security question.
Ed W
lists at wildgooses.com
Sun Apr 13 02:59:32 MSD 2008
Cliff Wells wrote:
>
> True and this is a real concern that I shouldn't have dismissed. On the
> plus side, it's pretty difficult to get shell via a web application
>
If this were true then I am over worried, but it seems to me that a PHP
injection attack makes it trivial to get a shell as the PHP user. Any
PHP injection attack can run any PHP script, hence the phpshell util can
be uploaded, or a common attack seems to be to use PHP cURL to download
an exe to the temp folder and execute it.
Both of the above attacks are mitigated by using the security controls
of grsec or similar, and whilst a determined attacker will fine-tune the
attack, the key thing is that standard script kiddie attacks will be
mitigated (think WordPress exploit + 10 mins on Google searching for
common WordPress keywords + automated attack script; if you kill the
key attack methods using grsec then you are right down at the bottom of
the "failed" list, which can only be attacked by a more creative attacker,
and likely your script kiddie is happy with his 1000+ easily cracked
systems and won't bother with you).
This is the kind of thing which worries me more though. Shell on a host
which is behaving normally and the attack is not obvious until you find
a machine pumping millions of email messages...
As an aside, I adjusted the examples on the wiki, but heads up to all using
nginx. The default examples on the wiki leave you VULNERABLE to serious
PHP injection attacks. Most PHP apps are set up for Apache and have
.htaccess rules as part of the deployment. Most users on nginx seem to
struggle just to set up fastcgi and I will give you even money they don't
translate all the .htaccess script to nginx rules... Therefore you only
need to look for a typical PHP app which allows uploads into a web
accessible dir, upload a file xyz.php, then point your browser at the
uploaded file and you have just run the script of your choice on the
host system. LOTS of PHP apps are vulnerable and I give you good odds
that most nginx systems are vulnerable because of the lack of debugged
standard configs.
I don't want to list any widely deployed apps here to avoid giving too
many people a leg up, but it should be something that everyone here
RUSHES TO CHECK RIGHT NOW!!
Hence my previous point: using grsec to sandbox scripts, limit
network access, block temp dirs, etc. will kill off most standard upload
script attacks. Better yet to fix the problem, but that's harder...
Ed W
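The configuration problem the post describes, as an added illustration that is not from the post, the nginx wiki, or any particular app: the first server block forwards every `*.php` URI to the FastCGI backend, so a script dropped into an upload directory runs; the second keeps the upload tree static-only. The hostname, document root, `/uploads/` path and `127.0.0.1:9000` backend are assumed values.

```nginx
# Weak (constructed example of the pattern warned about above): any URI
# ending in .php, including one under the upload directory, is executed.
server {
    listen 80;
    server_name example.com;          # assumed hostname
    root /var/www/app;                # assumed document root

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # assumed PHP FastCGI backend
    }
}

# Hardened: the upload directory is never handed to the FastCGI backend,
# which is the equivalent of the .htaccess rule most PHP apps ship.
server {
    listen 80;
    server_name example.com;
    root /var/www/app;

    # "^~" makes this prefix match win over the regex location below,
    # so the generic \.php$ handler never sees requests under /uploads/.
    location ^~ /uploads/ {
        # refuse to serve script-like files from the upload tree at all,
        # rather than returning their source as a static file
        location ~* \.(php|phtml|php[0-9])$ {
            return 403;
        }
    }

    location ~ \.php$ {
        # only forward scripts that actually exist on disk
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

The same `^~` block is needed for every directory the application lets users write to, not just `/uploads/`; `nginx -t` checks the syntax but not the policy, so test by requesting a harmless `.php` file placed in the upload directory and expecting a 403.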