Admin security for a CMS
Hi. I've developed a CMS. One of its features is that the admin user can add modules in a form. That means there's a big textarea for the user to add some PHP code, which will run on the frontend.
But... what can I do if an admin becomes "evil" and adds some kind of malicious code? For example: unlink() or a $sql = 'DROP database...' etc.? Is there a way to stop critical commands like those?
I know that admins should be responsible for their own password, but you never know.
Any ideas? Thanks.
If I were to do something like this, just for absolute security, I wouldn't let these 'admins' (which if they can potentially become 'evil' shouldn't be admins in the first place) just add code, but maybe have them add it to a text file for reviewing by you, and then you can add it to the site. This method should be sufficient since there probably isn't going to be many additions to the system anyway, but if it still presents an issue, then you can use preg_replace [us3.php.net] to take out all of the functions that you do not want an admin to use. Since this function utilizes regular expressions, here's a tutorial [webmasterworld.com]. Good luck ;)
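One way to implement the review step suggested above (admins submit code, the site owner reviews it, and only reviewed code is ever included), as an added example in PHP that is not from the thread. The directory layout, the approved-hash file and the function names are assumptions; it relies on only the owner having write access to the approved directory and the hash file.

```php
<?php
// Added example: review gate for admin-submitted modules (constructed, not from the thread).
// Submitted code lands in a pending directory and is never executed from there.
// After review, the owner copies it to the approved directory and records its SHA-256;
// at include time the file is run only if its current hash is on that list.
declare(strict_types=1);

const MODULE_PENDING_DIR  = __DIR__ . '/modules/pending';         // assumed layout
const MODULE_APPROVED_DIR = __DIR__ . '/modules/approved';        // owner-writable only
const APPROVED_HASH_FILE  = __DIR__ . '/modules/approved.sha256'; // one hex digest per line

function submitModule(string $name, string $source): string
{
    // Strict name check so a submitted name cannot become a path traversal.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        throw new InvalidArgumentException('invalid module name');
    }
    $path = MODULE_PENDING_DIR . '/' . $name . '.php';
    file_put_contents($path, $source, LOCK_EX);
    // The owner reviews the file and, if satisfied, records this digest.
    return hash('sha256', $source);
}

function loadApprovedHashes(): array
{
    $lines = @file(APPROVED_HASH_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    return array_flip(array_map('strtolower', array_map('trim', $lines)));
}

function includeApprovedModule(string $name): bool
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return false;
    }
    $path = MODULE_APPROVED_DIR . '/' . $name . '.php';
    if (!is_file($path)) {
        return false;
    }
    // Re-hash on every include: an edit after approval changes the digest and blocks the module.
    $digest = hash_file('sha256', $path);
    if (!isset(loadApprovedHashes()[$digest])) {
        error_log("module '$name' rejected: digest $digest is not approved");
        return false;
    }
    require $path;
    return true;
}
```

The digest check closes the gap between "an admin typed code" and "the code runs"; it does nothing to judge what the code does, which is the reviewer's job.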
Thanks, I'll stick to the preg ;)
... I would not do this: taking code from a public text area and running it.
It is a security risk. You won't find ALL unwanted functions and features -- there are too many of them, and there are too many ways to exploit.
If you scan for "DROP " to prevent a DROP DATABASE, then how about this:
$abc = 'D';              // $abc is "D"
$x = "base";             // $x is "base"
$abc .= 'R' . "OP";      // $abc is now "DROP"
$y = 'data' . $x;        // $y is "database"
$sql = $abc . " " . $y;  // $sql is "DROP database", and no literal "DROP " ever appeared in the source
It is a can of worms.
Good point Romeo. I wonder though, if MySQL connections are closed before the 'admin content' is included into a file, they wouldn't have access to the database anyway unless they had their own account, in which case you can limit their privileges (preventing any malicious actions). Or even, have every DB connection use an account that has these restrictions so that there is no way any DBs or tables will be dropped. I don't know, just a thought ;)
|But... what can I do if an admin becomes "evil" and adds some kind of malicious code? For example: unlink() or a $sql = 'DROP database...' etc.|
You can do nothing about that. Even preg_replace won't help you; this will just lead to the situation making your code more complex and even more critical. There is no such routine to filter out "bad" commands. Your computer just knows commands, so it will execute commands. Your computer does not judge whether these commands are good or bad.
Since PHP is a very complex language with a lot of features, there is no such filter on specific executions which could classify as bad. There is even no way of classification, I guess.
For your application I would suggest to use some other language which just has got all the features needed for plugins and nothing more in addition.
Well... depending on how much restriction you want to give the admins, you can disable certain functions in the php.ini file, assuming you aren't going to need them anywhere else.
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
Thank you all for the tips and replies. I think the best way to go around this is to limit the module PHP codification to TOP LEVEL admin users only.