[PHP] security issues on shared servers
I run a PHP-based Web site hosted on a shared UNIX server provided by a pretty standard Web hosting company -- as I imagine do many people. There are a lot of users on this server, and I know nothing about them. Apache (and thus PHP) generally runs as www or nobody, so although each user on this shared server has a separate account, all PHP scripts run as the same user. As such, I have a few security concerns:

1. I restrict access to certain portions of my site, either with .htaccess/.htpasswd files or with a PHP equivalent. This works fine for anyone using a Web browser, but it leaves a security hole: One can write a PHP script that circumvents the Apache access restrictions, either by calling a UNIX shell command (using passthru(), backticks, etc., only some of which are blocked on my server), or, more disturbingly, by using the include command. Using either of these methods in a publicly available page can circumvent htaccess- or PHP-based authorization and output the contents of a supposedly restricted file, _including_ a file in another user's Web site.

2. I am working on a PHP script that allows users to upload images, view them, and ultimately send them over email. All the problems listed in (1) apply, but in addition, these images' owner is www or nobody, the user PHP runs as. As such, not only could other users on the same shared server view these uploaded files, they could modify or delete them through a PHP script, and it doesn't matter what I set the access privileges to with chmod(), since they can call chmod() on the files themselves. Now, I can run a checksum at upload time and verify it later on to ensure that uploaded files haven't been changed. But that might still leave a few seconds (between upload and checksum) during which a file could be altered, and doesn't protect against deletions.

Both (1) and (2) are disturbing to me, since if I'm protecting a portion of my site I don't want several hundred random people (whose only qualification is that they purchased Web space at the same company I did) to have access to it. Is there any way, short of a dedicated server or a wholesale switch to another server-side language, to avoid these problems? Thanks.

--Dave
--------
--
David Feldman
User Interface Designer

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security issues on shared servers
Thanks. Looks like a properly configured safe mode could eliminate a lot of problems. A few follow-up questions:

1. I see in the PHP doc comments a patch for Apache (http://luxik.cdi.cz/~devik/apache/) that runs different virtual hosts as different users. Anyone know anything about it, in terms of safety, effectiveness, stability, speed?

2. With safe mode enabled and all shell-access functions disabled through disabled_functions, it looks like most to all of problem (1) in my original email would be eliminated. But how do you specify the backtick operator in disabled_functions?

--Dave

On Tuesday, February 18, 2003, at 09:27 PM, Jason Sheets wrote:

If your hosting provider has enabled safe mode then others can not include scripts that have a different uid than the owner of the current script, that prevents them from including your code.

As far as the files go you could checksum them or if you are honestly concerned about them being changed store them in your database where only you have write access, the problem with that is that for your application to connect to your database it must know the db password, if the other users have shell access they can read your application's source code and connect to your db as your application.

Bottom line, safe mode makes PHP a lot safer in multi user environments but you are always going to be exposed when you go with a multi user environment. Any programming language/application encounters these problems when introduced into a large multi user environment, switching programming languages would not alleviate these security issues.

On Tue, 2003-02-18 at 15:49, David Feldman wrote:

I run a PHP-based Web site hosted on a shared UNIX server provided by a pretty standard Web hosting company -- as I imagine do many people. There are a lot of users on this server, and I know nothing about them.
Apache (and thus PHP) generally runs as www or nobody, so although each user on this shared server has a separate account, all PHP scripts run as the same user. As such, I have a few security concerns:

1. I restrict access to certain portions of my site, either with .htaccess/.htpasswd files or with a PHP equivalent. This works fine for anyone using a Web browser, but it leaves a security hole: One can write a PHP script that circumvents the Apache access restrictions, either by calling a UNIX shell command (using passthru(), backticks, etc., only some of which are blocked on my server), or, more disturbingly, by using the include command. Using either of these methods in a publicly available page can circumvent htaccess- or PHP-based authorization and output the contents of a supposedly restricted file, _including_ a file in another user's Web site.

2. I am working on a PHP script that allows users to upload images, view them, and ultimately send them over email. All the problems listed in (1) apply, but in addition, these images' owner is www or nobody, the user PHP runs as. As such, not only could other users on the same shared server view these uploaded files, they could modify or delete them through a PHP script, and it doesn't matter what I set the access privileges to with chmod(), since they can call chmod() on the files themselves. Now, I can run a checksum at upload time and verify it later on to ensure that uploaded files haven't been changed. But that might still leave a few seconds (between upload and checksum) during which a file could be altered, and doesn't protect against deletions.

Both (1) and (2) are disturbing to me, since if I'm protecting a portion of my site I don't want several hundred random people (whose only qualification is that they purchased Web space at the same company I did) to have access to it. Is there any way, short of a dedicated server or a wholesale switch to another server-side language, to avoid these problems? Thanks.
--Dave
----------
--
David Feldman
User Interface Designer
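The checksum approach discussed in this thread, as an added PHP example that is not from any poster: it records a keyed HMAC per upload and later reports modified, deleted and unrecorded files. It assumes the key and manifest are kept somewhere other accounts cannot reach (the hard part on a host where every script runs as the same user); all function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: $key and $manifest are
// stored where other accounts on the host cannot read or write them.

/** HMAC the upload's temp file, then move it into the shared upload directory. */
function record_upload(array &$manifest, string $key, string $tmpPath, string $destPath): bool
{
    $mac = hash_hmac_file('sha256', $tmpPath, $key);
    // A real upload handler would call move_uploaded_file() here instead of rename().
    if ($mac === false || !rename($tmpPath, $destPath)) {
        return false;
    }
    $manifest[basename($destPath)] = $mac;
    return true;
}

/** Compare the directory against the manifest: ok, modified, missing, unexpected. */
function verify_uploads(array $manifest, string $key, string $dir): array
{
    $report = [];
    foreach ($manifest as $name => $expected) {
        $path = "$dir/$name";
        if (!is_file($path)) {
            $report[$name] = 'missing';
            continue;
        }
        $actual = hash_hmac_file('sha256', $path, $key);
        $same = is_string($actual) && hash_equals($expected, $actual);
        $report[$name] = $same ? 'ok' : 'modified';
    }
    // Files that were never recorded did not come through the upload script.
    foreach (array_diff(scandir($dir), ['.', '..'], array_keys($manifest)) as $extra) {
        $report[$extra] = 'unexpected';
    }
    return $report;
}

// Constructed demo: three uploads, then one altered, one deleted, one unrecorded.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$key = random_bytes(32);
$manifest = [];
foreach (['a.png' => 'image A', 'b.png' => 'image B', 'c.png' => 'image C'] as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    record_upload($manifest, $key, $tmp, "$dir/$name");
}
file_put_contents("$dir/b.png", 'altered by another account');
unlink("$dir/c.png");
file_put_contents("$dir/d.php", 'unrecorded file');
print_r(verify_uploads($manifest, $key, $dir));
```

Hashing the temp file before the move narrows the window between upload and checksum but does not close it, since the temp directory is writable by the same user.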
Re: [PHP] online tutorial
I originally learned PHP from the section in O'Reilly's book, Webmaster in a Nutshell. I did have extensive prior programming experience though. Since then, the PHP online manual has been more than sufficient.

--Dave

On Wednesday, February 19, 2003, at 07:10 AM, Awlad Hussain wrote:

http://www.devshed.com
http://www.phpfreaks.com
Search Google -> "PHP Tutorials"

- Original Message -
From: "DIKSHA NEEL" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 19, 2003 11:50 AM
Subject: [PHP] online tutorial

dear all, i am a final year engineering student and have started studying PHP since last 10 days. can anybody suggest some good online tutorial for mastering PHP?

regards, diksha.
Re: [PHP] security issues on shared servers
OK, my question #2 below is answered by the docs: Safe mode disabled the backtick operator. But having turned on safe mode on my local test server, I have another question: Suddenly my include statements that use relative paths don't work. For example: include "/absolute/path/to/include/file.php"; works fine, but include "include/file.php" doesn't. I don't see anything in the docs about this...what's going on?

Thanks again,

--Dave

On Wednesday, February 19, 2003, at 08:03 AM, David Feldman wrote:

Thanks. Looks like a properly configured safe mode could eliminate a lot of problems. A few follow-up questions:

1. I see in the PHP doc comments a patch for Apache (http://luxik.cdi.cz/~devik/apache/) that runs different virtual hosts as different users. Anyone know anything about it, in terms of safety, effectiveness, stability, speed?

2. With safe mode enabled and all shell-access functions disabled through disabled_functions, it looks like most to all of problem (1) in my original email would be eliminated. But how do you specify the backtick operator in disabled_functions?

--Dave

On Tuesday, February 18, 2003, at 09:27 PM, Jason Sheets wrote:

If your hosting provider has enabled safe mode then others can not include scripts that have a different uid than the owner of the current script, that prevents them from including your code.

As far as the files go you could checksum them or if you are honestly concerned about them being changed store them in your database where only you have write access, the problem with that is that for your application to connect to your database it must know the db password, if the other users have shell access they can read your application's source code and connect to your db as your application.

Bottom line, safe mode makes PHP a lot safer in multi user environments but you are always going to be exposed when you go with a multi user environment.
Any programming language/application encounters these problems when introduced into a large multi user environment, switching programming languages would not alleviate these security issues.

On Tue, 2003-02-18 at 15:49, David Feldman wrote:

I run a PHP-based Web site hosted on a shared UNIX server provided by a pretty standard Web hosting company -- as I imagine do many people. There are a lot of users on this server, and I know nothing about them. Apache (and thus PHP) generally runs as www or nobody, so although each user on this shared server has a separate account, all PHP scripts run as the same user. As such, I have a few security concerns:

1. I restrict access to certain portions of my site, either with .htaccess/.htpasswd files or with a PHP equivalent. This works fine for anyone using a Web browser, but it leaves a security hole: One can write a PHP script that circumvents the Apache access restrictions, either by calling a UNIX shell command (using passthru(), backticks, etc., only some of which are blocked on my server), or, more disturbingly, by using the include command. Using either of these methods in a publicly available page can circumvent htaccess- or PHP-based authorization and output the contents of a supposedly restricted file, _including_ a file in another user's Web site.

2. I am working on a PHP script that allows users to upload images, view them, and ultimately send them over email. All the problems listed in (1) apply, but in addition, these images' owner is www or nobody, the user PHP runs as. As such, not only could other users on the same shared server view these uploaded files, they could modify or delete them through a PHP script, and it doesn't matter what I set the access privileges to with chmod(), since they can call chmod() on the files themselves. Now, I can run a checksum at upload time and verify it later on to ensure that uploaded files haven't been changed.
But that might still leave a few seconds (between upload and checksum) during which a file could be altered, and doesn't protect against deletions.

Both (1) and (2) are disturbing to me, since if I'm protecting a portion of my site I don't want several hundred random people (whose only qualification is that they purchased Web space at the same company I did) to have access to it. Is there any way, short of a dedicated server or a wholesale switch to another server-side language, to avoid these problems? Thanks.

--Dave
---------
--
David Feldman
User Interface Designer
[PHP] safe mode not working
I've enabled safe mode on my local test server, but it doesn't seem to be working. If I run a script owned by one user (me), and within it include (using include()) another script or file owned by another user, the include is successful, whereas it shouldn't be in safe mode. I can verify through phpinfo() that safe_mode is on. And the problem occurs whether safe_mode_include_dir remains unset or set to an empty directory. Any ideas?

Thanks,

--Dave
[PHP] sending uploaded images as mail attachments
I'm working on a script that allows the user to upload several images, then base64 encodes them and attaches them to an email to me. I'm having trouble getting the images readable on the other end. I've managed to get all the MIME types and message parts straight enough to be recognized as separate parts and as files of the proper types (though mostly by trial and error, and it's not quite working 100% yet), but the images aren't readable. Can anyone help? Is there an example somewhere? I'm guessing I'm just not formatting the email or inserting the encoded images quite right. Thanks.

--Dave
[PHP] Re: sending uploaded images as mail attachments
Thanks. I'll take a look at it. It seems, though, as if the basic PHP installation with the mail() function and base64 encoding support ought to be able to do this without the need for such an extensive API. As I said, I've got the mail to the point where all the different parts are recognized as such, but the images themselves are corrupted. I took a look at the actual base64 code generated by my script and compared it to the same image, base64-encoded by my regular email program, and the two are markedly different. Any thoughts?

--Dave

On Wednesday, February 19, 2003, at 12:29 PM, Philip Hallstrom wrote:

http://www.phpguru.org/mime.mail.html makes it pretty easy.

On Wed, 19 Feb 2003, David Feldman wrote:

I'm working on a script that allows the user to upload several images, then base64 encodes them and attaches them to an email to me. I'm having trouble getting the images readable on the other end. I've managed to get all the MIME types and message parts straight enough to be recognized as separate parts and as files of the proper types (though mostly by trial and error, and it's not quite working 100% yet), but the images aren't readable. Can anyone help? Is there an example somewhere? I'm guessing I'm just not formatting the email or inserting the encoded images quite right. Thanks.

--Dave
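An added example, not from the thread, of building such a message with only base64_encode(), chunk_split() and mail(): the attachment bytes are encoded once, wrapped at 76 characters, and checked by decoding them back. The function names and the sample attachment are constructed for illustration.

```php
<?php
// Added example, not code from the thread; function and field names are hypothetical.

const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

/** Build headers and body for a multipart/mixed mail with image attachments. */
function build_mail(string $text, array $attachments): array
{
    $eol = "\r\n";
    $boundary = '=_' . bin2hex(random_bytes(16));
    $headers = 'MIME-Version: 1.0' . $eol
        . 'Content-Type: multipart/mixed; boundary="' . $boundary . '"';

    $body = '--' . $boundary . $eol
        . 'Content-Type: text/plain; charset=UTF-8' . $eol
        . 'Content-Transfer-Encoding: 8bit' . $eol . $eol
        . $text . $eol;

    foreach ($attachments as $a) {
        // Type and name come from the uploader: allowlist the type and reduce the
        // name to safe characters so neither can add header lines of its own.
        $type = in_array($a['type'], ALLOWED_TYPES, true) ? $a['type'] : 'application/octet-stream';
        $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($a['name']));
        $body .= '--' . $boundary . $eol
            . 'Content-Type: ' . $type . '; name="' . $name . '"' . $eol
            . 'Content-Transfer-Encoding: base64' . $eol
            . 'Content-Disposition: attachment; filename="' . $name . '"' . $eol . $eol
            // Encode the raw bytes once and wrap at 76 characters per line (RFC 2045).
            . chunk_split(base64_encode($a['bytes']), 76, $eol);
    }
    return [$headers, $body . '--' . $boundary . '--' . $eol];
}

/** Round-trip check: pull the first base64 part back out and decode it. */
function decode_first_attachment(string $body): string
{
    if (!preg_match('/Content-Transfer-Encoding: base64\r\n.*?\r\n\r\n(.*?)\r\n--/s', $body, $m)) {
        return '';
    }
    return (string) base64_decode(str_replace("\r\n", '', $m[1]), true);
}

// Constructed sample: PNG signature plus random bytes, with a file name that
// contains a line break to exercise the name filter.
$bytes = "\x89PNG\r\n\x1a\n" . random_bytes(200);
[$headers, $body] = build_mail('Images attached.', [
    ['name' => "photo\r\nX-Test: 1.png", 'type' => 'image/png', 'bytes' => $bytes],
]);
var_dump(decode_first_attachment($body) === $bytes);
// In an upload handler: $bytes = file_get_contents($_FILES['image']['tmp_name']);
// then mail($to, $subject, $body, $headers);
```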
[PHP] safe mode on Mac OS X?
More safe mode questions: I'm using the standard binary distribution of PHP on Mac OS X -- the one managed by Marc Liyanage, not the one that ships with OS X -- and can't seem to get safe mode working. I can turn it on and it doesn't generate any errors, but it doesn't restrict access to files as it should either. If I do a phpinfo(), I can see that the safe_mode variable is set to On, but I don't see anything in the compiler directives at the top about it, whereas there is an --enable-safe-mode item in the compiler directives on my Web hosting company's PHP installation (though safe_mode is set to Off there). Does anyone know if safe_mode works in this binary OS X install of PHP? Do I need to compile my own?

Thanks,

--Dave

--
David A. Feldman
User Interface Designer
[EMAIL PROTECTED]
http://InterfaceThis.com
[PHP] accessing protected remote files
I have a script that needs to open a remote file on another Web server, which may or may not be protected (for example, by an htaccess file). What would be the best way to check if it's protected, and if so, prompt the user for username and password to open it? Thanks.

--Dave
Re: [PHP] accessing protected remote files
That's what I thought too, but it's not happening...fopen() is simply returning an error.

--Dave

On Monday, March 31, 2003, at 09:35 AM, [EMAIL PROTECTED] wrote:

Assuming you are retrieving this file via http/https then it's really the remote server that will enforce the access control in whatever manner it uses. I.e., if your script tries to open a file whose access is controlled by a .htaccess file (and http-basic authentication) the user will simply get the authentication prompt when they access your page/php script.

-- Original Message ------
From: David Feldman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Monday, March 31, 2003 09:13:00 AM -0500
Subject: [PHP] accessing protected remote files

I have a script that needs to open a remote file on another Web server, which may or may not be protected (for example, by an htaccess file). What would be the best way to check if it's protected, and if so, prompt the user for username and password to open it? Thanks.

--Dave

-- End Original Message --
Re: [PHP] accessing protected remote files
How would that work?

--Dave

On Monday, March 31, 2003, at 09:27 AM, Marek Kilimajer wrote:

You need to use socket functions and check the response headers

David Feldman wrote:

I have a script that needs to open a remote file on another Web server, which may or may not be protected (for example, by an htaccess file). What would be the best way to check if it's protected, and if so, prompt the user for username and password to open it? Thanks.

--Dave
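One way the socket approach suggested above can work, as an added example that is not from the thread: send a HEAD request with fsockopen() and read the status code and WWW-Authenticate header. Function names and the sample response are constructed; the probe assumes plain HTTP on port 80.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

/** Extract status code and authentication challenge from raw response headers. */
function parse_auth_challenge(string $rawHeaders): array
{
    $lines = preg_split('/\r?\n/', trim($rawHeaders));
    $status = 0;
    if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $lines[0] ?? '', $m)) {
        $status = (int) $m[1];
    }
    $scheme = null;
    $realm = null;
    foreach (array_slice($lines, 1) as $line) {
        if (stripos($line, 'WWW-Authenticate:') === 0) {
            $value = trim(substr($line, strlen('WWW-Authenticate:')));
            $scheme = strtok($value, ' ');
            if (preg_match('/realm="([^"]*)"/i', $value, $r)) {
                $realm = $r[1];
            }
            break;
        }
    }
    return ['status' => $status, 'protected' => $status === 401,
            'scheme' => $scheme, 'realm' => $realm];
}

/** Ask the remote server for headers only and report whether it wants credentials. */
function probe(string $host, string $path, int $port = 80): array
{
    // Refuse whitespace or line breaks so the caller's input cannot alter the request.
    if (preg_match('/\s/', $host . $path)) {
        throw new InvalidArgumentException('host and path must not contain whitespace');
    }
    $fp = fsockopen($host, $port, $errno, $errstr, 5);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    fwrite($fp, "HEAD $path HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
    $raw = '';
    while (strpos($raw, "\r\n\r\n") === false) {
        $line = fgets($fp, 4096);
        if ($line === false) {
            break; // connection closed before the header block ended
        }
        $raw .= $line;
    }
    fclose($fp);
    return parse_auth_challenge($raw);
}

// Constructed sample response, parsed offline.
$sample = "HTTP/1.1 401 Authorization Required\r\n"
    . "Server: Apache\r\n"
    . "WWW-Authenticate: Basic realm=\"Members Only\"\r\n\r\n";
var_dump(parse_auth_challenge($sample));
```

A 401 result tells the script to ask the user for credentials and retry with an Authorization header; credentials relayed this way should only travel over TLS.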
[PHP] XSLT not doing anything
I'm trying to get the XSLT extension working, and all I can get it to do is echo the source XML back to me. I'm using sample markup from O'Reilly's XSLT book as my XML and XSL files, as follows:

hello.xml:

Hello, world!

hello.xsl:

http://www.w3.org/1999/XSL/Transform"; version="1.0">

My PHP code is in index.php:

<?php
$proc = xslt_create();
$result = xslt_process($proc, "hello.xsl", "hello.xml");
xslt_free($proc);
echo $result;
?>

All three files are in the same directory. I'm running on Mac OS X using Marc Liyanage's precompiled PHP binary, which includes the XSLT extension. It seems to be running, since if I intentionally introduce a typo I get Sablotron errors written to the browser window. But otherwise the output is simply the original hello.xml's markup, with a character encoding added. I'm new to XSLT so I may be overlooking something simple. What am I doing wrong?

Thanks,

--Dave