How safe (hardened) is this script?

The script below, test.php, is intended to be placed in a specific directory of all my WordPress sites. Its purpose is to fetch the file at $source below and extract it into the directory in which it is located. That is all it is intended to do.

For example, I will have a control panel interface on my central server, which lists all my sites on which this script is present. Then I execute the cURL procedure, which iterates through each site and calls this script, effectively sending the update file to all of them at once.

The call goes like this ...

```text
...processing site 1 update... http://targetsite1.com/somedeepdirectory/test.php?query=updates.zip
...processing site 2 update... http://targetsite2.com/somedeepdirectory/test.php?query=updates.zip
...etc until all my sites have been updated.
```

My question is: (1) how safe (hardened) is this script as it is, and (2) what checks should I put in place to make it more so?

I think that, at a minimum, I should limit the number of characters in myquery and also check the payload in myquery for malicious and unexpected file types?

```php
<?php
// TEST.PHP

$source = 'http://mycentralserver.com/protected/' . $_GET['myquery'];
$target = '.';

// Copy the remote file, chunk by chunk, into the script's own directory
$out_file = fopen(basename($source), 'w');
$in_file  = fopen($source, 'r');
while (($chunk = fgets($in_file)) !== false) {   // !== false: a line containing only "0" must not stop the copy
    fputs($out_file, $chunk);
}
fclose($in_file);
fclose($out_file);

// Extract the downloaded archive into the current directory
$zip    = new ZipArchive();
$result = $zip->open(basename($source));
if ($result === true) {   // open() returns true on success and an integer error code otherwise
    $zip->extractTo($target);
    $zip->close();
}
?>
```
+4

7 answers

The security of this script in its current state is pretty good. I have a few issues. Under NO CONDITION should you accidentally download a .php file and save it in your web root. This is the worst thing that could happen with this script, as it would be a remote code execution vulnerability. Files must be downloaded to a specific directory; if you are concerned about other access to these files, put "deny from all" in the .htaccess of that folder. If there are errors in this script, you should delete the downloaded file. In fact, I recommend deleting downloaded files as soon as possible.

I am also worried about this script being misused. You have to check to make sure that you got what you were looking for. Even if the file is not a .php file, it may contain PHP code `<?php ?>`, which can then be include()'d, which turns a local file inclusion (LFI) vulnerability into full-blown remote code execution.

In a secure PHP configuration, allow_url_fopen should be turned off, and PhpInfoSec agrees with me. This means that fopen() cannot be used for HTTP. allow_url_fopen is enabled by default, and I disable it on all production systems. The reason is that I personally wrote a remote code execution exploit for the Coppermine Photo Gallery which took advantage of this unsafe default. cURL should ALWAYS be used for HTTP in PHP; it is more secure and more stable.

+3

I could pass

```text
http://targetsite1.com/test.php?query=/tmp/somefile.zip
```

and crush your site with any file I could get somewhere on your web host.

> In fact, I'm not sure about that. It should be available at mycentralserver.com.

+2

The sites in question blindly download the .ZIP file from your central server on command. They do not confirm that the .ZIP file came from you, or that your central server has not been compromised.

I would use GPG to sign your zip archives. They do not need to be encrypted (but it never hurts), but they must be signed.

+2
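A verify-before-extract flow for the signing advice above, as an added example that is not part of the answer. The answer suggests GPG; this version uses PHP's bundled libsodium (Ed25519 detached signatures, ext/sodium, PHP 7.2 or later) so it runs without the PECL gnupg extension. The function names, the constructed zip bytes and the file paths are assumptions.

```php
<?php
// Added example: sign the update on the central server, verify on each site
// before ZipArchive ever opens it. Uses libsodium instead of GPG (see lead-in).
declare(strict_types=1);

// Central server side (offline step): the secret key never leaves that host.
function signUpdate(string $zipBytes, string $secretKey): string
{
    return sodium_crypto_sign_detached($zipBytes, $secretKey); // 64-byte detached signature
}

// Site side: the public key is baked into the script, so a compromised or spoofed
// central server cannot produce a zip the site will accept.
function verifyUpdate(string $zipBytes, string $signature, string $publicKey): bool
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // wrong length would make verify_detached throw
    }
    return sodium_crypto_sign_verify_detached($signature, $zipBytes, $publicKey);
}

// Only a zip whose detached signature checks out is extracted; both files are
// removed afterwards in every case (answer 1's advice: delete downloads promptly).
function installIfSigned(string $zipPath, string $sigPath, string $publicKey, string $target): bool
{
    $zipBytes = file_get_contents($zipPath);
    $sig      = file_get_contents($sigPath);
    $ok = $zipBytes !== false && $sig !== false && verifyUpdate($zipBytes, $sig, $publicKey);
    if ($ok) {
        $zip = new ZipArchive();
        $ok  = $zip->open($zipPath, ZipArchive::CHECKCONS) === true && $zip->extractTo($target);
        if ($zip->filename !== '') {
            $zip->close();
        }
    }
    @unlink($zipPath);
    @unlink($sigPath);
    return $ok;
}

// Constructed demo: one keypair, a stand-in for updates.zip, and a tampered copy.
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);
$pk = sodium_crypto_sign_publickey($kp);
$zipBytes = "PK\x03\x04" . random_bytes(32);     // constructed, not a real archive
$sig = signUpdate($zipBytes, $sk);
echo 'original: ', verifyUpdate($zipBytes, $sig, $pk) ? 'accepted' : 'rejected', "\n";
echo 'tampered: ', verifyUpdate($zipBytes . 'x', $sig, $pk) ? 'accepted' : 'rejected', "\n";
```

The central server would publish updates.zip together with updates.zip.sig, and the site script would download both and call installIfSigned() instead of extracting directly.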

Look at what your script does. You expose a query mechanism, create a zip file, and transfer data back and forth through this file and the query mechanism. Fortunately, this code is executed on the server, not on the client machine, so it is at least as unsafe as access to your web server. After reviewing your web server, it will be as secure as your network architecture for accessing a service that works with this request mechanism, or as secure as access to the zip file created by the script.

If these data stores do not hold personal information, no one will want to tamper with your code unless you mess with your code; this is a simple way to deface a site with a certain degree of traffic or reputation. So, what mechanisms exist to prevent people from freely injecting malicious code into your request engine or your zip archive?

+1

Consider disabling fopen_wrappers and using cURL or an HTTP library to access the specified HTTP content.

This will protect your system from other vulnerabilities where an attacker could gain access to web content inside a script in which you intended to restrict access to the local file system. With fopen_wrappers disabled, file means (local) file and http means http.

+1

Also think about who can run this script. I would protect it in some way so that a random guy / robot on the Internet cannot easily call it. Consider restricting it to the source IP address, or perhaps do a password check if the script is designed for an interactive call.

+1

One of the problems is that you do not check for directory traversal, so (in principle) the entire disk can be copied into the "." folder.

If ./ is accessible from the Internet, you have a big problem.

My advice is to recursively delete all instances of .. to avoid directory traversal.

To be more precise, if I passed ../../../../../../etc/passwd as input, this file would be copied to the current working directory. Since your script has write access there, obviously the passwd file would be exposed.

Also note that a . or a / can be encoded in dozens of different ways, so do not perform a naive search-and-replace for ../

0
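A rewrite of test.php with the checks the answers above ask for, as an added example and not the question's code or any answer's: a caller check (source IP plus shared token, answer 6), a whitelist for the file name instead of stripping "../" (answer 7), cURL over HTTPS instead of fopen (answers 1 and 5), a download directory outside the web root, a payload check beyond the extension, and deleting the download when done (answer 1). CENTRAL_BASE, ALLOWED_IPS, SHARED_TOKEN, DOWNLOAD_DIR and the X-Update-Token header name are assumed values.

```php
<?php
// Added example, not the question's test.php: same job, with the answers' checks.
declare(strict_types=1);

const CENTRAL_BASE = 'https://mycentralserver.com/protected/';
const ALLOWED_IPS  = ['203.0.113.10'];                     // assumed: central server's IP
const SHARED_TOKEN = 'replace-with-a-long-random-secret';  // assumed: set per deployment
const DOWNLOAD_DIR = __DIR__ . '/../private_updates';      // assumed: not web-accessible

function deny(int $code, string $msg): void { http_response_code($code); exit($msg . "\n"); }

// 1. Who may call this: source IP plus a shared token, compared in constant time.
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_IPS, true)) { deny(403, 'forbidden'); }
if (!hash_equals(SHARED_TOKEN, $_SERVER['HTTP_X_UPDATE_TOKEN'] ?? '')) { deny(403, 'forbidden'); }

// 2. Which file: a whitelist of safe characters. Encoded dots, slashes or "../"
//    never match, so traversal is rejected outright instead of "cleaned up".
$name = $_GET['myquery'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.zip$/', $name)) { deny(400, 'bad file name'); }
$dest = DOWNLOAD_DIR . '/' . $name;

// 3. Fetch with cURL, HTTPS only (works with allow_url_fopen = Off), size-capped.
$fh = fopen($dest, 'wb');
if ($fh === false) { deny(500, 'cannot write download'); }
$ch = curl_init(CENTRAL_BASE . rawurlencode($name));
curl_setopt_array($ch, [
    CURLOPT_FILE => $fh, CURLOPT_PROTOCOLS => CURLPROTO_HTTPS, CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_TIMEOUT => 60,
    CURLOPT_MAXFILESIZE => 50 * 1024 * 1024,   // only enforced when Content-Length is sent
]);
$fetched = curl_exec($ch) === true && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
curl_close($ch);
fclose($fh);

// 4. Check the payload is really a zip (magic bytes, not the extension) and that every
//    entry is a plain relative path with no ".." segment and no PHP-executable extension.
$zip = new ZipArchive();
$ok  = $fetched && file_get_contents($dest, false, null, 0, 4) === "PK\x03\x04"
       && $zip->open($dest, ZipArchive::CHECKCONS) === true;
$opened = $ok;
for ($i = 0; $ok && $i < $zip->numFiles; $i++) {
    $entry = (string) $zip->getNameIndex($i);
    $ok = preg_match('#^(?!/)(?!.*(^|/)\.\.(/|$))[\w./-]+$#', $entry) === 1
          && preg_match('/\.(php|phtml|phar)\d?$/i', $entry) !== 1;
}
if ($ok) { $ok = $zip->extractTo(__DIR__); }   // the script's own directory, as in test.php
if ($opened) { $zip->close(); }
@unlink($dest);                                // delete the download as soon as possible, pass or fail
echo $ok ? "updated\n" : "rejected\n";
```

The entry filter only keeps out files PHP would execute by extension; as answer 1 notes, any extracted file that is later include()'d is still a code execution path, so the extraction directory should not be one the site includes from.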

Source: https://habr.com/ru/post/1302273/
