logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Other Software View previous topic :: View next topic
Reply to topic   Topic: PHP Locking down directories on Windows
Author
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Tue 14 Apr '15 3:02    Post subject: PHP Locking down directories on Windows Reply with quote

So this is a unique question what falls into the ball park of php execution of files.

In my PHP.ini file it contains the following.
Code:
[PATH=s:/webroot/domain.nl]
open_basedir = s:/webroot/domain.nl
doc_root = s:/webroot/domain.nl
error_reporting = E_ALL & ~E_NOTICE
error_log = s:/logging/php/domain.nl.errors.log
upload_tmp_dir = s:/webroot/domain.nl/uploads
session.save_path = s:/webroot/domain.nl/sessions


So with open_basedir and doc_root i have told php not to execute scripts outside of those directories and not to get files outside of those directories.

But i can still execute ffmpeg.exe even though i have not listed the file path for ffmpeg in the php.ini is that normal how can i tell php not to do this because to me that seems as a insecurity.

Before anyone talks about disabling the exec function i need to be able to execute ffmpeg.exe for video conversions but i want php to only execute ffmpeg not files people could upload for example.

Is there a way i can whitelist specific directories for execution of files on the server.
Example :
Code:
C:/server/ffmpeg/ffmpeg.exe


And to only allow execution of the ffmpeg.exe ?

From my understanding right now there would be nothing stopping a user from uploading a file to their site and then uploading a ".exe" file and executing it on the server with a php script. (Hacking)

I think what i am after is "include_path" what currently is default but i am not sure either way i will wait for a response.
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Tue 14 Apr '15 13:03    Post subject: Reply with quote

Not directly, you can add a group with exec rights only to one folder, or even to one file, thats how we do it here. See user/group management and associate them with NTFS rights.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Tue 14 Apr '15 15:07    Post subject: Reply with quote

Yeah i figured that something like that was going to be the outcome i take it on linux they do the same.
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Tue 14 Apr '15 16:48    Post subject: Reply with quote

More or less yes, the OS choice makes no difference in how you lock down stuff, just have a hackers hat on when doing hackable things.

It reminds me of a very old hackers mind set, in a classroom security student were asked to switch off the lights but they were not allowed to use the light switch.... needless to say the right answer was to use the light switch Mr. Green
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Tue 14 Apr '15 16:48    Post subject: Reply with quote

You can limit that if you run apache as a different user than the default service. See http://www.howtogeek.com/howto/8739/restrict-users-to-run-only-specified-programs-in-windows-7/

For sure you have to allow php-cgi.exe and httpd.exe, too. Maybe some others.
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Tue 14 Apr '15 16:57    Post subject: Reply with quote

Where doing that already for some time with our Install_nginx_php_services.zip which could be used for other purposes.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Tue 14 Apr '15 17:52    Post subject: Reply with quote

Makes sense but atleast the security is there does that go for scripts too such as .vbs, .cmd, .bat etc ? Does it mean that those can not be executed unless whitelisted.
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Tue 14 Apr '15 18:57    Post subject: Reply with quote

C0nw0nk wrote:
Makes sense but atleast the security is there does that go for scripts too such as .vbs, .cmd, .bat etc ? Does it mean that those can not be executed unless whitelisted.

Depends how you deny/grant access and to which service user, scripts are run by interpreters like cmd.exe cscript.exe etc...

It takes a bit of work, create a group which has no exec access anywhere, then assign exec rights where needed. This is also valid for file creation in temp folders and anywhere else.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Wed 15 Apr '15 1:47    Post subject: Reply with quote

Thanks ng4win i do not do public shared hosting but i do have allot of my own sites on multiple machines and to prevent them being compromised in the event one does encounter a security flaw id rather have them all secured and lock them down with this method.

Are there any other security methods i should look into or take onboard ?

snce my sites only require access to imagick's convert.exe and ffmpeg's ffmpeg.exe process they do not need to be executing anything else.
Back to top
ng4win



Joined: 25 May 2014
Posts: 78

PostPosted: Wed 15 Apr '15 11:25    Post subject: Reply with quote

C0nw0nk wrote:
Are there any other security methods i should look into or take onboard ?

Only hardening following CIS for your OS.

Despite NSA's bad rep. they do have very good CIS hardening guides.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Wed 15 Apr '15 14:09    Post subject: Reply with quote

Oh yes i have seen these before.

https://wikis.utexas.edu/display/ISO/Windows+2008R2+Server+Hardening+Checklist
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 15 Apr '15 15:30    Post subject: Reply with quote

C0nw0nk wrote:
Makes sense but atleast the security is there does that go for scripts too such as .vbs, .cmd, .bat etc ? Does it mean that those can not be executed unless whitelisted.


With that link that I posted even .vbs and other stuff can't be executed from the server. Yes it is a white listing.
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Wed 15 Apr '15 15:47    Post subject: Reply with quote

Yes thanks James Smile this lets not just myself, but others know how to properly secure their applications and combined with the scripts NG4WIN made to lock users down.

http://nginx-win.ecsds.eu/download/Install_nginx_php_services.zip

Those of us on windows are much more secure Smile
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Thu 16 Apr '15 17:08    Post subject: Reply with quote

I prefer to use apache over nginx Wink
Back to top
C0nw0nk



Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Thu 16 Apr '15 20:47    Post subject: Reply with quote

I did use Apache and it was good but the issue with apache for me in a high traffic multi media enviorment was pseudo streaming no maintained modules for it on windows etc you would need seperate modules for FLV then MP4.

And apache used allot of CPU/Ram since i switched to nginx all that is built into it, My cpu is always 1% or 0% and ram usage onit never goes higher than 15,000K and if that was not good enough it also fixes the C10K port connection limit what i am pretty sure apache has not done yet and apache users still have a concurrent connection limit.
Back to top


Reply to topic   Topic: PHP Locking down directories on Windows View previous topic :: View next topic
Post new topic   Forum Index -> Other Software