PHP Safe Mode Bypass

Whatever...until someone can post a working patch, I'm not going to worry about this. So far all the replies here have been cryptic.
 
sullise said:
Whatever...until someone can post a working patch, I'm not going to worry about this. So far all the replies here have been cryptic.

How has it been cryptic? Set safe_mode and open_basedir and it solves it. Obviously you have something else happening if that isn't working for you, but for everyone else it does.

Need someone to hold your hand?
 
Something isn't right here. I put this into a PHP file and when loading it in the browser it's able to read the file even if I disable the ini_restore function, and I also have open_basedir supposedly blocking the location. The PHP version is 4.4.4, so PHP is acting like open_basedir and disable_functions aren't enabled; they both do show in phpinfo so I can confirm they are set.

Update: I am seeing denied entries inside the error log for the vhost, but /etc/passwd still displays with just the include, even without ini_restore, at the same time as the log says access denied.

This doesn't happen on PHP 5.1.5, only 4.4.4. I only have 2 servers running 4.4.4 and it happens on both, so I think there is a total open_basedir failure in 4.4.4.
 
sullise said:
Whatever...until someone can post a working patch, I'm not going to worry about this. So far all the replies here have been cryptic.

I wouldn't say cryptic. If you set safe mode to On in php.ini it fixes it. If this breaks something I'm guessing that means safe mode wasn't enabled anyway, so you don't need to update anything.

Steve
 
HH-Steve said:
I wouldn't say cryptic. If you set safe mode to On in php.ini it fixes it. If this breaks something I'm guessing that means safe mode wasn't enabled anyway, so you don't need to update anything.

Steve

Forget it. :rolleyes:

SM broke because of the functions being disabled; I removed that and it worked.

My DA Skin broke because of the Safe Mode = On in php.ini

I've applied ALL the patches and updates and it STILL shows the passwd file, and you have others here that see same thing. I also know for a fact another host that can confirm the same thing.

So whatever you are doing to fix this, it's NOT universal.
 
Leave php safe_mode = OFF
Configure open_basedir
Then in the php.ini set disable_functions = "ini_restore"

These 3 steps will make your system block the bypass.

Greetings
 
Hi,

As a few people are having problems with this I will explain in clear steps.

Step 1. Run the following code to enable open_basedir in the users' httpd.conf.

Code:
cd /usr/local/directadmin/data/templates
cp virtual_host*.conf custom
cd custom
perl -pi -e 's/#php_admin_value open_basedir/php_admin_value open_basedir/' virtual_host*.conf
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

Step 2. Open DirectAdmin click "PHP SafeMode Configuration" and turn it on if it isn't already.

Step 3. Open your php.ini ( normally /usr/local/lib/php.ini ) and look for

Code:
disable_functions

and replace with

Code:
disable_functions = ini_restore

Make sure that it's not commented out, e.g. ;disable_functions

Step 4. Check that your passwd file is owned by root with permissions of 644

Step 5. Restart Apache

Code:
service httpd restart

Check that the exploit is stopped.

I can't see how this wouldn't work. You don't need to install a hardening patch or a dev version of PHP that can break other PHP scripts.

Regards,
Grant

PS. The exploit is that you can read any file by using the ini_restore function. If you comment the two ini_restore lines out, run the test PHP script and can still read the passwd file, then this exploit has no effect whatsoever because your setup is insecure anyhow.
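An added audit script (not from this thread) that checks the settings the steps above rely on against a php.ini and DirectAdmin virtual_host templates; the sample files it writes are constructed, and the function names are my own:

```shell
#!/bin/sh
# Added audit helper, not from the thread: checks the settings the steps above
# rely on. Paths are arguments, so it can run against copies of the real files.

# 0 if the active (uncommented) disable_functions line lists ini_restore.
check_ini_restore_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tr -d '"' \
        | grep -Eq '(=|,)[[:space:]]*ini_restore[[:space:]]*(,|$)'
}

# 0 if display_errors is Off, so warnings go to the error log, not the browser.
check_display_errors_off() {
    grep -Eiq '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(off|0)[[:space:]]*$' "$1"
}

# 0 only if every template given has an uncommented php_admin_value open_basedir.
check_open_basedir_templates() {
    for f in "$@"; do
        grep -Eq '^[[:space:]]*php_admin_value[[:space:]]+open_basedir' "$f" || return 1
    done
    return 0
}

# Constructed sample files (not real server config) for a stand-alone run.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/php.ini" <<'EOF'
safe_mode = Off
;disable_functions = ini_restore
disable_functions = "ini_restore, system"
display_errors = Off
EOF
cat > "$tmp/vh_commented.conf" <<'EOF'
#php_admin_value open_basedir /home/user/:/tmp
EOF
cat > "$tmp/vh_active.conf" <<'EOF'
php_admin_value open_basedir /home/user/:/tmp
EOF

report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; fi; }
report check_ini_restore_disabled "$tmp/php.ini"
report check_display_errors_off "$tmp/php.ini"
report check_open_basedir_templates "$tmp/vh_active.conf"
report check_open_basedir_templates "$tmp/vh_commented.conf"   # FAIL: line still commented out
```

The last check fails on purpose: a template whose open_basedir line is still prefixed with # applies no restriction, which is the state Step 1 above fixes.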
 
That's more like it..thanks..

But this would disable safe_mode for all users, correct? That's NOT a viable solution since it would break a lot of scripts. While I have safe_mode off by default in DA, many sites have it on for scripting purposes.

And btw, it's probably safer to always do:

perl -pi.bak -e 's/#php_admin_value open_basedir/php_admin_value open_basedir/' virtual_host*.conf

That way every conf file gets a backup before changes are made.
 
Can someone possibly try and confirm whether open_basedir is working on 4.4.4 or not? I submitted a bug report but they rejected it for a cosmetic reason.
 
This can be fixed in 3 ways:
1. Patch php (best way)
2. disable_functions = ini_restore (some scripts using this function may display a warning)
3. safe_mode=on in the main php.ini (what I do)

As we know, DA has a safe_mode php flag in all virtual host directives to control their safe_mode on/off, so setting safe_mode=on in php.ini will not affect them; it will only affect the main domain (server domain and calls by IP), but it's easy to fix this.

Here are my steps.

First we set safe_mode on in php.ini
1. edit /usr/local/lib/php.ini >> safe_mode=on

Then we solve its side effect by adding a safe_mode flag in the vhost of the server root, and fixing the aliases that are called from user domains
2. edit /etc/httpd/conf/httpd.conf
#alias /phpmyadmin /var/www/html/PhpMyAdmin
#alias /phpMyAdmin /var/www/html/phpMyAdmin
redirect /phpmyadmin http://ip.ip.ip.ip/pma
redirect /phpMyAdmin http://ip.ip.ip.ip/pma
#alias /webmail /var/www/html/webmail
redirect /webmail http://ip.ip.ip.ip/uebimiau
#alias /squirrelmail /var/www/html/squirrelmail
redirect /squirrelmail http://ip.ip.ip.ip/squirrel

<VirtualHost ip.ip.ip.ip:80>
ServerAdmin [email protected]
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ServerName localhost
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

CustomLog /var/log/httpd/homedir.log homedir

<Directory /var/www/html>
Options +Includes -Indexes
php_admin_flag engine ON
php_admin_flag safe_mode OFF
</Directory>

php_admin_value open_basedir /tmp:/var/www/:/usr/local/lib/php/:/etc/virtual/

</VirtualHost>

<VirtualHost ip.ip.ip.ip:443>
ServerName localhost
ServerAdmin [email protected]
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

CustomLog /var/log/httpd/homedir.log homedir

<Directory /var/www/html>
Options +Includes -Indexes
php_admin_flag engine ON
php_admin_flag safe_mode OFF
</Directory>

php_admin_value open_basedir /tmp:/var/www/:/usr/local/lib/php/:/etc/virtual/

</VirtualHost>

3. Correct the paths to match the redirects
cd /var/www/html
ln -s squirrelmail-version-????? squirrel
ln -s webmail uebimiau
ln -s phpMyAdmin-version-???? pma

4. Restart httpd
 
Chrysalis
Can someone possibly try and confirm whether open_basedir is working on 4.4.4 or not? I submitted a bug report but they rejected it for a cosmetic reason.
I can vouch that this is working for us. We run php 4.4.4 with "open_basedir" and are using "disable_function = ini_restore". We ran the exploit and here are the results:
Code:
0/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/
Warning: main() [function.main]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/) in /home/myuser/domains/domain.com/public_html/mytest.php on line 7

Warning: main(/etc/passwd) [function.main]: failed to open stream: Operation not permitted in /home/myuser/domains/domain.com/public_html/mytest.php on line 7

Warning: main() [function.main]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/) in /home/myuser/domains/domain.com/public_html/mytest.php on line 7

Warning: main(/etc/passwd) [function.main]: failed to open stream: Operation not permitted in /home/myuser/domains/domain.com/public_html/mytest.php on line 7

Warning: main() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:/usr/local/lib/php/') in /home/myuser/domains/domain.com/public_html/mytest.php on line 7

Warning: ini_restore() has been disabled for security reasons in /home/myuser/domains/domain.com/public_html/mytest.php on line 9

Warning: ini_restore() has been disabled for security reasons in /home/myuser/domains/domain.com/public_html/mytest.php on line 11
0/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/
Warning: main() [function.main]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/) in /home/myuser/domains/domain.com/public_html/mytest.php on line 17

Warning: main(/etc/passwd) [function.main]: failed to open stream: Operation not permitted in /home/myuser/domains/domain.com/public_html/mytest.php on line 17

Warning: main() [function.main]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/) in /home/myuser/domains/domain.com/public_html/mytest.php on line 17

Warning: main(/etc/passwd) [function.main]: failed to open stream: Operation not permitted in /home/myuser/domains/domain.com/public_html/mytest.php on line 17

Warning: main() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:/usr/local/lib/php/') in /home/myuser/domains/domain.com/public_html/mytest.php on line 17
 
You get the results in the browser window? That's bad; you should disable error output and send it to the log only.

I fixed the basedir problem; I believe it was linked to eAccelerator caching.
 
kke said:
This can be fixed in 3 ways:
1. Patch php (best way)
2. disable_functions = ini_restore (some scripts using this function may display a warning)
3. safe_mode=on in the main php.ini (what I do)

As we know, DA has a safe_mode php flag in all virtual host directives to control their safe_mode on/off, so setting safe_mode=on in php.ini will not affect them; it will only affect the main domain (server domain and calls by IP), but it's easy to fix this.

Here are my steps.

First we set safe_mode on in php.ini
1. edit /usr/local/lib/php.ini >> safe_mode=on

Then we solve its side effect by adding a safe_mode flag in the vhost of the server root, and fixing the aliases that are called from user domains
2. edit /etc/httpd/conf/httpd.conf
#alias /phpmyadmin /var/www/html/PhpMyAdmin
#alias /phpMyAdmin /var/www/html/phpMyAdmin
redirect /phpmyadmin http://ip.ip.ip.ip/pma
redirect /phpMyAdmin http://ip.ip.ip.ip/pma
#alias /webmail /var/www/html/webmail
redirect /webmail http://ip.ip.ip.ip/uebimiau
#alias /squirrelmail /var/www/html/squirrelmail
redirect /squirrelmail http://ip.ip.ip.ip/squirrel

<VirtualHost ip.ip.ip.ip:80>
ServerAdmin [email protected]
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ServerName localhost
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

CustomLog /var/log/httpd/homedir.log homedir

<Directory /var/www/html>
Options +Includes -Indexes
php_admin_flag engine ON
php_admin_flag safe_mode OFF
</Directory>

php_admin_value open_basedir /tmp:/var/www/:/usr/local/lib/php/:/etc/virtual/

</VirtualHost>

<VirtualHost ip.ip.ip.ip:443>
ServerName localhost
ServerAdmin [email protected]
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

CustomLog /var/log/httpd/homedir.log homedir

<Directory /var/www/html>
Options +Includes -Indexes
php_admin_flag engine ON
php_admin_flag safe_mode OFF
</Directory>

php_admin_value open_basedir /tmp:/var/www/:/usr/local/lib/php/:/etc/virtual/

</VirtualHost>

3. Correct the paths to match the redirects
cd /var/www/html
ln -s squirrelmail-version-????? squirrel
ln -s webmail uebimiau
ln -s phpMyAdmin-version-???? pma

4. Restart httpd

Nope. Didn't work...

But GranTW's did. I created a script to enable open_basedir in all the httpd.confs and that seems to fix it, but a few sites broke. :(
 
Chrysalis,

I did what you recommended in disabling the output and only sending it to the log. However, I still get this
Code:
0/home/myuser/:/tmp/:/var/www/:/usr/local/lib/php/:/etc/virtual/
when I try to run the script again. Is that normal, or is there something else I need to change to stop that from showing?
 
No, that's not a warning; it's doing what the script says and reporting the open_basedir setting.

Although mine just shows a blank page now and shows nothing.
 