
hacking with php shell

I think you can prevent this for the moment by checking files. So when people try to upload this package, you just restrict that folder's usage. It is not the best way, but it still works, I think.
Also, if you use mod_security, maybe suhosin, this can help as well as a security layer.

I did not check this, but I think it is not quite possible to bypass the folders even if safe mode is OFF, because of open_basedir.
 
I think you can prevent this for the moment by checking files. So when people try to upload this package, you just restrict that folder's usage.

It is not a problem of this package; this was only an example to see the bug.

The bug is in the config files that Plesk generates!
 
You can always disable some dangerous functions like exec, shell_exec and so on.
We always do this.
 
Can I please have the request ID of your request on Mar 17, 2010, 06:06 AM?
 
Well, there is no problem with security.
If you have PHP as a module, it works with the apache user, and all vhost dirs with 750 permissions are accessible. Therefore safe_mode should be enabled.
If you have PHP as CGI, it works with the ftpuser, and this user has access only to his directory.
 
Hello IgorG,

Although there is "no problem" with security for you, it is pretty uncomfortable to be able to access almost all of the server.

For example, we installed GNY Shell and c99 scripts and we are able to access even the /etc/passwd file. I mean, come on, for a curious hacker all you have to do is find all the users and just brute force, or easily find the daemon versions, explore the Bugzilla and the vulnerabilities.

Imagine you're a sysadmin for a web hosting company and some of your websites require FastCGI for running, and you know that FastCGI has no open_basedir restriction, so you can read all files on your server. How would you feel?

I'm just expressing my point of view of the problem.

Thank you
 
Indeed, you can do this with cgi-bin, Ruby, Perl, and SSI, to name just a few others. When we were designing Plesk originally this was a major concern, and PHP was then the only technology out there that could enforce any kind of controls inside the module itself.

Unfortunately this is the nature of the way the web server has to work, and there is no single silver bullet solution to address that nature of attack. The way we address this in ASL is to layer multiple classes of security controls, some look for the malicious code, others are designed to disrupt it, and still others are designed to filter the output when all else fails.
 
Hello Atomic,

If Parallels upgrades psa-mod_fcgid to the latest version, this wouldn't happen, because currently the mod_fcgid (non-psa package) supports arguments. The only way of restraining the open_basedir in FastCGI is putting a php.ini for each vhost, but that would be a lot harder to do.
 
You have to have psa-mod-fcgid-configurator installed to manage fcgi from Plesk. If you have more specific questions on fcgi & apache you might want to ask in the atomic forums. There's a much more involved community there.
 
Plesk 9.5 has a cgi-wrapper that can be used to add open_basedir security.

$ vim /var/www/cgi-bin/cgi_wrapper/cgi_wrapper

The file should look something like this:
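#!/bin/sh
# Look up the home directory of the user the wrapper runs as (exact UID match)
HOMEDIR=$(getent passwd "$(id -u)" | cut -d: -f6)
# Fail closed if no home directory was found
[ -n "$HOMEDIR" ] || exit 1
# Confine PHP file access to this user's document root
ARGS="-d open_basedir=$HOMEDIR/httpdocs/"
exec /usr/bin/php-cgi $ARGS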

I haven't tested this enough, so be careful.
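
Added example, not part of the post above and not Plesk's code: the wrapper's open_basedir value comes from a passwd lookup, so the lookup has to match the UID field exactly, because a pattern match on ":UID:" also hits lines whose GID field holds the same number. The function names, PASSWD_FILE and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Resolve a CGI user's home directory from passwd data and build the
# open_basedir setting, refusing missing or unsafe results.
# PASSWD_FILE is a hypothetical override so the lookup can be tested offline.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Pattern lookup: ":10001:" also matches a line whose GID field is 10001.
home_by_pattern() {
    grep ":$1:" "$PASSWD_FILE" | cut -d: -f6
}

# Exact lookup: compare only field 3 (the UID) and stop at the first hit.
home_by_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $6; exit }' "$PASSWD_FILE"
}

# Print the open_basedir setting for a UID, or fail closed.
open_basedir_arg() {
    home=$(home_by_uid "$1")
    case $home in
        /?*) ;;   # accept only an absolute path other than "/"
        *) echo "no usable home for uid $1" >&2; return 1 ;;
    esac
    printf 'open_basedir=%s/httpdocs/\n' "${home%/}"
}

# Constructed sample: two vhost users; siteb's GID equals sitea's UID.
make_sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
siteb:x:10002:10001::/var/www/vhosts/b.example:/bin/false
sitea:x:10001:10001::/var/www/vhosts/a.example:/bin/false
EOF
}

# Demo on the constructed data: run the script with "demo" as first argument.
if [ "${1:-}" = "demo" ]; then
    PASSWD_FILE=$(mktemp) && make_sample_passwd > "$PASSWD_FILE"
    echo "pattern lookup for uid 10001:"; home_by_pattern 10001
    echo "exact lookup for uid 10001:";   home_by_uid 10001
    open_basedir_arg 10001
    rm -f "$PASSWD_FILE"
fi
```

On the sample data the pattern lookup returns two home directories, the first belonging to the other site, while the exact lookup returns only the caller's own.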
 