
SANS ISC: InfoSec Handlers Diary Blog



PHP - shared hosters, take note.

Published: 2006-09-15
Last Updated: 2006-09-15 16:32:04 UTC
by Swa Frantzen (Version: 4)

PHP is a popular server-side scripting language.

PHP's (security) settings are typically controlled from a php.ini file. This allows the system administrator to control settings such as safe_mode and open_basedir.

People managing shared hosting machines often control the settings on a more granular level in the Apache configuration (httpd.conf), as they can set them there per directory and allow the different hosted sites to have different settings.

This latter method of limiting scripts can be overcome from inside the scripts themselves. Details are trivially available.

So that leaves:
  • Control PHP settings from the php.ini file if possible;
  • If you are a shared hosting provider: check the CVS repository, where the needed fixes have reportedly been checked in (unconfirmed);
  • Cross your fingers and wait for the next release of PHP (the current releases are reportedly affected).

CVE-2006-4625

update:

Stefan Esser from the hardened php project wrote in with a quick workaround: add "ini_restore" to the list of disabled functions in php.ini:

disable_functions=...,ini_restore

This is much easier than trying to find the fix in the source code till the next release of PHP.

While at it: those hardening scripts available at the hardened-php site should really be applied in a hosting situation. They protect against this vulnerability already. And perhaps a close look at the beta "suhosin" would not be a bad idea either.

If you are interested in securing PHP, you might also be interested in the PHP 6 comments and the Tip of the Day on php from Johannes.

update:

Steve wrote in to suggest that, in addition to disabling ini_restore, you might want to look at disabling ini_set as well.
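A way for a hoster to check both suggestions against their own configuration files, as an added example that is not part of the original diary: it reads php.ini text for disable_functions and lists the safe_mode/open_basedir settings in httpd.conf that depend on the workaround. It assumes the per-directory settings are made with mod_php's php_admin_value/php_admin_flag directives (not named in the diary); the function names and sample file contents are constructed for illustration.

```python
import re

# Functions the diary suggests disabling: ini_restore (Stefan Esser), ini_set (Steve).
WANTED = ("ini_restore", "ini_set")
# Restrictions the diary names; assumed to be set via mod_php's php_admin_* directives.
RESTRICTIONS = ("safe_mode", "open_basedir")

def disabled_functions(php_ini_text):
    """Return the function names on the effective disable_functions line."""
    names = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip php.ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:                                        # a later line overrides an earlier one
            names = {f.strip().lower() for f in m.group(1).strip(' "').split(",") if f.strip()}
    return names

def per_directory_restrictions(httpd_conf_text):
    """Return (container, setting) pairs for restrictions set inside a config container."""
    found, stack = [], []
    for raw in httpd_conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<(Directory|VirtualHost|Location)\s+([^>]+)>", line, re.I)
        setting = re.match(r"php_(?:admin_)?(?:value|flag)\s+(\S+)", line, re.I)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}")
        elif re.match(r"</(Directory|VirtualHost|Location)>", line, re.I) and stack:
            stack.pop()
        elif setting and stack and setting.group(1) in RESTRICTIONS:
            found.append((stack[-1], setting.group(1)))
    return found

def audit(php_ini_text, httpd_conf_text):
    """Report recommended functions still enabled and the settings that rely on the workaround."""
    missing = [f for f in WANTED if f not in disabled_functions(php_ini_text)]
    exposed = per_directory_restrictions(httpd_conf_text) if "ini_restore" in missing else []
    return {"still_enabled": missing, "exposed_settings": exposed}

SAMPLE_PHP_INI = """; constructed php.ini for this example
disable_functions = exec,system   ; ini_restore not listed
"""
SAMPLE_HTTPD_CONF = """# constructed httpd.conf for this example
<Directory /home/site1/www>
  php_admin_value open_basedir /home/site1
  php_admin_flag safe_mode on
</Directory>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PHP_INI, SAMPLE_HTTPD_CONF))
```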

--
Swa Frantzen -- Section 66 