PHP {in}security


Published on

Short presentation on techniques for protecting against vulnerabilities in commonly available PHP packages using a combination of Apache + FastCGI + suEXEC + chroot + mod_security2

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

PHP {in}security

  1. 1. PHP {in}security Michael Clark <michael at metaparadigm dot com>
  2. 2. Presentation Overview <ul><li>PHP {in}security
  3. 3. php.ini
  4. 4. FastCGI
  5. 5. suEXEC
  6. 6. chroot jail
  7. 7. readonly || noexec
  8. 8. mod_security2
  9. 9. Conclusion </li></ul>
  10. 10. PHP {in}security <ul><li>Many vulnerabilities in exist common PHP software packages
  11. 11. How do we protect against these vulnerabilities
  12. 12. Need to provide an environment with minimal trust for PHP applications
  13. 13. Only allow a minimal set of essential permissions in a hardened environment
  14. 14. Need to use privilege separation and chroot jails </li></ul>
  15. 15. php.ini <ul><li>open_basedir = /var/www/mysite </li><ul><li>Only allow open to essential directories. </li></ul><li>session.save_path = /var/tmp/php-sessions </li><ul><li>Don't allow scripts to read sessions and isolate from /tmp. </li></ul><li>upload_tmp_dir = /var/www/mysite/tmp </li><ul><li>Isolate upload tmp files from /tmp. </li></ul><li>display_errors = 0 expose_php = 0 </li><ul><li>Avoid information leaks. </li></ul><li>allow_url_fopen = 0 allow_url_include = 0 </li><ul><li>Avoid commonly exploited vulnerabilities. </li></ul></ul>
  16. 16. FastCGI <ul><li>mod_fcgi or mod_fastcgi? </li><ul><li>mod_fcgi was adopted as an official Apache project. </li></ul><li>Process Separation </li><ul><li>PHP no longer runs inside of the webserver as with default Apache and mod_php.
  17. 17. Allows more control over PHP when it is running as a separate process. </li></ul><li>Apache Worker MPM </li><ul><li>Threaded MPM in Apache 2.x can't be used with mod_php as PHP is not fully thread safe.
  18. 18. By-product of FastCGI is that worker MPM can now be used.
  19. 19. Ability for Apache to handle more connections. </li></ul></ul>
  20. 20. suEXEC <ul><li>Apache suEXEC augments mod_fcgi </li><ul><li>Allow CGI and FastCGI process to be started as a different user to the web server. </li></ul><li>Privilege Separation </li><ul><li>Run PHP FastCGI process as a user that does not have write access to the web site directories.
  21. 21. Apache can update these directories e.g. mod_dav but PHP can no longer has write perms on these same directories. </li></ul><li>More than one user per vhost </li><ul><li>Apache Hack – create special internal vhosts for each user and then use proxy rewrite rules. </li><ul><li>RewriteRule /cgi-bin/(.*) http://cgi-bin-user/cgi-bin/$1 [P] </li></ul></ul></ul>
  22. 22. Chroot jail <ul><li>Patch suEXEC to chroot </li><ul><li>Be very careful changing suEXEC as there are many security checks that must be observed.
  23. 23. Patch available from “Apache Security” author 'Ivan Ristic' </li><ul><li> </li></ul></ul><li>Combine with FastCGI and bind mounts </li><ul><li>Create minimal chroot jail for PHP </li><ul><li>only executable is php-cgi
  24. 24. Isolate from other services on the same box </li></ul><li>Bind mount website directory </li></ul></ul>
  25. 25. readonly || noexec <ul><li>Mount PHP chroot image readonly </li><ul><li>Readonly loop mount is a nice easy way to make PHP jail
  26. 26. Can't write in dirs that can be exec'ed </li></ul><li>Mount and writables noexec </li><ul><li>Bind mount /var/www/mysite into jail with noexec
  27. 27. Can't exec in dirs that can be written to </li></ul><li>No other interpreters in PHP chroot jail </li><ul><li>Can't “perl /tmp/” or “sh /tmp/” </li></ul><li>Start with zero write access for PHP </li><ul><li>Add writable directories on an as needed basis
  28. 28. Dont include from any writable dirs </li></ul></ul>
  29. 29. mod_security2 <ul><li>Web Application firewall for Apache
  30. 30. Detects common exploits within Apache before being passed to PHP or other web apps: </li><ul><li>Avoids known weaknesses and vulnerabilities.
  31. 31. Detects special characters in URLs and inspects POST content type and payload.
  32. 32. Detects common injection patterns and exploits.
  33. 33. Adds additional logging (Full Request Headers).
  34. 34. Flexible extensible rules. </li></ul></ul>
  35. 35. Conclusion <ul><li>Many PHP applications available with unknown trust and security
  36. 36. We can't always audit and fix all of them
  37. 37. We can run them in a minimally trusted sandbox
  38. 38. Default Apache + mod_php is not very secure </li><ul><li>Vulnerabilities in many well known PHP applications. </li></ul><li>FastCGI + suEXEC + chroot + PHP + (readonly || noexec) + mod_security2 </li><ul><li>Provides a minimally trusted environment for running untrusted PHP applications. </li></ul><li>To do – SELinux, Hardened PHP, Suhosin </li></ul>