Forum Moderators: coopster & jatar k

Admin security for a CMS

     
4:39 pm on Jun 19, 2006 (gmt 0)

Preferred Member

5+ Year Member

joined:Mar 11, 2006
posts:379
votes: 0


Hi. I've developed a CMS. One of its features is that the admin user can add modules in a form. That means there's a big textarea for the user to add some PHP code that will run on the frontend.

But... what can I do if an admin becomes "evil" and adds some kind of malicious code? For example: unlink() or a $sql = 'DROP database...' etc...

Is there a way to stop critical commands like those?

I know that admins should be responsible for their own password, but you never know.

Any ideas? Thanks.

5:13 pm on June 19, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


If I were to do something like this, just for absolute security, I wouldn't let these 'admins' (which if they can potentially become 'evil' shouldn't be admins in the first place) just add code, but maybe have them add it to a text file for reviewing by you, and then you can add it to the site. This method should be sufficient since there probably aren't going to be many additions to the system anyway, but if it still presents an issue, then you can use preg_replace [us3.php.net] to take out all of the functions that you do not want an admin to use. Since this function utilizes regular expressions, here's a tutorial [webmasterworld.com]. Good luck ;)

5:35 pm on June 19, 2006 (gmt 0)

Preferred Member

5+ Year Member

joined:Mar 11, 2006
posts:379
votes: 0


Thanks, I'll stick to the preg ;)

10:16 am on June 20, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 28, 2002
posts:505
votes: 0


... I would not do this: taking code from a public text area and running it.
It is a security risk. You won't find ALL unwanted functions and features -- there are too many of them, and there are too many ways to exploit.

If you scan for "DROP " to prevent a DROP DATABASE, then how about this:
$abc = 'D';
$x = "base";
$abc .= 'R' . "OP";
$y = 'data' . $x;
$sql = $abc . " " . $y;

It is a can of worms.

Kind regards,
R.
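
Added example, not part of the original thread: a sketch of why a preg-based denylist does not see the snippet in the post above. The filter reads source text, while the database receives the string built at run time. The rule patterns and the function names `denylist_hits` and `runtime_sql` are assumptions made for illustration.

```php
<?php
// Hypothetical denylist of the kind proposed earlier in the thread.
const DENYLIST = [
    'unlink call'    => '/\bunlink\s*\(/i',
    'DROP statement' => '/\bDROP\s+(DATABASE|TABLE)\b/i',
];

/** Return the names of the denylist rules that match the given text. */
function denylist_hits(string $text): array
{
    $hits = [];
    foreach (DENYLIST as $name => $pattern) {
        if (preg_match($pattern, $text) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Run a module body that only builds $sql and return the resulting string. */
function runtime_sql(string $source): string
{
    eval($source);   // constructed samples below only assemble a string
    return $sql;
}

// Constructed sample 1: the statement written out literally.
$literal = <<<'SRC'
$sql = 'DROP DATABASE cms';
SRC;

// Constructed sample 2: the snippet from the post above, unchanged.
$assembled = <<<'SRC'
$abc = 'D';
$x = "base";
$abc .= 'R' . "OP";
$y = 'data' . $x;
$sql = $abc . " " . $y;
SRC;

foreach (['literal' => $literal, 'assembled' => $assembled] as $label => $src) {
    $static  = denylist_hits($src);               // what the form filter sees
    $dynamic = denylist_hits(runtime_sql($src));  // what would reach the database
    printf("%-10s source: %-16s runtime: %s\n", $label,
        $static ? implode(', ', $static) : 'no match',
        $dynamic ? implode(', ', $dynamic) : 'no match');
}
```

The literal sample matches the rule in both columns; the assembled sample matches only at run time, which is after the point where a form-submission filter has already let it through.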

12:17 pm on June 20, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


Good point, Romeo. I wonder though, if MySQL connections are closed before the 'admin content' is included into a file, they wouldn't have access to the database anyway unless they had their own account, in which case you can limit their privileges (preventing any malicious actions). Or even have every DB connection use an account that has these restrictions so that there is no way any DBs or tables will be dropped. I don't know, just a thought ;)

5:06 pm on June 20, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2003
posts:1230
votes: 0


"But... what can I do if an admin becomes "evil" and adds some kind of malicious code? For example: unlink() or a $sql = 'DROP database...' etc..."

You can do nothing about that. Even preg_replace won't help you; this will just lead to the situation making your code more complex and even more critical. There is no such routine to filter out "bad" commands. Your computer just knows commands, so it will execute commands. Your computer does not judge whether these commands are good or bad.

Since PHP is a very complex language with a lot of features, there is no such filter on specific executions that could be classified as bad. There is even no way of classification, I guess.

For your application I would suggest using some other language which has just all the features needed for plugins and nothing more in addition.

--hakre

6:59 pm on June 20, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


Well... depending on how much restriction you want to give the admins, you can disable certain functions in the php.ini file, assuming you aren't going to need them anywhere else.


; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =
7:46 pm on June 20, 2006 (gmt 0)

Preferred Member

5+ Year Member

joined:Mar 11, 2006
posts:379
votes: 0


Thank you all for the tips and replies. I think the best way to go around this is to limit the module PHP coding to TOP LEVEL admin users only.