Securing PHP when any user can upload a vulnerable script


Results 1 to 4 of 4

Thread: Securing PHP when any user can upload a vulnerable script

  1. #1
    Join Date
    Jul 2003
    Location
    AK
    Posts
    429

    Securing PHP when any user can upload a vulnerable script

    I admin a server at my school that is owned and ran by the student union. Any student can go onto the server, sign up for an account with their student ID, and post webpages. For the students its a boon, for teachers who teach webdesign classes its a boon, but for me its a pain in the butt.

    The problem isn't with the students, per se. So far, I've only had a few problems, and they've been minor (people signing up for multiple accounts, posting 1 or 2 mp3s, nothing too big). However, several users have made... grave... mistakes uploading vulnerable scripts.

    One user uploaded a script that allowed any internet browser to upload any file (such as another script). Some people uploaded fake ebay pages, a text file with email addresses, and a script that parsed the email addresses and sent them links to the ebay pages - phishing at its best.

    The last one was an old version of phpBB that someone used to crack into the server and turn it into a DDOS bot (for a few hours, at least). It looked like a real scriptkiddie operation, and it was cleaned up, but now I'm left with making some decisions.

    Quite a few users enjoy being able to use PHP on the server, so I would hate to have to turn it off... Is there any way to secure the PHP so its not such a big issue? I hate to ask such a question here (such as its my job) but I'm really a newb when it comes to the details of admining a multiuser box, and am a bit out of my league here. Is there a simple way of fixing this?
    "...the TCO for the Windows Server System was about 20% less expensive than Linux."
    --Keith Morrow, CIO, 7-Eleven, Inc

    "We got to market 6 months faster, and saw 14 percent in cost savings over Linux."
    --Owen Flynn, CTO, Equifax, Inc

    Microsoft Server System, Get the facts!

  2. #2
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    Hmm... maybe it would help to turn off register_globals?

    Many of the PHP-based vulnerabilities I've seen lately can be worked around by turning register_globals off. I have it off on my own PHP installation (... which needs to be updated, actually; there aren't any PHP scripts available from outside my network, but you never can be too sure), actually.

    It's not a magic fix for all badly-written PHP scripts, though. It'll only fix some kinds of errors and will only work against some kinds of attacks.

    There's also a gpc_magic_quotes setting that you could perhaps turn on, but I'm not entirely sure what it does. I think it does something with SQL and quoting (to prevent SQL injection attacks), but I don't know that for sure. I have it off, because I don't have any SQL client enabled for PHP. It won't fix all problems either, although it will (again) catch a fairly large class of them.

    Probably the best (as in: will catch the most stuff) way to fix this would be to have a script submission process. You'd need to either read through all the scripts that get submitted, or have somebody else do it, or split the work up, or something. So maybe it isn't worth it. (Although I would do it, if I had the ability to upload scripts to my machine.)

  3. #3
    Join Date
    Apr 2003
    Location
    Buenos Aires, Argentina
    Posts
    4,219
    Securing PHP: Step by Step

    I didn't read the whole thread, but maybe that link helps you? Hope it does.
    djserz.com.ar
    "All the drugs in this world won't save you from yourself..."

  4. #4
    Join Date
    Jul 2003
    Location
    AK
    Posts
    429
    Probably the best (as in: will catch the most stuff) way to fix this would be to have a script submission process. You'd need to either read through all the scripts that get submitted, or have somebody else do it, or split the work up, or something. So maybe it isn't worth it. (Although I would do it, if I had the ability to upload scripts to my machine.)
    Ha. That was offered as a solution almost word-for-word. Its not a bad idea, really, but not effective. I'm only paid for 10 hours a week, and there is no way I could catch all scripts and vulnerabilities. Stuff written by students wouldn't be too bad, but stuff like phpbb would kill me. When it first came out, there was no reason to believe there were any vulnerabilities, and I would have passed it for sure.

    The other options were great ideas, I'll spend some time reading and thinking... thanks guys!
    "...the TCO for the Windows Server System was about 20% less expensive than Linux."
    --Keith Morrow, CIO, 7-Eleven, Inc

    "We got to market 6 months faster, and saw 14 percent in cost savings over Linux."
    --Owen Flynn, CTO, Equifax, Inc

    Microsoft Server System, Get the facts!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •