This is a discussion on protecting against cracking into filesystem within the PHP Language forums, part of the PHP Programming Forums category.

I am trying to secure sites I am developing, and I am especially concerned about intruders gaining command-line access to my sites by penetrating my PHP code. I have no idea how someone would do that.

My sites are in a shared hosting environment, and I know that is an intrinsically insecure situation. I guess I will just have to live with it. However, what methods would someone visiting my site use to get to the command line, without having an account on the same server? How can I guard against such intrusions?

On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
> I am trying to secure sites I am developing, and I am especially
> concerned about intruders gaining command-line access to my sites by
> penetrating my PHP code. I have no idea how someone would do that.
>
> My sites are in a shared hosting environment, and I know that is an
> intrinsically insecure situation. I guess I will just have to live
> with it. However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

This all depends on your site (what it does) and how you've programmed it. One can simply use methods like code injection to gain access, but again this depends on your site and its practices.

On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
>... However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

There are many on-line guides to PHP security, I would recommend every PHP guy to check them out, and keep up to date on PHP news regularly. Mainly what you want to guard against is someone making your site do things it wasn't intended to do. None of them are overly hard to implement, mainly a case of doing good coding practices.

One of the more popular is the "Top 7 PHP Security Blunders"
http://www.sitepoint.com/article/php-security-blunders

and the Zend PHP Security Tips are good too:
http://devzone.zend.com/tag/Security_Tips

The main points of vulnerability are:

- GET, POST, COOKIE data (anything that could potentially come from the user): make sure it is clean, not only from bad code that could compromise PHP/HTML or bad URLs that will redirect output, but also from code that might compromise your SQL databases (if you use any).

- The next one is how pages interact with each other - sure everything works fine when Page A calls or includes Page B but what happens if outside Badguy Page X tries to call Page B?

- Authentication - make sure you know who you are dealing with and don't let them have the opportunity to do more than what you want them to.

- Other websites on shared servers pose other risks in that they may have an advantage of being on the same webhost and able to mess with things on the inside (Session data).

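The "Page A includes Page B" point from the post above, as an added example that is not part of the original thread: an entry script that includes only files named in a fixed map, and an include file that stops when it was not loaded by that entry script. The constant `APP_ENTRY`, the function `dispatch()`, the page names and the temporary directory are all constructed for illustration.

```php
<?php
// Added example; page names, file contents and paths are constructed for illustration.
declare(strict_types=1);

define('APP_ENTRY', true);   // set only by the entry script

// Stand-in for a directory outside the web root that holds the include files.
$pageDir = sys_get_temp_dir() . '/app_pages_demo';
is_dir($pageDir) || mkdir($pageDir, 0750);
// First statement of every include: stop unless the entry script loaded it.
file_put_contents("$pageDir/home.php",
    "<?php defined('APP_ENTRY') || exit('no direct access');\nreturn 'home page';\n");

// Public page names mapped to files; the request never supplies a path.
$pages = ['home' => 'home.php'];

function dispatch(array $pages, string $pageDir, $requested): string
{
    // $_GET values may be arrays, so check the type before using it as a key.
    if (!is_string($requested) || !isset($pages[$requested])) {
        return 'not found';
    }
    $result = require $pageDir . '/' . $pages[$requested];
    return (string) $result;
}

// Constructed request values, as they might arrive in $_GET['page'].
foreach (['home', 'admin', '../home.php', ['home']] as $requested) {
    echo json_encode($requested) . ' => ' . dispatch($pages, $pageDir, $requested) . "\n";
}
```

Only the first request value reaches an include; the others never touch the filesystem because they are not keys of the map.
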
On Sat, 12 Jan 2008 22:02:24 +0100, <larry@portcommodore.com> wrote:
> On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
>> ... However, what methods would someone visiting my site use to
>> get to the command line, without having an account on the same server?
>> How can I guard against such intrusions?
>
> There are many on-line guides to PHP security, I would recommend every
> PHP guy to check them out, and keep up to date on PHP news regularly.
> Mainly what you want to guard against is someone making your site
> do things it wasn't intended to do. None of them are overly hard to
> implement, mainly a case of doing good coding practices.
>
> One of the more popular is the "Top 7 PHP Security Blunders"
> http://www.sitepoint.com/article/php-security-blunders
>
> and the Zend PHP Security Tips are good too:
> http://devzone.zend.com/tag/Security_Tips
>
> The main points of vulnerability are:
>
> - GET, POST, COOKIE data, (anything that could potentially come from
> the user) make sure it is clean, not only from bad code that could
> compromise PHP/HTML or bad URLs that will redirect output, but also
> from code that might compromise your SQL databases (if you use any).

Add a lot of the items of $_SERVER data to the list, and don't forget the session id is derived from one of the request variables...

--
Rik Wasmus

On 12 Jan, 18:15, firewood...@yahoo.com wrote:
> I am trying to secure sites I am developing, and I am especially
> concerned about intruders gaining command-line access to my sites by
> penetrating my PHP code. I have no idea how someone would do that.
>
> My sites are in a shared hosting environment, and I know that is an
> intrinsically insecure situation. I guess I will just have to live
> with it. However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

These might be helpful as an introduction to PHP security:

http://www.owasp.org/index.php/PHP_Top_5
http://shiflett.org/
http://www.hardened-php.net/

But as you observed, with a hosted server, indeed a *shared* hosted server, you don't have any real security.

C.

On Jan 12, 6:15 pm, firewood...@yahoo.com wrote:
> I am trying to secure sites I am developing, and I am especially
> concerned about intruders gaining command-line access to my sites by
> penetrating my PHP code. I have no idea how someone would do that.
>
> My sites are in a shared hosting environment, and I know that is an
> intrinsically insecure situation. I guess I will just have to live
> with it. However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

The short of it, follow the Fox Mulder approach when it comes to handling user input and trust no one.

The long of it, there are plenty of ways a PHP script could be breached but what may happen depends on the script itself and what it's doing. Here are a few tips that can be applied in general:

Never trust user input. Always check that form variables are in the correct format and are valid for what you're attempting to do with them. One tip to do this quickly for integer values is to simply apply intval() to them. Any invalid input will evaluate to 0.

Never pass an unsanitized string to a database query. The vast majority of cracks in PHP apps occur this way. A malicious user could potentially use a script that doesn't check its input before passing it to a database to do almost anything - Insert malicious data, expose sensitive information, delete tables, anything. PDO prepared statements are one way to limit the possibility of damage, but don't depend on them as your only line of defence. Validate your data first.

Give permission to your script to do what it has to to work and nothing else. If your script writes to the filesystem allow it to write only to locations you condone by chmodding directories. Directories with a chmod value of 0777 are wide open. Create database users for your application to use that have access only to what they need.

Keep as much of your application out of web-facing locations as possible. Of course the scripts that generate web page output must be visible from the web but there's no reason includes have to be.

Don't use filesystem commands (rmdir, unlink, fopen etc) in your scripts unless you absolutely have to. Unvalidated input passed to commands that access or modify the filesystem can have dire consequences. You risk exposing sensitive files like /etc/passwd or damage to the filesystem that will prevent the machine from rebooting.

Under no circumstances should you use eval (), exec () or any derivative thereof! ABSOLUTELY DON'T USE THEM WITH USER INPUT! Eval and Exec are probably the most dangerous commands in the PHP command set. I've managed in years of coding to never use either, if you think you do need them then think very carefully about your design as it might be a code smell that there's something fundamentally wrong with what you're trying to do.

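The input-validation, prepared-statement and filesystem tips from the post above, as an added example that is not part of the original thread. The helpers `requireId()`, `findUser()` and `confinedPath()`, the `users` table and the sample directory are constructed for illustration; the example uses filter_var() rather than intval() so that malformed input is rejected outright, and assumes the pdo_sqlite extension is available.

```php
<?php
// Added example; helper names, table and directory are constructed for illustration.
declare(strict_types=1);
// Accept only a positive decimal integer; malformed input is rejected, not coerced.
function requireId($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// The query text is fixed; the validated id travels only as a bound parameter.
function findUser(PDO $db, $rawId): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', requireId($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Resolve a user-supplied name under $baseDir; refuse anything that escapes it.
function confinedPath(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path outside allowed directory');
    }
    return $path;
}

$db = new PDO('sqlite::memory:');   // constructed sample database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice')");
$dir = sys_get_temp_dir() . '/uploads_demo';   // constructed sample directory
is_dir($dir) || mkdir($dir, 0750);
file_put_contents("$dir/report.txt", 'ok');

foreach (['1', '2', '1 OR 1=1', 'abc'] as $raw) {
    try { echo $raw . ' => ' . json_encode(findUser($db, $raw)) . "\n"; }
    catch (InvalidArgumentException $e) { echo $raw . " => rejected\n"; }
}
foreach (['report.txt', '../../etc/passwd'] as $name) {
    try { echo $name . ' => ' . confinedPath($dir, $name) . "\n"; }
    catch (RuntimeException $e) { echo $name . " => rejected\n"; }
}
```

The id `2` is well-formed but absent, so it yields `null`; the two malformed ids and the path that resolves outside the sample directory are rejected before any query or file access happens.
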
C. (http://symcbean.blogspot.com/) wrote:
> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>> I am trying to secure sites I am developing, and I am especially
>> concerned about intruders gaining command-line access to my sites by
>> penetrating my PHP code. I have no idea how someone would do that.
>>
>> My sites are in a shared hosting environment, and I know that is an
>> intrinsically insecure situation. I guess I will just have to live
>> with it. However, what methods would someone visiting my site use to
>> get to the command line, without having an account on the same server?
>> How can I guard against such intrusions?
>
> These might be helpful as an introduction to PHP security:
>
> http://www.owasp.org/index.php/PHP_Top_5
> http://shiflett.org/
> http://www.hardened-php.net/
>
> But as you observed, with a hosted server, indeed a *shared* hosted
> server, you don't have any real security.
>

At a slight tangent..I looked into hosting, and for the few sites I have developed - low bandwidth, small scale businesses - frankly it was far more cost effective to host them on a properly set up and maintained machine at the end of my broadband line, using a fixed IP address.

If any or all of them get to be supremely profitable.high bandwidth, then I will stick my own machine in a hosting center.

The 'in between' of actually hosting on a shared machine, seems to me to get less and less attractive.

It's better for backups I guess..

> C.

The Natural Philosopher wrote:
> C. (http://symcbean.blogspot.com/) wrote:
>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>> I am trying to secure sites I am developing, and I am especially
>>> concerned about intruders gaining command-line access to my sites by
>>> penetrating my PHP code. I have no idea how someone would do that.
>>>
>>> My sites are in a shared hosting environment, and I know that is an
>>> intrinsically insecure situation. I guess I will just have to live
>>> with it. However, what methods would someone visiting my site use to
>>> get to the command line, without having an account on the same server?
>>> How can I guard against such intrusions?
>>
>> These might be helpful as an introduction to PHP security:
>>
>> http://www.owasp.org/index.php/PHP_Top_5
>> http://shiflett.org/
>> http://www.hardened-php.net/
>>
>> But as you observed, with a hosted server, indeed a *shared* hosted
>> server, you don't have any real security.
>>
>
> At a slight tangent..I looked into hosting, and for the few sites I have
> developed - low bandwidth, small scale businesses - frankly it was far
> more cost effective to host them on a properly set up and maintained
> machine at the end of my broadband line, using a fixed IP address.
>
> If any or all of them get to be supremely profitable.high bandwidth,
> then I will stick my own machine in a hosting center.
>
> The 'in between' of actually hosting on a shared machine, seems to me to
> get less and less attractive.
>
> It's better for backups I guess..
>
>
>> C.
>

What happens when you have a power outage? Or when your broadband line goes down? And what if you're on vacation for two weeks when the system crashes and needs rebooting?

Hosting centers have backup power and communications, people on site 24/7 for emergency work, etc. Hosting hobby sites in your home may be fine. But I'd never put a business site there.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

The Natural Philosopher wrote:
> C. (http://symcbean.blogspot.com/) wrote:
> At a slight tangent..I looked into hosting, and for the few sites I
> have developed - low bandwidth, small scale businesses - frankly it
> was far more cost effective to host them on a properly set up and
> maintained machine at the end of my broadband line, using a fixed IP
> address.

You must have a good upload speed then. Most BB in my country is ADSL.

Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> C. (http://symcbean.blogspot.com/) wrote:
>>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>>> I am trying to secure sites I am developing, and I am especially
>>>> concerned about intruders gaining command-line access to my sites by
>>>> penetrating my PHP code. I have no idea how someone would do that.
>>>>
>>>> My sites are in a shared hosting environment, and I know that is an
>>>> intrinsically insecure situation. I guess I will just have to live
>>>> with it. However, what methods would someone visiting my site use to
>>>> get to the command line, without having an account on the same server?
>>>> How can I guard against such intrusions?
>>>
>>> These might be helpful as an introduction to PHP security:
>>>
>>> http://www.owasp.org/index.php/PHP_Top_5
>>> http://shiflett.org/
>>> http://www.hardened-php.net/
>>>
>>> But as you observed, with a hosted server, indeed a *shared* hosted
>>> server, you don't have any real security.
>>>
>>
>> At a slight tangent..I looked into hosting, and for the few sites I have
>> developed - low bandwidth, small scale businesses - frankly it was far
>> more cost effective to host them on a properly set up and maintained
>> machine at the end of my broadband line, using a fixed IP address.
>>
>> If any or all of them get to be supremely profitable.high bandwidth,
>> then I will stick my own machine in a hosting center.
>>
>> The 'in between' of actually hosting on a shared machine, seems to me to
>> get less and less attractive.
>>
>> It's better for backups I guess..
>>
>>
>>> C.
>>
>
> What happens when you have a power outage?

Hoy... The UPS kicks in? My UPS will last for 48+ hours, A triplite with 12 automotive batteries in parallel.

> Or when your broadband line
> goes down?

It switches to a DSL backup line?

> And what if you're on vacation for two weeks when the system
> crashes and needs rebooting?

What crashes? I use my own scratch built Linux servers and they have not crashed in 4+ years.

>
> Hosting centers have backup power and communications, people on site
> 24/7 for emergency work, etc.

Some ISPs in the USA ie: time warner have business class and provide this.

> Hosting hobby sites in your home may be
> fine. But I'd never put a business site there.
>

I would if it is cost effective.

--
Dancin in the ruins tonight
Tayo'y Mga Pinoy