'exploits' involving chmod command

php and security

         

kafkaesque

7:39 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



I've been running a picrating site with lunarpages for a couple of years now and have this week had my account suspended due to an exploit resulting in the draining of server resources. My site involves members uploading their pics to be rated. I've been told I have to update this script to have my account reopened; the problem is I have not the faintest idea about exploits and how someone could have exploited this script. I have to say lunarpages have not been very helpful advice-wise. Could someone please give me some guidance? I'd really appreciate it!

jatar_k

7:43 pm on Sep 15, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



welcome to WebmasterWorld kafkaesque,

do you have any idea what script was exploited?
any more info about specifically what happened would help us to give advice.

kafkaesque

9:48 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



I was told by lunarpages that the problem must be arising from a gallery or forum script or a third party script. As I said I have a simple script that allows a visitor to create an account (a username and password which I then set as cookies) and then a simple upload file script which allocates the file uploaded (a jpeg or gif) to be the member's picture which is then rated. The only 3rd party script apart is autolinks, which has its own folders which are set at permissions 777.

What should I be looking at specifically? I don't understand how a user interaction script (my upload file) script can be particularly vulnerable to an exploit. I've looked around the web for information on exploits and it all seems beyond me technically (I learnt just enough php from scratch to construct my site).

figment88

9:57 pm on Sep 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



obviously, your host hasn't provided full information so anything is just a guess.

My guess, though, is they don't like you leaving directories wide open (777). With wide-open directories people can upload anything from anywhere -- that is they can bypass your upload script.

To give you an example of why this is bad, in the early days of the Internet porn traders used to find open directories and use them as way stations. Someone would upload a bunch of porn to a open server for others to grab anonymously.

Maybe your host would be happy if you had your directories at 755, changed them to 777 before you upload, and change them back to 755 after the upload.

kafkaesque

11:01 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



thanks figment, I'll investigate that possibility.
here are the 2 emails that lunarpages sent me 'detailing' the problem:

[edited by: jatar_k at 2:22 pm (utc) on Sep. 16, 2005]
[edit reason] removed email content [/edit]

figment88

11:33 pm on Sep 15, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



ok, it looks like the php not the directory permissions causing the problem.

You said you wrote the script from scratch, so there may be problems from your coding.

For example, do you limit the size of user uploads? You might have someone trying to upload a 10 meg photo, think nothing is happening, keep hitting refresh, resulting in server overload.

Do you do processing on the uploaded photos? PHP image manipulation functions can be fairly intensive especially if you are doing them on large files. Again you might need to limit file size, you might need to queue photos for processing.

As popularity grows, demands from a photos site can quickly overload a quick homebrewed script. You might want to investigate getting a more stable script from sourceforge, hotscripts, etc. There are many GNU or free licensed scripts that upload photos, place them in a gallery, let users rate, etc.

BTW you're not supposed to post emails in these forums. However, if one of my hosts sent me an email that basically said we have too many customers to deal with the likes of you, they would soon have one less.

kafkaesque

11:56 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



thanks again figment. My site isn't very popular and its traffic has been steady for the last year. I run several picrating sites and I'm just frightened that the others (which attract far more traffic) will get likewise suspended. I actually only get 2 or 3 photos uploaded each day and quite a small file size is set. I think it would be a good idea for me to invest in a professional script however.

I have encountered a problem with system resources before and it was concerned with a badly written script I had which tried to ensure that newly uploaded pics were displayed more often than older ones. If I had forgotten or was unable to moderate the pictures for a few days a loop would arise causing the system drainage. As I was on vacation for 10 days prior to my account and didn't moderate this site I assumed that the same problem had arisen again, however what would the chmod have to do with this?

sorry for including an email in the last post, won't happen again :-)

kafkaesque

7:24 am on Sep 16, 2005 (gmt 0)

10+ Year Member



I use a 3rd party script to handle link exchanges - autolinks pro. I just found via google that a security flaw has been identified with it in the last couple of weeks - [securitytracker.com...]

seems that this is likely the cause of my problems. Presumably when these security flaws get identified and published on the net the hackers have a field day trying to exploit it before webmasters get around to fixing it.

the vendor has provided a patch to fix the flaw, hopefully lunarpages will open my account again. At least it's taught me to take security issues more seriously and also that if you are relying on your sites as income then it's risky to go on vacation even for a week unless you have someone to look after them in your absence.

thanks to figment for the advice, much appreciated

jatar_k

2:22 pm on Sep 16, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> Presumably when these security flaws get identified and published on the net the hackers have a field day trying to exploit it before webmasters get around to fixing it

the biggest problem being that most people don't stay up to date with their products. A published exploit should never work for long as it prompts vendors to release the appropriate patches.

>> At least its taught me to take security issues more seriously and also that if you are relying on your sites as income then its risky to go on vacation even for a week unless you have someone to look after them in your absence.

As far as not going on vacation, well, I hate to go that far but you're right security is very serious. Any time you use someone else's script it needs to be tightly maintained and watched.

another site I like is [securityfocus.com...] there are a bunch more as well.

good work figment and kafkaesque I did have to remove the email quote. No harm no foul. ;)

madmac

3:16 pm on Sep 16, 2005 (gmt 0)

10+ Year Member



>> My guess, though, is they don't like you leaving directories wide open (777). With wide-open directories people can upload anything from anywhere

What? First of all, you would have to allow anonymous access with upload privileges for anyone to be able to upload to your site at whim. And secondly 777 global access doesn't mean anyone on the globe can have full access to the files. It means any user on the machine can.

figment88

5:29 pm on Sep 16, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> It means any user on the machine can.

Yeah, I realized I was speaking too large after I made the post - was wondering if I was going to get away with it.

With some of these hosts, though, allowing thousands of ill-conceived sites on single machines it still ain't a great situation.
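
The 777 point discussed above (the "other" write bit lets any local user on a shared machine write into the directory) can be checked and tightened from a shell. This is an added example, not part of any post in the thread; the directory layout and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a web root for world-writable entries (the "other" write bit that
# mode 777 sets) and tighten them. All paths below are constructed samples.

# List every directory or regular file under $1 that "other" can write to.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# Drop write permission for group and other, leaving the owner's bits alone:
# a 777 directory becomes 755 and a 666 file becomes 644.
tighten() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod go-w {} +
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throwaway tree resembling the site described in the thread:
# a third-party script's folders at 777 next to normally protected files.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/autolinks/data" "$root/uploads" "$root/includes"
    : > "$root/autolinks/data/links.txt"
    : > "$root/includes/config.php"
    chmod 777 "$root/autolinks" "$root/autolinks/data" "$root/uploads"
    chmod 666 "$root/autolinks/data/links.txt"
    chmod 755 "$root/includes"
    chmod 644 "$root/includes/config.php"
    printf '%s\n' "$root"
}

# Demo run: report what any local user could write to, then fix it.
demo=$(make_demo_tree)
echo "World-writable before:"; world_writable "$demo"
tighten "$demo"
echo "World-writable after:";  world_writable "$demo"
rm -rf "$demo"
```

Where PHP runs as a different user from the account owner, a directory tightened this way is no longer writable by the upload script, so confirm uploads still work after the change.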