[PHP] apache security
Hello. I think nobody had send this warnig to the list. Sorry if you already nows. This text is from the apache web: SECURITY ADVISORY Versions of the Apache web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process, and starting new children uses non-trivial amounts of resources. We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory. Please note that the patch provided by ISS does not correct this vulnerability. The Apache Software Foundation has released versions 1.3.26 and 2.0.39 to address and fix this issue. These version are available for download; see below. Josep R. Raurell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] PHP/Apache security question : bugtraq, suExec etc
Hi, I follow bugtraq and recently there was a thread regarding safe_mode of php and how to "break" it. The thread was killed without a conclusion to where this is really a new threat or the same problem (scripts executed with sage uid/gid of the web server). So, I was wondering if the php-dev team has already reached a veredict. I recently saw a post about the use of suExec and I'd like to know the performance impact and is there anything php could do to make such thing easier (perhaps this is more an apache issue). Up to now all my virtual domains have used safe_mode, openbase_dir and document_root settings limiting the access to files/scripts located under the virtual directory and no access to override the settings with a .htaccess. Is this secure "enough" ? My major concern is the hability to upload a php code (using ftp), some c files of a local exploit, compile it and execute as apache... thanks. __ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] PHP/Apache security question
if the script is running as user "scott" group "scott", then it can only alter/read/execute files that the user "scott" has access to... nothing else. of course, if you have user "scott", group "users", and have user "tom" in group "users", then any files that have the group read/write/exec permissions set could possibly be "vulnerable" to other user's scripts. > -Original Message- > From: Aaron Bennett [mailto:[EMAIL PROTECTED]] > Subject: RE: [PHP] PHP/Apache security question > > Does anyone know if SuExec plays "friendly" with PHP? From my recollection, > when using suexec, it only alters the current UID/GID for scripts executed > by httpd. Does PHP get treated the same way as would say a perl cgi script? > > I've looked a little at how phpwebhosting.com does it, and they set each > user to their own unique primary group, and are (i believe) using suexec in > their apache config setting each VirtualHost with their respective user and > group... But does that really 'secure' everyone's code from other equally > privileged users? :-? > > -- > Aaron Bennett > [EMAIL PROTECTED] > > > -Original Message- > From: ..s.c.o.t.t.. [mailto:[EMAIL PROTECTED]] > Sent: Saturday, July 07, 2001 4:33 PM > To: Php-General > Subject: RE: [PHP] PHP/Apache security question > > > of course that's possible... it's not default, but it's very possible > > i think it's an apache module called suEXEC > that will run the script with the script owner's name.group, > not apache.apache > > > -Original Message- > > From: [EMAIL PROTECTED] > > Subject: [PHP] PHP/Apache security question > > > > Is there anything anyone can do about this? of course it would be ideal if > > php would inherit uid/gid from the script file instead of the server > > ownership but I think there is no way to accomplish this, so this is why > > I am clueless. > > > > Oh, one more thingie: I have this CGI script here: > > > > #!/usr/bin/php > > . > > etc etc > > > > > > I try to access it and the "security warning!" page appears. The > > documentation sais that it's ok to use such CGI scripts, and warns the > > user about the security threat of using the php binary as a CGI. Obviously > > I am not using the php binary as a CGI, rather I am creating a CGI script > > that's interpreted using the php binary, so what seems to be the problem > > here? > > > > Thx a lot, > > georgeb > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > To contact the list administrators, e-mail: [EMAIL PROTECTED] > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] PHP/Apache security question
Does anyone know if SuExec plays "friendly" with PHP? From my recollection, when using suexec, it only alters the current UID/GID for scripts executed by httpd. Does PHP get treated the same way as would say a perl cgi script? I've looked a little at how phpwebhosting.com does it, and they set each user to their own unique primary group, and are (i believe) using suexec in their apache config setting each VirtualHost with their respective user and group... But does that really 'secure' everyone's code from other equally privileged users? :-? -- Aaron Bennett [EMAIL PROTECTED] -Original Message- From: ..s.c.o.t.t.. [mailto:[EMAIL PROTECTED]] Sent: Saturday, July 07, 2001 4:33 PM To: Php-General Subject: RE: [PHP] PHP/Apache security question of course that's possible... it's not default, but it's very possible i think it's an apache module called suEXEC that will run the script with the script owner's name.group, not apache.apache > -Original Message----- > From: [EMAIL PROTECTED] > Subject: [PHP] PHP/Apache security question > > Is there anything anyone can do about this? of course it would be ideal if > php would inherit uid/gid from the script file instead of the server > ownership but I think there is no way to accomplish this, so this is why > I am clueless. > > Oh, one more thingie: I have this CGI script here: > > #!/usr/bin/php > . > etc etc > > > I try to access it and the "security warning!" page appears. The > documentation sais that it's ok to use such CGI scripts, and warns the > user about the security threat of using the php binary as a CGI. Obviously > I am not using the php binary as a CGI, rather I am creating a CGI script > that's interpreted using the php binary, so what seems to be the problem > here? > > Thx a lot, > georgeb > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] PHP/Apache security question
of course that's possible... it's not default, but it's very possible i think it's an apache module called suEXEC that will run the script with the script owner's name.group, not apache.apache > -Original Message- > From: [EMAIL PROTECTED] > Subject: [PHP] PHP/Apache security question > > Is there anything anyone can do about this? of course it would be ideal if > php would inherit uid/gid from the script file instead of the server > ownership but I think there is no way to accomplish this, so this is why > I am clueless. > > Oh, one more thingie: I have this CGI script here: > > #!/usr/bin/php > . > etc etc > > > I try to access it and the "security warning!" page appears. The > documentation sais that it's ok to use such CGI scripts, and warns the > user about the security threat of using the php binary as a CGI. Obviously > I am not using the php binary as a CGI, rather I am creating a CGI script > that's interpreted using the php binary, so what seems to be the problem > here? > > Thx a lot, > georgeb > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] PHP/Apache security question
Hello list, I have a security problem to solve with my apache setup and I am clueless at this moment... My web server holds multiple domains and uses name-based virtual servers to direct requests to different portions of the html tree for different domain names (we presume only one IP is available). There are just a few people storing content on the webserver to be served to the public and everyone has access to php scripts. The server runs as apache.apache and therefore all the files and dirs in the html tree are owned by group apache so that the server can see them yet people cannot see anything but their own files. It has recently crossed my mind that anyone can write a very simple php script to peek at everything that apache can see because any script is run with the uid/gid inhereted from the webserver. Now, the html tree does not contain any security-sensitive information, but I am sure that the clients would not be happy to know that any other of my clients can see their scripts and hidden information, like .htaccess-protected files or db files generated by php or cgi scripts. Is there anything anyone can do about this? of course it would be ideal if php would inherit uid/gid from the script file instead of the server ownership but I think there is no way to accomplish this, so this is why I am clueless. Oh, one more thingie: I have this CGI script here: #!/usr/bin/php . etc etc I try to access it and the "security warning!" page appears. The documentation sais that it's ok to use such CGI scripts, and warns the user about the security threat of using the php binary as a CGI. Obviously I am not using the php binary as a CGI, rather I am creating a CGI script that's interpreted using the php binary, so what seems to be the problem here? Thx a lot, georgeb -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]