[Lincs] lug.org.uk has been compromised! (Programing exploitsinto your own systems for Dummies part #207)

saman at meninpc.co.uk saman at meninpc.co.uk
Tue Nov 23 20:53:32 GMT 2004 

One solution to such problems are running PHP scripts as the owner of the
file (which obviously wan't done on lug.org.uk). It is common practice to
use "suPHP" or "suEXEC" on production servers to do this, which also hase
more benefits that the security one.

Original Message:
-----------------
From: James Taylor jt at imen.org.uk
Date: Tue, 23 Nov 2004 20:27:26 +0000
To: lincs at mailman.lug.org.uk
Subject: Re: [Lincs] lug.org.uk has been compromised! (Programing
exploitsinto your own systems for Dummies part #207)


We welcome you to another great episode of PEIYOSFD #207 - the one where...

>
> You won't be able to prevent this kind of exploit on any other server, 
> because it has to do with secure php programming. If you host 
> different domains and web pages there will always be a security hole 
> caused by a user somewhere.
>
Sorry, I saw this discussed on another branch of this thread and thought 
I aught to demonstrate stupidity at work:

if i where to program the PHP script (to allow me to see what files i 
have on the computer):

<?
 if($go == 1){

   echo `ls $splat`;

 }?>

<hr />
<form action="thisbadscript.php">
 <input name=go value=1type=hidden>
 <select name="splat">
   <option value="\home\jt\">Home</option>
   <option value="\home\jt\DeepDown">DeepDown</option>
 </select>
 <input type="submit">
</form>

Now on the surface what that does is let me select one of the directorys 
then it provides above the rule a list of all the files in that 
directory. Unfortunatly, it also allows much worse: if I pass the url:

http://example.com/mybadscript.php?splat=\etc\

Then I get a list of \etc, becasue afterall, all programs need to be 
able to see files in etc and :. it has to be public.

It gets worse:

If I pass the url:

http://example.com/mybadscript.php?splat=\etc\;cat \etc\passwd

This is even worse - it not only lists, it actually echos the user file 
(thankfully we all use shadow passwords)

This is all due to bad programming. Basically the mistake was made in 
allowing information that is included in the executed line to be passed 
through the post - if I wanted to write this same application safley I 
would write it in nearly the same style but like this:

<?
 if($go == 1){
   $array[1] = "/home/jt";
   $array[2] = "/home/jt/DeepDown";

   $cmdstring = "ls ". $array[$splat];

   echo `$cmdstring`;

 }?>

<hr />
<form action="thisbadscript.php">
 <input name=go value=1type=hidden>
 <select name="splat">
   <option value="1">Home</option>
   <option value="2">DeepDown</option>
 </select>
 <input type="submit">
</form>

In this instance, all the information is stored in the script, and is 
un-touched by the outside post. The post value allows the selection of 
which ones I have programmed, not arbitually chosen from the outside world.

Things get worse with bad system admins - Square Internet ( the whole 
reason why we're now doing service provision ) ran a web admin system 
which allowed the addition and removal of users, as well as other stuff. 
This meant that to make it work, the idiot admins set the shadow file to 
being readable by www-data. And writeable.

So idiots applying data and scripts (especially if they are learning how 
to program) can cause secuity holes on your systems. Everyone reading 
this should never make this mistake now as youve seen it. You should 
consider at all points when reading data in from the outside whether or 
not the data is contaminated - not only does it contain relevant values, 
(ie a number or letter when you want a number or a letter not the other 
way around) but also what if the user is trying to spoof your systems or 
just break them.

In real systems you should never be taking data in one end and piping it 
straight through to a shell or to another system (for instance straight 
into an SQL statement). There are alterntives, and even if you do need 
to allow the user to input data which will appear on your ending 
statement, then you can construct a function to "clean" it first (for 
instance check for spaces or ";" and \'s.)

/me bows and exits quickly to stage left
ps is it irc night tonight? cause its scarily empty...

_______________________________________________
Lincs mailing list
Lincs at mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/lincs


--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .

More information about the Lincs mailing list