suPHP has a lot of advantages in security, but not in performance.
suPHP breaks EA/xCache/MMCache/etc. opcode cache support, which then reduces I/O for PHP sources under heavy traffic and leads to higher load and page generation latency.
The same trade-off between security and performance! If you worry about the mod_security RESPONSE_BODY disadvantages, the same issue exists for suPHP, in my opinion.
CGI attacks could be patched by chroot as well.
As I said, I disable malicious functions, not all of them.
PHP shells use a lot of functions, is_array for example.
I never disable the is_array function; I just disable common exploit functions such as exec/system/shell.
Here is the c99 exec function, take a look:
PHP Code:

    function myshellexec($cmd)
    {
        global $disablefunc;   // the shell's own list of functions it should skip
        $result = "";
        if (!empty($cmd))
        {
            // 1st path: exec(), output lines joined into one string
            if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
            // 2nd path: the backtick operator (same engine function as shell_exec())
            elseif (($result = `$cmd`) !== FALSE) {}
            // 3rd path: system(), output captured through output buffering
            elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
            // 4th path: passthru(), same output-buffering trick
            elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
            // 5th path: popen(), read the pipe until EOF
            elseif (is_resource($fp = popen($cmd,"r")))
            {
                $result = "";
                while(!feof($fp)) {$result .= fread($fp,1024);}
                pclose($fp);
            }
        }
        return $result;
    }
If you know the PHP language, you will find that the c99 myshellexec function requires at least one of exec, system or passthru,
so patching the c99 execute function can be done by disabling these 3 functions; the same goes for all attack methods implemented in all common PHP shells.
So, why should Joomla, WordPress, vBulletin or phpBB use execute functions? There is no need for execute functions in most common PHP scripts.
Indeed, only in some special cases such as FFMPEG convert are exec functions needed, believe me.
The exploit that I posted doesn't have any args and could be renamed easily, so how could mod_security detect and defeat it?
In fact mod_security just sniffs request headers, and a good hacker can easily change args and filename and bypass mod_security rules.
If you would like, I can modify the c99 PHP shell and send it to you, then you can check your security rules against the modified c99 version; however, securing PHP will break all PHP shell functionality like a charm.
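As an added defender-side check (example code written for this edit, not from the post above and not part of c99 or any project), here is a small PHP audit script. It walks the command-execution paths the posted myshellexec() falls through in order (exec, the backtick operator which is shell_exec, system, passthru, popen) and reports whether the host's disable_functions directive actually covers each one. proc_open is included as an assumption that it belongs on the same list; it is not mentioned in the post.

```php
<?php
// Added example, not from the post or from c99: audit the PHP configuration
// against every command-execution path the posted myshellexec() tries.
// Run it through the same SAPI the web server uses (php-cgi, or place it in
// a web root), because the CLI may load a different php.ini.

// Paths in the order myshellexec() tries them. The backtick operator is
// shell_exec(); proc_open() is an assumed addition, not from the post.
function c99ExecPaths(): array
{
    return ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];
}

// Parse the comma-separated disable_functions directive from php.ini.
function disabledFunctions(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', $raw));
    return array_values(array_filter($names, 'strlen'));
}

// For each path report whether it is listed in disable_functions and whether
// PHP still reports it callable. c99 gates on is_callable(), and on PHP < 8
// is_callable() could return true for a disabled function, so both are shown.
function auditExecPaths(): array
{
    $disabled = disabledFunctions();
    $report   = [];
    foreach (c99ExecPaths() as $fn) {
        $report[$fn] = [
            'listed'   => in_array($fn, $disabled, true),
            'callable' => is_callable($fn),
        ];
    }
    return $report;
}

// The disable_functions line that would close every path above.
function hardenedDirective(): string
{
    return 'disable_functions = ' . implode(',', c99ExecPaths());
}

$report = auditExecPaths();
$open   = [];
foreach ($report as $fn => $state) {
    printf("%-10s listed=%-3s callable=%s\n", $fn,
        $state['listed'] ? 'yes' : 'no',
        $state['callable'] ? 'yes' : 'no');
    if ($state['callable']) {
        $open[] = $fn;
    }
}
if ($open) {
    echo "Still reachable: " . implode(', ', $open) . "\n";
    echo "Suggested php.ini line: " . hardenedDirective() . "\n";
} else {
    echo "All listed execution paths are disabled on SAPI " . PHP_SAPI . ".\n";
}
```

The script only reports on the functions it names; applications that legitimately need one of them (the FFMPEG case mentioned in the post) will show up as "still reachable" and need a deliberate exception rather than a blanket directive.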