
Go Back   LiteSpeed Support Forums > LiteSpeed Web Server > LSWS 4.1 Release > mod_security RESPONSE_BODY

 
 
#20
03-31-2009, 06:37 AM
IrPr
Quote:
Originally Posted by Tony
I doubt that safe_mode exploit will ever be fixed, seeing as how PHP 6.0 will not have safe_mode. At least that's what was said back when 6.0 was in early development. openbase_dir, although useful, if someone does get around it, in theory they should be unable to do any damage. PHP is running as their user; they're going to need to find folders that have read and write for everyone to do any damage. So really not a ton they can do, and considering suPHP, which a lot of people use, does not support openbase_dir and we're not reading about people suggesting mod_php is better.
suPHP has a lot of advantages in security, but not in performance.
suPHP breaks EA/xCache/MMCache/etc. opcode cache support, then will reduce IO for PHP sources in huge traffic, which leads to load increase and page generation latency.

The same trade-off between security and performance! If you worry about mod_security RESPONSE_BODY disadvantages, the same issue is here for suPHP, to me.

Quote:
Originally Posted by Tony
Plus, as I said, if your server supports Perl then these c99, r57, etc. shells are just a PHP entry point. If they can get a Perl version up, they do not have openbase_dir restrictions anyway and can run shell commands.
CGI attacks could be patched by chroot as well.

Quote:
Originally Posted by yolte
You know that PHP shells are using lots of PHP functions which are used by other normal PHP scripts (e.g. oscommerce, joomla).
If we disable these functions, other customers' scripts will be blocked.
If we disable this, can it break any PHP script?
As I said, I disable malicious functions, not all.

PHP shells are using a lot of functions, is_array for example.
I never disable the is_array function, I just disable common exploit functions such as exec/system/shell.

Here is the c99 exec function, take a look:
PHP Code:
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_resource($fp = popen($cmd,"r")))
  {
   $result = "";
   while(!feof($fp)) {$result .= fread($fp,1024);}
   pclose($fp);
  }
 }
 return $result;
}

If you know the PHP language, you will find that the c99 myshellexec function requires at least one of exec, system or passthru,
so patching the c99 execute function can be done by disabling these 3 functions; same for all attack methods implemented in all common PHP shells.

So, why should Joomla or Wordpress or vBulletin or PHPBB use execute functions? There is no need for execute functions in most common PHP scripts.
Indeed, exec functions are needed just in some special cases such as FFMPEG convert, believe me.

Quote:
Originally Posted by yolte
And finally, gotroot paid and real time rules, blocking 99% of PHP exploits on milw0rm and packetstorm. Did you try it?
The exploit that I posted doesn't have any args and could be renamed easily, then how could mod_security detect and defect it?

In fact mod_security just sniffs the request header, and a good hacker can easily change args and filename, then bypass mod_security rules.

If you would like, I can modify the c99 PHP shell and send it to you, then you check your security rules against the modified c99 version; however, securing PHP will break all phpshell functionality like a charm.

Last edited by IrPr; 03-31-2009 at 01:16 PM..
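
An added example, not part of IrPr's post or of the c99 code: a PHP check of which command-execution paths tried by the quoted myshellexec function a given disable_functions value leaves enabled. The sample setting strings are constructed, the helper name open_primitives is hypothetical, and the backtick branch is mapped to shell_exec because PHP disables the backtick operator together with shell_exec.

```php
<?php
// Added example (not from the thread): audit a disable_functions value against
// the execution primitives that the quoted myshellexec() falls back through.

// Primitives the quoted function tries, in order. The backtick operator is
// listed as shell_exec because PHP disables backticks when shell_exec is disabled.
const SHELL_PRIMITIVES = ['exec', 'shell_exec', 'system', 'passthru', 'popen'];

/**
 * Return the entries of SHELL_PRIMITIVES that a disable_functions string
 * leaves enabled. (Hypothetical helper name, introduced for this example.)
 */
function open_primitives(string $disableFunctions): array
{
    // disable_functions is a comma-separated list; normalise case and spacing.
    $disabled = array_filter(array_map(
        fn($name) => strtolower(trim($name)),
        explode(',', $disableFunctions)
    ));
    return array_values(array_diff(SHELL_PRIMITIVES, $disabled));
}

// Constructed sample settings, plus the value of the interpreter running this script.
$samples = [
    'exec,system,passthru only'  => 'exec,system,passthru',
    'all five fallbacks'         => 'exec, shell_exec, system, passthru, popen',
    'this interpreter (ini_get)' => (string) ini_get('disable_functions'),
];

foreach ($samples as $label => $value) {
    $open = open_primitives($value);
    printf(
        "%-28s %s\n",
        $label . ':',
        $open ? 'still callable: ' . implode(', ', $open) : 'no fallback left'
    );
}
```

Run it under the same SAPI and php.ini that serve the sites, since the command-line interpreter may load a different configuration.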