think that your examples will trick the filters I mentioned above:

If you have a hard-coded path "/var/www/web[id]/cms" where [id] is checked / converted with the intval command or a regex and then it is passed to my filters, I don't see how this can be exploited easily. To the filters:

1) The double-dot filter also filters three and more dots when you search with the stristr(...) function.

2) The filter for disallowed chars must list escape sequences too, like "%#" and others. I mentioned in my post only a few characters.

My solution was to use the solution you posted with web[id] as the first "firewall" and then double-check the string for malicious chars as a second check before it is used in the exec statement.

The problem that I see is when we use only your type of path checking without a second "firewall": where do we get the string "/var/www/web[id]/joomla" from when the joomla package comes from an external package builder? The path string must be included in the package. If we want to have third-party packages, we either have to allow only "trusted" packages where a developer from ISPConfig inspects every revision for malicious code, or we have to try to make even the installation of third-party packages as secure as possible.
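The following is an added example, not ISPConfig code and not code posted by anyone in this thread. It puts the two "firewalls" from the posts above together: webstergd's exact-match allowlist of package names (#78), Till's intval() check on [ID] (#75), and, in place of searching the string for ".." or bad characters, a canonical-path check with realpath() so that "..", "...", symlinks and any spelling of a parent directory are resolved before the prefix is compared. The class name CmsUninstaller, its method names, the allowlist contents and the scratch docroot it builds under the system temp directory are assumptions made for the demo; it never touches /var/www.

```php
<?php
// Added example, not ISPConfig code: an uninstall routine that only ever
// removes an allowlisted package directory below <docroot>/web<ID>/web/.
// Class, method and package names and the scratch docroot are assumptions.
declare(strict_types=1);

final class CmsUninstaller
{
    // The allowlist is the only source of directory names; nothing in the
    // request or in a package can add to it (the exact-match idea from #78).
    private const ALLOWED_PACKAGES = ['joomla', 'phpbb2'];

    public function __construct(private string $docroot) {}

    /** Removes $package for site web<$web_id>; returns the canonical path it
     *  deleted, or throws before touching the filesystem. */
    public function deletePackage(string|int $web_id, string $package): string
    {
        // A valid [ID] is a positive integer and nothing else. intval() turns
        // "7; rm -rf /" into 7, so also insist that the value round-trips.
        $id = intval($web_id);
        if ($id <= 0 || (string)$id !== (string)$web_id) {
            throw new InvalidArgumentException("bad web id");
        }
        // Exact match against the allowlist, not a search for forbidden text.
        if (!in_array($package, self::ALLOWED_PACKAGES, true)) {
            throw new InvalidArgumentException("unknown package '$package'");
        }
        // Build the path ourselves, then canonicalise it. realpath() resolves
        // ".", "..", symlinks and treats "..." as the ordinary name it is; it
        // returns false when the path does not exist.
        $base = realpath($this->docroot . "/web$id/web");
        if ($base === false) {
            throw new RuntimeException("site web$id has no docroot");
        }
        $target = realpath("$base/$package");
        if ($target === false) {
            throw new RuntimeException("nothing to delete");
        }
        // The canonical target must lie strictly below the site docroot. A
        // package directory that is a symlink elsewhere fails here, because
        // realpath() already followed it.
        if (strncmp($target, "$base/", strlen($base) + 1) !== 0) {
            throw new RuntimeException("refusing to delete outside $base");
        }
        // No shell at all, so escapeshellcmd()/escapeshellarg() do not apply.
        self::rmTree($target);
        return $target;
    }

    private static function rmTree(string $dir): void
    {
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
            RecursiveIteratorIterator::CHILD_FIRST
        );
        foreach ($files as $f) {
            // Symlinks inside the tree are unlinked, never followed, so a link
            // to / planted in the package cannot turn this into "rm -rf /".
            ($f->isDir() && !$f->isLink()) ? rmdir($f->getPathname()) : unlink($f->getPathname());
        }
        rmdir($dir);
    }
}

// Constructed fixture: a scratch docroot with one site and a hostile symlink.
$docroot = sys_get_temp_dir() . '/cms_demo_' . getmypid();
mkdir("$docroot/web7/web/joomla/images", 0700, true);
touch("$docroot/web7/web/joomla/index.php");
mkdir("$docroot/outside", 0700, true);
symlink("$docroot/outside", "$docroot/web7/web/phpbb2");

$u = new CmsUninstaller($docroot);
echo "removed ", $u->deletePackage("7", "joomla"), "\n";
// Every one of these is refused before anything is deleted.
foreach ([["7", "phpbb2"], ["7", "../../outside"], ["7; rm -rf /", "joomla"], [0, "joomla"]] as [$id, $pkg]) {
    try {
        $u->deletePackage($id, $pkg);
    } catch (Exception $e) {
        echo "rejected web$id/$pkg: ", $e->getMessage(), "\n";
    }
}
```

Run it with php on the command line; it needs PHP 8 for the constructor promotion and the string|int type. The design point is the one webstergd makes in #77: the routine states what it may delete (an allowlisted name below a path it built itself) instead of hunting for what it must not, and the realpath() comparison is a single check that covers "..", "...", symlinks and every encoding trick at once, because the kernel, not the filter, decides what the path means. Removing the scratch directory afterwards is left to the reader.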
#80 - 7th February 2006, 20:01 - webstergd (Member, Washington, DC)

Sorry Till! I misread the post, thinking it was your post versus Dan's. After reading your filters I do see your point; I apologize.

I cannot find any flaws in your web[id] filter.

I have the same fear as you with my filter. If it is done correctly, it would be hard to allow others to expand on it or allow updates. It would be time consuming to force a check for every revision of the CMSs we support. However, would it be unwise to provide trusted CMS packages on the website?

Complete judgement call on your part.


However, my concern was with $value. I believe holes can be punched through the filters for $value. I need to read the PHP documentation or ask a friend to make sure about this. But I believe escapeshellcmd() in PHP only filters single characters, not double,

i.e.
% will be kicked out but
%% will return only a single %
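As an added example (again not code from this thread or from ISPConfig), the script below runs the strings from #77 and #80 through escapeshellcmd(), escapeshellarg() and the stristr("..") test from #76, so what each one does can be read off rather than guessed. The probe() helper and the sample strings are constructed for the demo. Two facts it makes visible: escapeshellcmd() backslash-escapes the shell metacharacters &#;`|*?~<>^()[]{}$\ plus newline and \xFF (and unpaired quotes) and leaves '%' completely alone, so neither '%' nor '%%' is dropped; and neither escaping function touches '..' or '/', so both are a defence against command injection only, not against traversal. The filesystem and the shell also never URL-decode, so '%2e%2e' or '%C0AE' simply name a directory spelled that way.

```php
<?php
// Added example (not from the thread): what PHP's shell-escaping functions and
// a stristr("..") test do to the strings discussed above. probe() and the
// sample strings are constructed for this demo; /var/www/web7/web is assumed.
declare(strict_types=1);

/** Runs one candidate path fragment through the checks and reports the result. */
function probe(string $s): array
{
    return [
        'input'   => $s,
        'cmd'     => escapeshellcmd($s),   // backslashes metacharacters in place
        'arg'     => escapeshellarg($s),   // single-quotes the whole argument
        'dotdot'  => stristr($s, '..') !== false,
        // What would actually reach the shell: exactly one rm with one argument,
        // but the argument still walks upward if it contains "..".
        'command' => 'rm -rf ' . escapeshellarg("/var/www/web7/web/$s"),
    ];
}

$samples = [
    'cms/../../../../etc',     // plain traversal: no shell metacharacters at all
    'cms/.../../../../etc',    // "triple dot": "..." is an ordinary name; the ".." after it is caught
    'cms; rm -rf /',           // command injection: ';' gets a backslash
    'cms`id`',                 // command substitution: backticks get backslashes
    '%25%25/%25%23',           // URL-encoded text is never decoded here; '%' is left alone
    '%C0AE%C0AE/%C0AF',        // overlong-UTF-8 spelling of "../": also just literal bytes
    'a%b%%c',                  // '%' and '%%' both survive escapeshellcmd() unchanged
];

foreach ($samples as $s) {
    $r = probe($s);
    printf("%-24s  cmd=%-26s  arg=%-28s  dotdot=%-3s  %s\n",
        $r['input'], $r['cmd'], $r['arg'], $r['dotdot'] ? 'yes' : 'no', $r['command']);
}
```

Reading the output down the 'cmd' column shows the split Till's list in #75 relies on: item 3 (escaping and the character denylist) stops a string from becoming a second command, while only items 1 and 2 (docroot prefix and no "..") have anything to say about where the one remaining rm points, and the 'command' column shows that escapeshellarg() alone still hands rm a traversing path.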
All times are GMT +2.