I'm running phpwiki 1.3.11p1 Sep, 18 2005. This morning an IP address from Russia uploaded a php script and started wandering around my server, apparently downloading stuff. I've disabled php uploads for now. Has anyone else had this problem? Do later versions fix it?
THANKS!
Harold
Thanks for the comments! The pregmatch fix suggested above still allows the planting of php3 files, which Apache interprets as php. The AddHandler fix also doesn't seem to do the job. More ideas? It SEEMS like we should prevent the upload of anything but specified extensions (for my case, pdf), AND get apache to send whatever is in this directory as is, with no interpretation.
THANKS!
Harold
This can only happen if the file extension of the uploaded file has an action handler in your server's settings: php or inc for php files, pl for perl, for example.
We disable those extensions and therefore disable those action handlers for user data.
See your plugin/UpLoad.php code for the list of disabled extensions.
Thanks! They uploaded a file ending in .php.3, which is not on the list but which my Apache server apparently treats as php. I'll dig through the Apache config. Other ideas?
THANKS!
Harold
Oha! .php.{\d}
I will add a check for .php.* also. Big risk.
Please change your UpLoad check at line 135
from:
if (preg_match("/(." . join("|.", $this->disallowed_extensions) . ")\$/",
to:
if (preg_match("/(." . join("|.", $this->disallowed_extensions) . ")(.|\$)/",
For now, I've disabled uploads in php.ini. I'm also having a problem with the phpwiki log. I get an error saying "Please ensure that the file '/var/log/WikiAccess.log' is writable, or redefine ACCESS_LOG in config/config.ini." The log exists, is owned by apache, and is readable and writable by the owner. What should permissions and the ownership of the log file be?
THANKS!
Harold
OK, dumb mistake on the log file... Fixed that! I see in UpLoad.php that there's a "TODO" section on permitted file types. I'd like to just permit pdfs. Also, ideally, I'd like a "moderator approval" before any changes, including uploads, become visible.
Ideas?
Thanks!
Harold
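The two UpLoad.php checks quoted above (the original one anchored at the end of the name, and the maintainer's fix that also catches a disallowed extension followed by another dot), together with the PDF-only allowlist Harold asks about, reimplemented in Python as an added example so it can be run stand-alone. This is not phpwiki's code: the extension list is a constructed subset of what plugin/UpLoad.php refuses, and the pdf-only policy is a hypothetical site setting. The reason the fix matters is that Apache's mod_mime looks at every dot-separated suffix of a filename, not only the last one, so `x.php.3` and `x.php.jpg` are both handed to the PHP handler.

```python
import re

# Constructed subset of the extensions phpwiki's plugin/UpLoad.php refuses;
# the real list lives in that file and is not reproduced here.
DISALLOWED_EXTENSIONS = ["php", "php3", "php4", "phtml", "inc", "pl", "cgi", "sh"]

# Hypothetical site policy matching Harold's request: PDFs only.
ALLOWED_EXTENSIONS = {"pdf"}

_ALT = "|".join(re.escape(e) for e in DISALLOWED_EXTENSIONS)

# Original UpLoad.php behaviour: a disallowed extension counts only when it is
# the final suffix, so "x.php.3" slips through.
OLD_CHECK = re.compile(r"\.(" + _ALT + r")$", re.IGNORECASE)

# Maintainer's fix: the disallowed extension may be followed by another dot
# or by end of string, which catches "x.php.3" and "x.php.jpg" as well.
NEW_CHECK = re.compile(r"\.(" + _ALT + r")(\.|$)", re.IGNORECASE)


def blocked_by_old_check(name: str) -> bool:
    """True if the pre-fix denylist regex would refuse this filename."""
    return OLD_CHECK.search(name) is not None


def blocked_by_new_check(name: str) -> bool:
    """True if the fixed denylist regex would refuse this filename."""
    return NEW_CHECK.search(name) is not None


def allowed_by_allowlist(name: str) -> bool:
    """Positive check: exactly one extension, and it must be on the allowlist.

    Path separators, NUL bytes, hidden files and multi-extension names are
    rejected outright, so this does not depend on the denylist being complete.
    """
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    m = re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]*\.([A-Za-z0-9]+)", name)
    if m is None:
        return False
    return m.group(1).lower() in ALLOWED_EXTENSIONS


def classify(name: str) -> dict:
    """Summarise how each of the three checks treats a filename."""
    return {
        "old_denylist_blocks": blocked_by_old_check(name),
        "new_denylist_blocks": blocked_by_new_check(name),
        "allowlist_accepts": allowed_by_allowlist(name),
    }


if __name__ == "__main__":
    # Constructed sample names, including the .php.3 form from the thread.
    for n in ["report.pdf", "evil.php", "evil.php.3", "evil.php.jpg",
              "../x.pdf", "report.pdf.php"]:
        print(n, classify(n))
```

The allowlist is the check to rely on: a denylist has to anticipate every extension the web server might map to a handler, while the allowlist only has to know what the site actually wants to serve.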
Thanks! That seems to fix it. Any idea on how to make Apache never try to interpret stuff in that directory?
Harold
As a follow-up, do you know how deep into the directory structure they could have gotten with this php script? The script ended up in /home/user/public_html/WikiName/uploads. Could they get below public_html to see other user files?
Thanks!
One could have uploaded only into one dir, the upload dir, no subdirs above or below.
But this doesn't matter, since an uploaded script will be executed and this script has access to everything which is open to the apache user.
rm -rf /, i.e., will destroy some files.
Someone on another list also suggested adding this to the .htaccess file in the upload directory:
AddHandler send-as-is *
This SHOULD keep Apache from ever trying to interpret anything in this directory.
Also, I REALLY APPRECIATE the quick fix to this problem!
Harold
I don't like this fix. This will disable inline images.
Fixing Apache for this case cannot be done per .htaccess, only per httpd.conf.
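Taking the maintainer's two points (send-as-is breaks inline images, and the fix belongs in httpd.conf), the stanza below is the one I would put in httpd.conf for the upload directory. It is an added example, not taken from the thread or from phpwiki: the path is the one Harold quoted, and the directives assume Apache 2.x with PHP loaded as mod_php. Unlike `send-as-is`, `default-handler` still lets mod_mime set a Content-Type from the extension, so images in the directory keep rendering inline.

```apache
# Added example: lock down the phpwiki upload directory in httpd.conf.
# Path is the one quoted in the thread; adjust for your host.
<Directory "/home/user/public_html/WikiName/uploads">
    # Turn the PHP engine off for this tree. php_admin_flag is only honoured
    # in the main config / vhost, never in .htaccess, so a dropped .htaccess
    # cannot switch it back on.
    php_admin_flag engine off

    # Drop any handler mappings inherited from the server config and force
    # every file through the static-file handler. mod_mime still supplies
    # the Content-Type, so inline images keep working.
    RemoveHandler .php .php3 .php4 .phtml .inc .pl .cgi
    SetHandler default-handler

    # No CGI, no server-side includes, no symlinks leading out of the tree.
    Options -ExecCGI -Includes -FollowSymLinks

    # Ignore .htaccess files entirely inside the upload directory.
    AllowOverride None
</Directory>
```

If PHP runs as CGI or FastCGI rather than mod_php, `php_admin_flag` does not apply (and errors out without mod_php loaded); in that setup the `RemoveHandler`/`SetHandler` pair plus `Options -ExecCGI` is what keeps the files static. After changing the stanza, verify with a harmless test file that a name such as `probe.php.3` is returned as plain content rather than executed.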