    #1
  1. hiding my <b> from ur <strong>
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2004
    Posts
    959
    Rep Power
    181

    PHP Security and folder permissions


    So this could arguably go in the security section as well, but since it's PHP specific, I think there'd be more people here that would have experience w/ my question.

    It appears that a file is being placed now and then in some of my folders that is allowing hackers access to my system. This file is usually named "links.php" and basically installs a page detailing my system and allowing hackers to upload files onto it.

    My basic question is how the "links.php" file gets on my system in the first place. It always seems to be placed in a folder I've made 777 so that administrators can upload items into them, such as images or pdf files, via PHP scripts. This access is locked down by cookie, and there doesn't seem to be any particular holes anywhere that I've missed, which would allow access without the cookie.

    So my next thought is that someone has figured out what the cookie needs to be. Thing is, the PHP upload scripts typically automatically prepend the file types and file names that end up in the folder. For instance, when someone uploads a PDF file, it may take the current date and add .pdf on the end. So, through the system, the only filename that could be made would be something like "20100312.pdf". Not "links.php".

    Any thoughts of what security holes I could be missing? Any ideas for better protecting my folders generally? I've always seen that upload folders should be 777, but is that the case?

    Thanks much.
    ****
    Enjoy my post? Drop some props by hitting the scales button up top. JBL

    Website Design in Los Angeles and Washington, DC by PoweredPages.com
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,056
    Rep Power
    9398
    Look at the date on the file and compare that with what's in the server's access logs...
  4. #3
  5. hiding my <b> from ur <strong>
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2004
    Posts
    959
    Rep Power
    181
    Thanks Req,

    I'm not much of a server tech / Unix scripter but I can do this much I believe. I've deleted the files in question, but if / when another comes up, I'll note the exact date / time, then look for lines around that time in access.log, unless you mean something else. Thanks!
  6. #4
  7. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,056
    Rep Power
    9398
    That's right. The access log will show you the URLs that were requested. From there you can find out which scripts are being exploited (which is my first guess).
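
Added example, not part of any post in this thread: one way to do the comparison suggested above, listing the requests logged within a couple of minutes of the dropped file's timestamp. The log lines, the paths in them and the function name `requestsNear` are constructed for illustration, and the Apache combined log format is assumed.

```php
<?php
// Constructed sample lines in Apache combined log format (not from the thread).
$log = <<<'LOG'
203.0.113.7 - - [12/Mar/2010:14:01:55 -0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:14:02:03 -0800] "POST /admin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:14:02:09 -0800] "GET /uploads/links.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2010:16:30:00 -0800] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Return the log entries whose timestamp lies within $window seconds of $fileTime.
function requestsNear(string $log, int $fileTime, int $window = 120): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // host ident user [time] "METHOD path protocol" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue; // skip lines that are not in the expected format
        }
        $t = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($t === false || abs($t->getTimestamp() - $fileTime) > $window) {
            continue;
        }
        $hits[] = ['time' => $m[2], 'ip' => $m[1], 'method' => $m[3],
                   'path' => $m[4], 'status' => (int) $m[5]];
    }
    return $hits;
}

// On the server this would be filemtime() of the dropped file; here a
// constructed timestamp stands in for it so the example runs anywhere.
$fileTime = DateTime::createFromFormat('d/M/Y:H:i:s O', '12/Mar/2010:14:02:03 -0800')->getTimestamp();

foreach (requestsNear($log, $fileTime) as $r) {
    // POST requests are the ones that can carry an upload, so mark them.
    $mark = $r['method'] === 'POST' ? '  <-- request body sent' : '';
    printf("%s  %-15s %-4s %s %d%s\n", $r['time'], $r['ip'], $r['method'], $r['path'], $r['status'], $mark);
}
```

A file's modification time can be set by whoever wrote it, so it is worth repeating the search with `filectime()` as well.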
  8. #5
  9. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6351
    It always seems to be placed in a folder I've made 777 so that administrators can upload items into them, such as images or pdf files, via PHP scripts
    1) Admins don't need 777.

    2) Don't keep images or PDF files in your web root and/or don't let files execute from the directories storing images or PDFs

    This access is locked down by cookie, and there doesn't seem to be any particular holes anywhere that I've missed, which would allow access without the cookie.
    If the cookie is all you're using, you're doing it wrong. The cookie should be a hash of the username, user-agent, and IP. That way, even if an attacker gets a hold of an admin cookie, it won't work.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  10. #6
  11. hiding my <b> from ur <strong>
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2004
    Posts
    959
    Rep Power
    181
    Thanks Maniac,

    Can you help me a bit further? This is a weak point for me undoubtedly that I'd like to shore up.
    1) Admins don't need 777.
    These are web administrators; clients I give access to. Is that still the case? If so, what should the permissions be? I know the standard permissions won't work (or else the file won't upload).

    2) Don't keep images or PDF files in your web root and/or don't let files execute from the directories storing images or PDFs
    I don't keep the images or PDFs in the web root. But please explain, how do I make sure that files can't execute from directories storing images/PDFs? Does that have something to do w/ the permissions above?

    The cookie should be a hash of the username, user-agent, and IP.
    Can you explain more about how I can go about doing this, or lead me to a resource? I can, of course, create a string value for the cookie which is a combination of those things, but that still is just a string, which they could technically eventually figure out. So I'm guessing that's not what you mean. I could also restrict to a certain IP, but I want my clients to be able to administer the site even if they're out of the office.

    Thanks so much.
  12. #7
  13. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,056
    Rep Power
    9398
    Hey hey, I'm still here

    0777 is a workaround to a problem, to which there are better solutions. If PHP is uploading to a directory and you changed it to 0777 so that it actually could, try this instead:
    1. Delete that directory. Don't forget to back up all the files someplace temporarily.
    2. 0777 the parent directory. If PHP uploads to /a/b/c then chmod 0777 /a/b.
    3. Have PHP create the upload directory. Leave the permissions as-is, or lock it down even further if you want (to 0700).
    4. Restore the permissions of the parent directory. Probably 0755.
    5. ???
    6. Profit. Don't forget to move the files back to the new directory.
    (If you have root access then the process is shorter and simpler.)

    Your clients shouldn't need access to the file system itself. If they do, give them a dedicated FTP directory with a dedicated FTP user.

    ---

    Files can onlyish execute if the web server executes them. And it will onlyish do that when the files are publicly accessible.
    Store your files outside the web root. That is, if your site is based out of /a/b/c then the files should not be anywhere in /a/b/c/*. Then make a script (you may use URL rewriting) that downloads or displays or whatevers the files. Even with HTTP caching such scripts are short.

    ---

    The cookie needs a hash of at least one of: a username, user ID, or other piece of data that is unique and not secret. Their password is not unique and definitely secretive so it does not qualify.
    Another good idea is to include a random string that you've stored elsewhere (eg, in your database). This is something nobody should know.
    You can (arguably should, depending on circumstances) include per-machine information. An IP address is unique on a large scale but not unique on a small scale; add a browser's user-agent string and you'll be pretty close to good.


    Cookies are there to prevent other users from logging in as somebody else. Nothing more. Being able to automatically log-in is a side effect.
    With that in mind, think about what data you're putting into the hash:
    - The username is there to guarantee uniqueness. Unfortunately hashes throw that away, but at least you know you're not starting with the same input each time.
    - The IP address is to limit the cookie's effectiveness to a small portion of the Internet. Someone down the block from me will probably not have the same IP address as I do; someone in another county, state, or country definitely will not. While IP addresses can be forged, it's of limited use: all they can do is send data - not receive it. (That is a reason for CSRF tokens.)
    - The user-agent helps to make the "small portion" even smaller. UA's typically have operating system information, some installed program information, locale, version strings... While certainly not unique, it's quite unlikely that the guy on the other side of the wall from me doesn't have same machine and browser configuration.

    When someone logs in using the cookie, you calculate what the cookie should be. If it matches, awesome. If not then they need to (re)authenticate.

    ---

    You can't prevent a well-planned attack on a user. But you can make it difficult enough to deter most people from attacking a large user base. That's your goal.
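
Added example, not part of the post above: a short download script of the kind described, serving uploads that live outside the web root. The storage path `/a/b/files`, the query parameter `f`, the allowed types and the function name `resolveDownload` are assumptions made for illustration.

```php
<?php
// Assumed layout: the site is served from /a/b/c, uploads are stored in /a/b/files.
const STORAGE_DIR = '/a/b/files';
const ALLOWED = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

// Map a requested name to a file inside the storage directory, or null.
function resolveDownload(string $requested, string $dir = STORAGE_DIR): ?array
{
    $name = basename($requested); // drop any directory components
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;              // unexpected characters in the name
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;              // only the listed types are ever served
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name); // false when the file does not exist
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() resolves symlinks, so this also rejects links pointing elsewhere.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return ['path' => $path, 'type' => ALLOWED[$ext], 'name' => $name];
}

$file = resolveDownload($_GET['f'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit;
}
// readfile() streams the bytes as data; nothing in the storage directory is
// ever handed to the PHP interpreter or requested directly by URL.
header('Content-Type: ' . $file['type']);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($file['path']));
header('Content-Disposition: inline; filename="' . $file['name'] . '"');
readfile($file['path']);
```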
  14. #8
  15. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6351
    Everything requinix said is right on the money, he's a smart guy.

    As for my comments, they're similar to what requinix was saying. You don't need 777 on a directory for PHP (or any specific user) to write files to that directory. The most you need is 600.

    Eliminating the ability to load/execute files from a folder might be something you can do with apache, I was kind of hoping requinix would be like "oh yeah, that's easy," he knows more about apache configs than I do.

    As for the cookie, what you want to do is make your cookie value an md5 of the user's name, ip, and user-agent with a pre-determined salt, one or more of those items also run through sha1 or str_rev or something to make it more confusing. Take the cookie from the user's headers, then perform the same hashing algorithm on the other data (username, IP, agent) and see if it matches the cookie. If it doesn't, kill the session, blow away their cookies, and kick them to a login page.

    -Dan
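
Added example, not part of any post in this thread: the cookie check described in the two posts above, built from the username, a per-user random string stored server-side, the IP address and the user-agent. It uses HMAC-SHA256 with a server-side key in place of the salted md5 mentioned above; the key, the user record, the cookie layout and all function names are assumptions made for illustration.

```php
<?php
// Assumption: the key is loaded from configuration kept outside the web root.
const SERVER_KEY = 'constructed-demo-key-change-me';

// Stand-in for the users table. 'rand' is the per-user random string, created
// at login with bin2hex(random_bytes(16)) and stored only on the server.
$users = ['alice' => ['rand' => 'c0ffee00c0ffee00c0ffee00c0ffee00']];

function cookieToken(string $user, string $rand, string $ip, string $ua): string
{
    // json_encode keeps the field boundaries unambiguous before hashing.
    return hash_hmac('sha256', json_encode([$user, $rand, $ip, $ua]), SERVER_KEY);
}

// Cookie layout assumed here: "<hex token>|<username>".
function issueCookie(string $user, array $users, string $ip, string $ua): string
{
    return cookieToken($user, $users[$user]['rand'], $ip, $ua) . '|' . $user;
}

// Recompute what the cookie should be for this request and compare.
function cookieIsValid(string $cookie, array $users, string $ip, string $ua): bool
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2 || !isset($users[$parts[1]])) {
        return false;
    }
    $expected = cookieToken($parts[1], $users[$parts[1]]['rand'], $ip, $ua);
    return hash_equals($expected, $parts[0]); // constant-time comparison
}

// Constructed client values; in a request these come from
// $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT'].
$ua = 'Mozilla/5.0 (constructed sample)';
$cookie = issueCookie('alice', $users, '203.0.113.9', $ua);

var_dump(cookieIsValid($cookie, $users, '203.0.113.9', $ua));  // same client
var_dump(cookieIsValid($cookie, $users, '198.51.100.4', $ua)); // cookie presented from another IP

// Replacing the stored random string (logout, password change) invalidates
// every cookie issued before it.
$users['alice']['rand'] = bin2hex(random_bytes(16));
var_dump(cookieIsValid($cookie, $users, '203.0.113.9', $ua));

// When sending the cookie (PHP 7.3+):
// setcookie('auth', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
```

A failed check means the visitor has to log in again, as both posts describe.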
  16. #9
  17. Permanently Banned
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2010
    Posts
    92
    Rep Power
    0
    Originally Posted by ManiacDan
    Everything requinix said is right on the money, he's a smart guy.
    Requinix is a guy???

    @daprezjer - the fact is that there are many web hosts out there whose servers are so badly set up that PHP does need 777 permissions to do the things you are doing.

    Best advice is to find a new web host, pronto.
  18. #10
  19. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,056
    Rep Power
    9398
    Originally Posted by Backslider
    Requinix is a guy???
  20. #11
  21. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    2
    Rep Power
    0

    PHP open source platform for web development


    Yes, I totally agree that PHP is the best web development open source language that has made a storm; it's very secure and can get well with Java also
  22. #12
  23. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    3
    Rep Power
    0
    thanks...
  24. #13
  25. Permanently Banned
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2010
    Posts
    92
    Rep Power
    0
    Originally Posted by requinix
    Well who would have guessed with the effeminate avatars and that fact that you regard Northie as your "territory"?

    And to give a warning for this or the previous post is just an abuse of moderator privileges... you guys all need to take a rest, learn a sense of humour, and stop abusing forum members.....

    Comments on this post

    • ManiacDan disagrees : Requinix isn't the only mod who doesn't like you. Welcome to the end of my vacation.
  26. #14
  27. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,056
    Rep Power
    9398
    Not that I feel a need to explain myself to you, but I edited that post so other mods would know that I had dealt with the reported issue.

    I'm this close to temp banning you. You have been a jackass to the people around you and I think it's about time you took a rest. I've tried to be nice, tried to explain things, and tried not to warn you. Now you're resorting to ad hominem attacks.

    I'm making this warning public for everybody to see: no more flames. The next one will get you a respite from DevShed.
  28. #15
  29. Permanently Banned
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2010
    Posts
    92
    Rep Power
    0
    The fact is that in the time that I have spent on these forums, three prominent moderators, including you, make a sport of giving forum members a hard time. Toward me, only because I say something about it.... toward others you guys have been far worse.

    You need to spend some time to read back through some of your own posts and those of other moderators to see that your own behaviour toward people is deplorable.

    Everything to you is an "attack". How paranoid is that. The fact that you feel the need to "mark your territory" just because you don't like a response I gave to a moderator who was being both high and mighty and ridiculous just shows that it is you that needs a break from moderator duties. You don't seem to have an inkling of what your job should really entail.

    There has been nothing in any of my posts that breaks the rules of these forums. Show me ONE flame? I can quickly show a dozen by you. The only problem is your own paranoid interpretation or the fact that your horse is just way too high.

    Public is as public as you wish.