PHP blamed for security problems

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:

On 2004-03-18, Tim Tyler <ti*@tt1lock.or g> wrote:

> Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
>> On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote: >> > Here's what this morning's security advisory read here:
>> > ``Recently, we've seen an increase in malicious activity on
>> > our servers, caused by hackers who have successfuly gained
>> > shell access via insecure PHP scripts.
>>
>> And who's to blame for that? The php script? Or the sysadmin that gives
>> to many rights to the user that is running apache?
>
> Giving even rather minimal rights will allow the manipulation of files
> on the server. The hacker is likely to be able to recover the system
> password file and run it through a password cracker. In many cases,
> this will be enough for them to make quite a mess - e.g. by using
> compromised accounts to relay spam.

Imho the one to blame for should be the sysadmin for not using shadow
passwords. [...]

That's a fair comment.

However (though I haven't asked them) I suspect shadow passwords are not
currently an option for them. They provide multiple "virutal servers" on
the same machine - and the administrator of each server doesn't get root
access - but they are the one who needs to manipulate users and passwords.

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:

On 2004-03-18, Tim Tyler <ti*@tt1lock.or g> wrote:

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
> On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote: Here's what this morning's security advisory read here:
> > ``Recently, we've seen an increase in malicious activity on
> > our servers, caused by hackers who have successfuly gained
> > shell access via insecure PHP scripts.
>
> And who's to blame for that? The php script? Or the sysadmin that gives
> to many rights to the user that is running apache?

Giving even rather minimal rights will allow the manipulation of files
on the server. The hacker is likely to be able to recover the system
password file and run it through a password cracker. In many cases,
this will be enough for them to make quite a mess - e.g. by using
compromised accounts to relay spam.

Imho the one to blame for should be the sysadmin for not using shadow
passwords. [...]

That's a fair comment.

However (though I haven't asked them) I suspect shadow passwords are not
currently an option for them. They provide multiple "virutal servers" on
the same machine - and the administrator of each server doesn't get root
access - but they are the one who needs to manipulate users and passwords.

There may be scope for improvement here - but it may not be terribly
simple to do.

R. Rajesh Jeba Anbiah <ng**********@r ediffmail.com> wrote or quoted:

Blame the design and programmers---not the PHP.

In India, we can file a case against anyone who damage one's name
with a kind of hoax. I don't know, whether we should take some efforts
to sue such people who intentionally damage PHP instead of blaming the
design and programmers.

I can't say I approve of the "legal" approach to software security.

Fund the removal of the security holes - not detectives to catch
those who exploit them and lawyers to sue them.

MyOdd <sp********@myo ddweb.com> wrote or quoted:

Maybe php could prevent the usage of include(...) from a $_GET/$_POST but how can that really be enforced...

By not running code taken from remote machines, perhaps?

I have been wanting to write an app for some times that go thru php scripts and flags possible security risks. I don't know if i really have the time to.

Better to eliminate the risks at source - rather than scan every script
in the universe.

Tim Tyler <ti*@tt1lock.or g> wrote in message news:<Hu******* *@bath.ac.uk>.. .

R. Rajesh Jeba Anbiah <ng**********@r ediffmail.com> wrote or quoted:

Blame the design and programmers---not the PHP.

In India, we can file a case against anyone who damage one's name
with a kind of hoax. I don't know, whether we should take some efforts
to sue such people who intentionally damage PHP instead of blaming the
design and programmers.

I can't say I approve of the "legal" approach to software security.

Fund the removal of the security holes - not detectives to catch
those who exploit them and lawyers to sue them.

I'm not saying about legal approach to software security. I'm saying
about legal approach to the people who spead the hoax that PHP is not
secure instead of blaming the design and lame programmers.

I would think that in larger companies authentication is against LDAP or
MySQL or whatever database. And thus still no need for running php as
root etc..

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:

However the abitily to run the script of your choice - and read and write
files with the permissions of the web server is probably pretty devastating.
The user that is running your webserver does NOT need write access to
files. All that it needs is x on the directory (and the directories to
get there), and r for the file.

And with mod_security, or whatever the setting is called in php, you can
lock much more things down ;)
At the very least you could publicly expose the source code of
practically everything to the attackers.

On 2004-03-19, Tim Tyler <ti*@tt1lock.or g> wrote:

However the abitily to run the script of your choice - and read and write
files with the permissions of the web server is probably pretty devastating.

The user that is running your webserver does NOT need write access to
files. All that it needs is x on the directory (and the directories to
get there), and r for the file.

At the very least you could publicly expose the source code of
practically everything to the attackers.

Security through obscurity doesn't work anyway. So what is the problem?

Tim Van Wassenhove <eu**@pi.be> wrote or quoted:

On 2004-03-19, Tim Tyler <ti*@tt1lock.or g> wrote:

> However the abitily to run the script of your choice - and read and write
> files with the permissions of the web server is probably pretty devastating.

The user that is running your webserver does NOT need write access to
files. All that it needs is x on the directory (and the directories to
get there), and r for the file.

The webserver usually has to do some writing - to log files, and so
forth. It ow would this be devestating?

> At the very least you could publicly expose the source code of
> practically everything to the attackers.

Security through obscurity is a technical phrase from cryptography.

In this case, PHP is at fault.
IMO, that is almost like saying "the OS is at fault" for allowing users
to delete files or install software. (granted, a require() that can
slurp in and evaluate code from across the net is kind of asking for
problems)

A casually-written script should *not* allow attackers to remotely run the
code of their choice on the server with the permissions of the webserver.
Which is why casually written programs are generally a bad idea. :-)

Although, with people offering to write custom code for $10/hr it is kind of
inevitable that shortcuts be made.

The market and cheap programming does put programmers in a position
where this type of thing is bound to happen. Web designers skipping over
to programming because they can't afford to hire a programmer,
programmers rushing through stuff because they'll average only $2.00/hr
if they DON'T rush it, etc.. I guess people who pay some guy $5.00/hr to
write their stuff kind of deserve what they get.

That allows them to (e.g.) publicly expose the source of every file the
webserver has read access to - which seems like a security disaster to me
- the remote attacker gives themselves the same access rights to files
that a local user has.

Don't blame the authors of the scripts - permitting this is PHP's fault -
and I don't care if you want to set the lawyers on me for saying so ;-)