PHP security: Secure Functions, restrict dangerous PHP function access without disabling (alpha)

An Overview of the PHP Secure Functions (Alpha)

Most of the dangerous PHP functions are made safe from unwanted access without disabling these functions.

Why Secure functions?

PHP is one of the most widely used server-side scripting languages. PHP provides many functions that are dangerous if we don't take enough care; some of them are exec, shell_exec, curl_exec, etc. By default, most of these dangerous functions are disabled by a setting in the php.ini file (see disable_functions). But disabling some of these functions won't meet our needs. For example, for easy server management most administrators install phpMyAdmin, which requires most of those disabled functions to work properly, so we can't disable the functions it uses. Most hackers take advantage of these enabled functions.

What do hackers do with dangerous enabled functions?

If your server supports an upload service, a hacker's first attempt will be to upload malware files to the server and then access the server remotely through them. r57_shell/C99_shell are examples of such malware files.

(Note: I am not encouraging hacking, but for the purpose of security I want to explain a bit about these files.)

r57_shell/C99_shell are the most widely used PHP malware scripts for hacking PHP servers; hackers try to upload these files to your server. Once they have done so, and if dangerous functions are enabled on your PHP server, it is a piece of cake for them to hack it. They just execute the uploaded malware through a browser and can get all the details of your server; with access to these dangerous functions they can even alter the server (access MySQL very easily, read other scripts, write files, do anything they want with the PHP server).

(By searching for r57shell/C99shell you can download the PHP file, investigate the code written in it and understand how it works.)

The functions used in these malware files are as follows (they need to be taken care of):
setcookie,urldecode,getenv,header,file_get_contents,fopen,fwrite,fclose,opendir,
php_stat,readdir,mkdir,closedir,unlink,exec,system,passthru,shell_exec,proc_nice,
escapeshellcmd,escapeshellarg,popen,fread,pclose,base64_decode,mysql_query,
mysql_num_rows,mysql_fetch_row,gethostbyname,mysql_get_server_info,
mysql_fetch_assoc,mysql_free_result,mysql_error,ini_get,phpversion,ini_set,
urlencode,php_uname,disk_free_space,disk_total_space,mysql_connect,
mysql_get_proto_info,mysql_list_tables,mysql_list_dbs,ob_clean,mysql_field_name,
mysql_create_db,mysql_select_db,mysql_num_fields,mysql_drop_db,
mysql_affected_rows,in_array,ftp_connect,ftp_login,ob_flush,fseek,mail,
posix_getpwuid,posix_getgrgid,phpinfo,base64_encode,ob_get_contents,
base_convert,move_uploaded_file,readlink,fsockopen,posix_kill,highlight_file,
getimagesize,touch,chdir.

What do secure functions do?

One way of securing those dangerous functions is to disable them in the php.ini file. But what if you want some of those functions to stay enabled and still prevent unauthorized access? One way is to restrict those enabled functions. But how? Here comes the solution: Secure Functions.

Using secure functions, you can restrict the execution of a PHP function to a particular file or a particular folder without disabling it. You can specify which file may execute a particular function (i.e. the call to that function is written in that file), or specify a folder, so that any file inside that folder may execute the function.

For example:
If you want to secure the function 'phpinfo' (phpinfo gives all the details of your PHP settings, enabled functions, modules, etc.) and the call is written in a file named /var/www/index.php, you specify that only /var/www/index.php, or the folder /var/www/, can execute the phpinfo function.

How do secure functions work?

To make functions secure, edit the php.ini file and add the following lines (a template) at the bottom, if they are not already there:

(You can download the patched PHP alpha source code, then compile and install it on your server, from here.)
 
[command security]
;; For details, read README.SECURE_FUNCTIONS
;; enable_security, default off
;; security_file_path, default "/usr/local/lib/"
;; enabled_security_functions, below added functions are used in C99Shell/R57shell php malware file, which need extreme security.

; turns security on or off
enable_security = On

; tells which functions need security (the functions that support security are defined in the 'secure_functions' file)
; the value must stay on a single line
enabled_security_functions = setcookie,urldecode,getenv,header,file_get_contents,fopen,fwrite,fclose,opendir,php_stat,readdir,mkdir,closedir,unlink,exec,system,passthru,shell_exec,proc_nice,escapeshellcmd,escapeshellarg,popen,fread,pclose,base64_decode,mysql_query,mysql_num_rows,mysql_fetch_row,gethostbyname,mysql_get_server_info,mysql_fetch_assoc,mysql_free_result,mysql_error,ini_get,phpversion,ini_set,urlencode,php_uname,disk_free_space,disk_total_space,mysql_connect,mysql_get_proto_info,mysql_list_tables,mysql_list_dbs,ob_clean,mysql_field_name,mysql_create_db,mysql_select_db,mysql_num_fields,mysql_drop_db,mysql_affected_rows,in_array,ftp_connect,ftp_login,ob_flush,fseek,mail,posix_getpwuid,posix_getgrgid,phpinfo,base64_encode,ob_get_contents,base_convert,move_uploaded_file,readlink,fsockopen,posix_kill,highlight_file,getimagesize,touch,chdir

; Folder path for security check (change as you wish)
security_file_path = "/usr/local/lib/"

Working (based on the above template):

  •  For example, before executing the 'setcookie' function in any file (e.g. test.php), PHP looks for a file named "setcookie" under security_file_path (here /usr/local/lib/).

     That is, PHP checks for the file "/usr/local/lib/setcookie" and looks for the match "test.php" within it. If PHP finds a match, it executes the function; otherwise it does not, and returns a PHP warning.

  •  If PHP doesn't find "/usr/local/lib/setcookie" on your server, it looks for the match in a default file (a global file for every function) under "/usr/local/lib/", i.e. "/usr/local/lib/default".

      + Suppose you want to restrict execution of 'phpinfo' to a file named "test.php": create a file named "phpinfo" under "/usr/local/lib/" and add the entry "test.php".
         (Recommended: add the entry with its full path, e.g. if "test.php" is located in /var/www/, add "/var/www/test.php".)

  •  The global file for every secure function is "security_file_path/default" (in this example /usr/local/lib/default).

  ***** Essential ******

    There should always be a global default file under security_file_path ($security_file_path/default). If it is not found, PHP returns an error and stops execution of the entire PHP file.
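
The lookup order described above, modelled as a small shell function so that a policy directory can be checked before it is deployed. This is an added example, not code from the patch; the entry format (one entry per line, a trailing "/" meaning a folder), the return codes and the names sf_check and sf_sample_policy are assumptions.

```shell
#!/bin/sh
# Added example: a model of the lookup described above, not the patch's code.
# Assumptions (not stated on the page): list files hold one entry per line;
# an entry ending in "/" allows every script below that folder; any other
# entry must equal the calling script's full path.

# sf_check POLICY_DIR FUNCTION SCRIPT
#   0 = call allowed, 1 = denied (PHP warning), 2 = default file missing (fatal)
sf_check() {
    sf_dir=$1 sf_func=$2 sf_script=$3
    # The global default file is mandatory, even if a per-function file exists.
    [ -f "$sf_dir/default" ] || return 2
    # A per-function file takes precedence; otherwise use the global default.
    sf_list="$sf_dir/$sf_func"
    [ -f "$sf_list" ] || sf_list="$sf_dir/default"
    while IFS= read -r sf_entry || [ -n "$sf_entry" ]; do
        case $sf_entry in
            '') ;;                                   # skip blank lines
            */) case $sf_script in "$sf_entry"*) return 0 ;; esac ;;
            *)  if [ "$sf_script" = "$sf_entry" ]; then return 0; fi ;;
        esac
    done < "$sf_list"
    return 1
}

# Build a constructed sample policy in a temp dir and print its path.
sf_sample_policy() {
    sf_tmp=$(mktemp -d) || return 1
    printf '%s\n' /var/www/admin/ > "$sf_tmp/default"       # folder entry
    printf '%s\n' /var/www/index.php > "$sf_tmp/phpinfo"    # file entry
    # Readable by everyone, writable only by the owner of the policy files.
    chmod 755 "$sf_tmp"; chmod 644 "$sf_tmp/default" "$sf_tmp/phpinfo"
    printf '%s\n' "$sf_tmp"
}

# Demo: the listed script is allowed, an unlisted (uploaded) script is refused.
policy=$(sf_sample_policy)
for script in /var/www/index.php /var/www/uploads/shell.php; do
    if sf_check "$policy" phpinfo "$script"; then verdict=allowed
    else verdict=denied; fi
    printf 'phpinfo from %s: %s\n' "$script" "$verdict"
done
rm -rf "$policy"
```

Because a per-function file replaces the default list rather than extending it, a script under /var/www/admin/ is still refused phpinfo in this sample policy.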

For more details

  •  See the SECURE_FUNCTIONS file for the PHP functions that support the security feature.
  •  A template for the security entry in php.ini is available in php.ini-development / php.ini-production.
  •  You can view the source code; it is written in /ext/standard/php_security.c

Download

   You can download the patched PHP beta source code, then compile and install it on your server, from here.
