security question.

Ed W lists at
Sun Apr 13 02:59:32 MSD 2008

Cliff Wells wrote:
> True and this is a real concern that I shouldn't have dismissed.  On the
> plus side, it's pretty difficult to get shell via a web application

If this were true then I am over worried, but it seems to me that a php 
injection attack makes it trivial to get a shell as the PHP user.  Any 
PHP injection attack can run any PHP script, hence the phpshell util can 
be uploaded, or a common attack seems to be to use php cURL to download 
an exe to the temp folder and execute it.

Both of the above attacks are mitigated by using the security controls 
of grsec or similar, and whilst a determined attacker will fine-tune the 
attack the key thing is that standard script kiddie attacks will be 
mitigated (think wordpress exploit + 10 mins on google searching for 
common wordpress keywords + automated attack script - if you kill the 
key attack methods using grsec then you are right down at the bottom of 
the "failed" list which can only be attacked by a more creative attacker 
and likely your script kiddie is happy with his 1000+ easily cracked 
systems and won't bother with you)

This is the kind of thing which worries me more though.  Shell on a host 
which is behaving normally and the attack is not obvious until you find 
a machine pumping millions of email messages...

As an aside I adjusted the examples on the wiki, but heads up all using 
nginx.  The default examples on the wiki leave you VULNERABLE to serious 
php injection attacks.  Most php apps are setup for apache and have 
.htaccess rules as part of the deployment.  Most users on nginx seem to 
struggle just to setup fastcgi and I will give you even money they don't 
translate all the .htaccess script to nginx rules...  Therefore you only 
need to look for a typical php app which allows uploads into a web 
accessible dir, upload a file xyz.php, then point your browser at the 
uploaded file and you have just run the script of your choice on the 
host system.  LOTS of php apps are vulnerable and I give you good odds 
that most nginx systems are vulnerable because of the lack of debugged 
standard configs. 

I don't want to list any widely deployed apps here to avoid giving too 
many people a leg up, but it should be something that everyone here 

Hence my previous point about using grsec to sandbox scripts, limit 
network access, block temp dirs, etc will kill off most standard upload 
script attacks.  Better yet to fix the problem, but that's harder...

Ed W

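As an added illustration, not part of Ed W's message or of the nginx wiki examples he refers to, here is the problem he describes expressed as nginx configuration: a minimal PHP-over-FastCGI server block that hands any *.php under the document root to PHP (so an attacker's /uploads/xyz.php runs), followed by a hardened variant that refuses to execute scripts from the upload directory. Hostnames, the document root, the /uploads/ path and the FastCGI address are assumptions for the example.

```nginx
# --- Weak: the usual "just get fastcgi working" config ---
server {
    listen 80;
    server_name weak.example.com;      # assumed hostname
    root /var/www/app;                 # assumed document root; /uploads/ is writable by the app

    # Every request ending in .php is executed, wherever the file lives.
    # A file uploaded to /uploads/xyz.php is therefore run by PHP the
    # moment someone requests /uploads/xyz.php.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;   # assumed php-cgi/FastCGI listener
    }
}

# --- Hardened: upload directory is static-only, equivalent of the
# --- "php_flag engine off" / "deny .php" .htaccess most apps ship ---
server {
    listen 80;
    server_name hardened.example.com;  # assumed hostname
    root /var/www/app;

    # Regex locations are tried in order of appearance and the first
    # match wins, so this refusal must precede the generic PHP location.
    # Anything script-like under /uploads/ gets a 403 instead of execution.
    location ~* ^/uploads/.*\.(php|phtml|phar)$ {
        return 403;
    }

    # Serve everything else under /uploads/ as plain static files.
    location ^~ /uploads/ {
        # ^~ stops the regex search, so nothing here ever reaches FastCGI.
    }

    location ~ \.php$ {
        # Only execute scripts that actually exist on disk; this also
        # refuses requests such as /foo.jpg/bar.php that PHP might otherwise
        # resolve to the wrong file via PATH_INFO handling.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

To check a deployment, upload (or create) a harmless test.php under the upload directory and request it: the weak config returns whatever the script prints, the hardened one returns 403. The same check should be repeated for every directory the application lets users write to, since each one needs its own refusal rule.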