Andrew wrote:
> Hi,
> ....
>
> As an example of the attack...
> $ whoami
> www-data

isn't the whole point of suexec/PHP/FastCGI that the local user has no access to the www-data account ... suexec switches to the user's account from the webserver account not the other way around.

so the attack is moot unless there is a completely different security hole that allows the user to run stuff as www-data.

or am I being thick? ... could well be, socialists are renowned for their stupidity ... just look at the eminent socialist George W. Bush.

so if I am being thick ... I would appreciate an explanation as to how the webuser account manages to run stuff in the context of the webserver account, if you have the inclination.

PS - that last bit about socialism is off topic
PPS - I don't think I'm much of a socialist
PPPS - I'm sure I do suffer from stupidity now and again
PPPPS - but not as much as the guy whose world-view manages to put Dubya into a socialist pigeonhole.

> $ cat >/tmp/myscript.php
> <?php passthru('whoami >/tmp/compromised.txt');
> $ SCRIPT_FILENAME=/tmp/myscript.php
> PATH_INFO=/home/wwjargon/public_html/meter.php /usr/lib/apache2/suexec
> "~wwjargon" wwjargon php.fcgi
> X-Powered-By: PHP/5.2.6-2ubuntu4
> Content-type: text/html
>
> $ cat /tmp/compromised.txt
> wwjargon
>
> I could make this attack a bit harder by changing the environment
> variables in php.fcgi so it would only work for FastCGI and not for
> normal CGI, but a more motivated attacker could just write a fake
> FastCGI server to attack my script.
>
> Setting PHP_DOCUMENT_ROOT in the environment and doc_root in php.ini
> didn't seem to stop the attack (although setting doc_root stops
> meter.php working, but not the attack), because PHP still happily serves
> up a document from /tmp/myscript.php, and --enable-force-cgi-redirect
> doesn't really have the potential to be of any help either because a
> local attacker could just set the same environment variables as the
> webserver to fake a redirect. I can't use the #!/usr/bin/php-cgi option
> because this is a FastCGI and not a CGI setup.
>
> What can I do to prevent this sort of local attack against my
> suexec/PHP/FastCGI environment (short of getting a VPS or installing my
> own patched PHP at least)?
>
> Thanks and Best Wishes,
> Andrew
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php