[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Executing Scripts

Posted on 2004-11-27
17
Medium Priority
?
202 Views
Last Modified: 2008-03-06
Hi,
I would like to allow users to execute scripts on my server.  I want to make it as safe as possible (yes i know i shouldn't allow it but..) .  The only possibility I can think of is regex'ing the file for certain functions  but this seems kind of hit or miss.  Is there anyway to stop any actions it would do on the system?  Besides opening and closing 2 certain files?
0
Comment
Question by:Snow-Storm
  • 4
  • 4
  • 4
  • +1
15 Comments
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12692649
Can you ellaborate on exactly what you want to do snow, it is not very clear as to what you want to do.

php scripts can be executed if someone points to them via their browser I assume this is what you mean.
0
 
LVL 1

Author Comment

by:Snow-Storm
ID: 12692984
I want to run a  user uploaded script and make sure it doesn't try to attack my server.
0
 

Expert Comment

by:SpidermanZ
ID: 12693850
maybe you can try to use include or require functions
example
include ("test.php");
require ("test.php");
:)
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Expert Comment

by:SpidermanZ
ID: 12693860
more of it,
if you dont want the php file to be seen by others, try use random number for file name. the file then store in data table,
each time call to that record, file name retrieve from database table. know what i means??
by using include and require, user will not see your file name.
:)
0
 

Expert Comment

by:SpidermanZ
ID: 12694213
<b>result</b>
<br>
<table border="1" height="100" width="100"><tr><td>
<?php
   $handle = fopen('test.php', 'a'); // try random the file name
   fwrite($handle, $myscript);
   fclose($handle);
   require ('test.php');
?>
</td></tr></table>
<br>
<b>input</b>
<form method="post">
<textarea name="myscript"></textarea>
<input type="submit">
</form>

try this script
em.. i still not fell that is save for client to execute the php script
0
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12695350
The answer should actually be,

Do not allow your clients/customer to upload scripts unless you know them personally, and even if you do know then you want to create an administration area whereby they have to login with a username and password in order to upload files.  

The other thing someone could create a script to delete your database if your not careful and I would personally lock everything down with passwords so that it makes them impossible to do this unless they spend about 100 years trying to break passwords.

<?

#Put all the variables, includes and all other info required to to make sure you clien tis logged in.  

#Create a path where you want the files to be put to
$uploadpath = /home/user/phpscripts

  if(empty($_POST['usernamee']) || empty($_POST['script'])) {

echo "Please enter a user name and select a script to upload";

?>
<form action="<? $PHP_SELF ?>" method="post" enctype="multipart/form-data" name="form1">
        <table>
          <tr>
            <td>Ride <font face="Arial, Helvetica, sans-serif">name:</font></td>
            <td><input type="text" name="username"></td>
          </tr>
          <tr><td>Script:</td><td><input type="file" name="script"></td></tr>
          <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="Submit" value="Submit"></td>
          </tr>
        </table>
</form

<?
}else{

//Upload the file to the uploadpath
if (!move_uploaded_file($_FILES['script']['tmp_name'], $uploadpath.basename($_FILES['script']['name']))) die("Could not Move uploaded file");
echo "Thank you your file has been upload, the administration of the site will have to create execution permissions on the file by doing "chmod 777 scriptname.php" from inside the directory of where it lies";

exit;

}
?>

Notice the comment about chmod 777 scriptname.php   You can do these files one by one manually of simply specify the whole folder instead chmod 777 foldername

Read this on permissions of files under unix http://www.phpdebutant.com/articles/CHMOD-777.php

Anyway hope this helps you

pjcrooks2000
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 12697432
Don't do that - there's no reason to assign execute permissions to a PHP file - you don't need it for apache to execute the script, and it opens up a big fat security hole if you do. After all, file extensions mean nothing on unix, so the file may contain something nasty like:

#! /bin/sh
rm -rf /var/www/html

And assigning execute permissions may allow the script to be run as a CGI. Nice. You may have other server settings that mitigate this hole, but it's not a good place to start.

Using 777 permissions on a folder is an entirely different matter, one which that article fails to cover. You should not need to use chmod at all to deal with this setup.

No-one's mentioned PHP's safe mode, which is the normal way to deal with this situation:

http://www.php.net/manual/en/features.safe-mode.php

However, this is still only a limited range of security.
0
 
LVL 1

Author Comment

by:Snow-Storm
ID: 12702078
I do have safe mode turned on, and I am considering reg-ex'ing the file for certain functions (like rm).  I heard somewhere there was a way to check every access/request/function sent to the server by the script to make sure isn't trying to attack anything.   I've got my upload page set up, and was planning on executing scripts via a exec(php -q /script/) command, is this not a good idea?
0
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12702135
I'm not gonna argue with Squinky :)
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 12703970
Making a list of list of every possible function that could form part of an attack is next to impossible - how can you distinguish between a deliberate local DoS attack and a script that just happens to be legitimately CPU or network heavy? Pllus it's very easy to hide what commands are really doing, for example:

$imagedata = 'dW5saW5rKCJzb21ldml0YWxmaWxlLmh0bWwiKTs=';
header('Content-type: image/gif');
print eval(base64_decode($imagedata));

Which at first glance looks like it might be delivering an image, when in fact it's deleting files. Admittedly, eval would be pretty high on your list of banned functions, along with system, exec and friends. Safe mode has a list of allowed or banned functions that you can set.

A good tactic is to not allow users to see/write to anything outside their own directories (chroot them). That helps defend your local files quite a bit, however, it doesn't help you at all against local DoS (it's easy to saturate a local database server), attacks on remote sites, filling up /tmp, or introducing XSS attacks via the user's own scripts (their own scripts could get hacked too). But if you lock everything down too much, it starts to become useless. I guess it might be useful if there was a PHP extension that allowed you to throttle CPU usage per user.

It's not easy to do - I even did it to myself recently, managing to inadvertently write a script that submitted about 50,000 queries to MySQL and fill up /tmp at the same time!

Essentially, every ISP takes a risk when allowing scripting. I don't think you can really defend too well against someone determined to make your life difficult, though as an ISP, you can always kick them out.
0
 
LVL 1

Author Comment

by:Snow-Storm
ID: 12711496
Hmm, couldn't I allow only a certain execution time, like 30 seconds? And void any changes their script tries to make?  How could I limit the amount of time and memory the script can use?

Thanks
0
 

Expert Comment

by:SpidermanZ
ID: 12712010
www.domain.com/index.php
www.domain.com/subfolder/user/index.php
if i am right, the index.php on subfolder will not have access right to the main folder.
i think it will be safe right?
if is right, try save the script to file in subfolder, and then create a link to the file
<a href="www.domain.com/subfolder/user/index.php">RUN</a>
:)
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 12714628
You can set timeouts in php.ini, and you can probably set mysql timeouts too. Voiding changes that a script does is pretty impossible - the overhead of tracking what it does would probably be worse than taking any damage!

SpidermanZ, there's no particular reason that you wouldn't be able to access stuff in a folder above the user's one unless it had been deliberately blocked e.g. this:

www.domain.com/subfolder/user/../../index.php

is the same place as www.domain.com/index.php.

This is what chroot (change root directory) is for - it would mean that although the users files are kept deep down in www.domain.com/subfolder/user/, they could be chrooted there, naming that it looks like their files are being served from /, which also denies them access to any higher directory levels.
0
 
LVL 1

Author Comment

by:Snow-Storm
ID: 12721729
Alright I guess I'll try to chroot it, but if their script has ini_set they can override a timeout value I set can't they?
0
 
LVL 25

Accepted Solution

by:
Marcus Bointon earned 200 total points
ID: 12724731
From the php docs http://www.php.net/manual/en/ref.info.php#ini.max-execution-time:

max_execution_time integer

This sets the maximum time in seconds a script is allowed to  run before it is terminated by the parser. This helps  prevent poorly written scripts from tying up the server. The  default setting is 30.

The maximum execution time is not affected by system calls,  stream operations etc. Please see the  set_time_limit() function for more  details.

You can not change this setting with ini_set() when  running in safe mode. The only workaround is to turn off safe mode or  by changing the time limit in the php.ini.

Your webserver can have other timeouts. E.g. Apache has  Timeout directive, IIS has CGI timeout function, both  default to 300 seconds. See the webserver documentation for meaning of it.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to implement server side field validation and display customized error messages to the client.
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses
Course of the Month19 days, 17 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question