David
Sat Jul 19 03:16:22 CDT 2008
On Jul 18, 10:45=A0pm, A J Hawke <a...@lawlessland.co.uk> wrote:
> On Fri, 18 Jul 2008 18:29:47 -0700, David Wang wrote:
> > On Jul 18, 12:18=A0pm, A J Hawke <a...@lawlessland.co.uk> wrote:
> >> On Thu, 17 Jul 2008 23:26:45 -0700, David Wang wrote:
> >> > Absolutely -- this is a PHP issue and not an issue with Apache nor
> >> > IIS (ok, maybe other than letting PHP run on them... ;-) ).
>
> >> > With application platforms like ASP and PHP which do not sandbox
> >> > their IO operations, filesystem ACL (and hence authentication) is
> >> > critical to security. When you subsequently run the website as
> >> > anonymous, you are forced to allow anonymous user access (or else th=
e
> >> > apps don't work), but that then opens all sorts of security
> >> > vulnerability opportunities...
>
> >> > //David
> >> >
http://w3-4u.blogspot.com
> >> >
http://blogs.msdn.com/David.Wang
> >> > //
>
> >> > On Jul 17, 12:42=A0pm, A J Hawke <a...@lawlessland.co.uk> wrote:
> >> >> On Thu, 17 Jul 2008 14:38:19 +0100, Alex Clarke wrote:
> >> >> > Why not set up PHP with IIS?
>
> >> >> > Regards,
>
> >> >> > Alex
>
> >> >> > "Haseeb Khan" <mhaseebk...@gmail.com> wrote in message
> >> >> >news:0a3aefd8-5930-4317-
>
> >> bf8c-9132505c2...@34g2000hsh.googlegroups.com...
>
> >> >> >> Hi All,
>
> >> >> >> I have configured IIS on a Windows 2003 Hosting Server and it is
> >> >> >> currently listening to Port 80. I have also installed Apache
> >> >> >> which is running on Port 9091. I have already installed PHP
> >> >> >> Support for Apache which is working fine.
>
> >> >> >> Now, the scenario is that I want to host a Website on IIS but
> >> >> >> want to serve its content from Apache as they are all PHP Pages.
> >> >> >> In a perfect case, I would like to host my Website on IIS and
> >> >> >> host a Wordpress CMS on Apache. So, in the end, the pages
> >> >> >> displayed to the user will be loaded from Wordpress CMS hosted o=
n
> >> >> >> Apache Webserver but the user will pass through IIS first.
>
> >> >> >> Please provide me some starting information on the above
> >> >> >> mentioned scenario.
>
> >> >> >> Thanks and Regards,
>
> >> >> >> Muhammad Haseeb Khan
> >> >> >> mhaseebk...@gmail.com
>
> >> >> 1) Set up PHP with IIS
> >> >> 2) Dump IIS and use Apache
>
> >> >> Just watch the security - php and idiots don't match, it can run
> >> >> riot around a file system. The PHP script below, when uploaded to a
> >> >> server (Apache or IIS) running php, will show you if your security
> >> >> is broken. If you can run around the file systems, clicking and
> >> >> opening files, then you are looking for trouble. David Wang may be
> >> >> able to help you with getting it secure - but I think the stock
> >> >> response is 'this is not an IIS issue'.
>
> >> >> <?php
> >> >> echo "<pre>\n";
> >> >> if (ini_get('safe_mode'))
> >> >> {
> >> >> =A0 =A0 echo "[safe_mode enabled]\n\n";}
>
> >> >> else
> >> >> {
> >> >> =A0 =A0 echo "[safe_mode disabled]\n\n";}
>
> >> >> if (isset($_GET['dir']))
> >> >> {
> >> >> =A0 =A0 ls($_GET['dir']);}
>
> >> >> elseif (isset($_GET['file']))
> >> >> {
> >> >> =A0 =A0 cat($_GET['file']);}
>
> >> >> else
> >> >> {
> >> >> =A0 =A0 ls('/');}
>
> >> >> echo "</pre>\n";
>
> >> >> function ls($dir)
> >> >> {
> >> >> =A0 =A0 $handle =3D dir($dir);
> >> >> =A0 =A0 while ($filename =3D $handle->read())
> >> >> =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 $size =3D filesize("$dir$filename");
> >> >> =A0 =A0 =A0 =A0 if (is_dir("$dir$filename"))
> >> >> =A0 =A0 =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 if (is_readable("$dir$filename"))
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line =3D str_pad($size, 15);
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line .=3D "<a href=3D\"{$_SERVER['=
PHP_SE
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 LF']}?dir=3D$dir
> >> >> $filename/\">$filename/</a>";
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 }
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 else
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line =3D str_pad($size, 15);
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line .=3D "$filename/";
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 }
> >> >> =A0 =A0 =A0 =A0 }
> >> >> =A0 =A0 =A0 =A0 else
> >> >> =A0 =A0 =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 if (is_readable("$dir$filename"))
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line =3D str_pad($size, 15);
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line .=3D "<a
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 href=3D\"{$_SERVER['PHP_SELF']}?fil=
e=3D$dir
> >> >> $filename\">$filename</a>";
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 }
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 else
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 {
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line =3D str_pad($size, 15);
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 $line .=3D $filename;
> >> >> =A0 =A0 =A0 =A0 =A0 =A0 }
> >> >> =A0 =A0 =A0 =A0 }
> >> >> =A0 =A0 =A0 =A0 echo "$line\n";
> >> >> =A0 =A0 }
> >> >> =A0 =A0 $handle->close();
>
> >> >> }
>
> >> >> function cat($file)
> >> >> {
> >> >> =A0 =A0 ob_start();
> >> >> =A0 =A0 readfile($file);
> >> >> =A0 =A0 $contents =3D ob_get_contents();
> >> >> =A0 =A0 ob_clean();
> >> >> =A0 =A0 echo htmlentities($contents);
> >> >> =A0 =A0 return true;}
>
> >> >> ?>
>
> >> >> --
> >> >> Dog walks down the road. Gust of wind. Dog inside out. I've replace=
d
> >> >> my 'old joke' signature because a better man than me told me to ;-)=
-
> >> >> Hide quoted text -
>
> >> >> - Show quoted text -
>
> >> If I had 50p for every IIS server running 'asp upload' in a manor that
> >> abuse the file system, I wouldn't be sitting here in a wet England on
> >> usenet. I would be sat on a beech in the Bahamas on my laptop on usene=
t
> >> ;-)
>
> >> Actually David, I would rather like you to explain just how to secure
> >> PHP on IIS at some point. I gave up trying. Nothing I could do would
> >> stop it. I was able to sandbox it on Apache, but IIS - I gave up
> >> trying.
>
> >> --
> >> Dog walks down the road. Gust of wind. Dog inside out. I've replaced m=
y
> >> 'old joke' signature because a better man than me told me to ;-)- Hide
> >> quoted text -
>
> >> - Show quoted text -- Hide quoted text -
>
> >> - Show quoted text -
>
> > Ditto. But if I was in Bahama, I would not be on a laptop on usenet. :-
> > P
>
> > Actually, I'm curious how you can sandbox PHP on Apache -- in Windows o=
r
> > *nix? Because on Windows, PHP has the same issue regardless if it is
> > Apache or IIS. And my understanding on *nix is that the nobody account
> > is similar to the IUSR account on Windows, so the lockdown procedures
> > should be similar.
>
> > Regardless of the lockdown method, my prior comment about PHP/ASP and
> > lack of sandbox stands. Contrast it against .Net or Java, where the
> > application platform itself has security policies to sandbox code-
> > execution in all sorts of ways. PHP and ASP relies on native-code
> > components, which means that the authenticated user and filesystem ACL
> > is really the only thing that lock things down.
>
> > //David
> >
http://w3-4u.blogspot.com
> >
http://blogs.msdn.com/David.Wang
> > //
>
> AFAIR you can chroot things on *nix, which limits much that can be done.
> I won't confess that I have looked into it. What I do know is if I run
> the above script on a fresh apache under something like Ubuntu, I can
> browse the filesystem where I have access, but not read any of the files
> that don't belong to me. With the same script on IIS, I can browse the
> files and read them. I suspect I could overwrite them too.
>
> This may not seem much of an issue until you consider a multi-hosting
> environment where you have a number of business websites with
> configuration.php files containing passwords and user details to back end
> databases. It opens the door to data theft and all manner of destruction.
>
> There are a number of sites that say it is possible to secure php on IIS
> - but I've not found a way to do it and despite their claims, they don't
> give much away either. It is a solution that needs to be found and put
> here so others that search out google groups for solutions in years to
> come can find it.
>
> With this in mind, and knowing that David is an expert with IIS, perhaps
> we should put this one to bed? It's not really fair to rob IIS users of
> the wide range of free PHP applications that can run well with IIS if the
> security can be licked. So how about this becoming an 'unofficial' RFC on
> how to secure PHP on IIS!
>
> I will run by with what I've tried so far and see if you can spot what is
> missing.
>
> First of all PHP was installed as an ISAPI module. In 'Web Service
> Extensions' it is listed and allowed with the 'required files' pointing
> to c:/php5/php5isapi.dll - it does NOT appear as an isapi 'filter' in any
> of the website properties (but it seems that asp does).
>
> A separate application pool is set up for each website, but they all run
> as the 'IUSER' account. I tried to change this a number of times but
> found authentication boxes would come up when you tried to view the
> website and other nasties like 500 errors. After a few weeks of playing,
> I gave up.
>
> Where can we go next with it? It's not a domain controller, or even on a
> domain for that matter - it runs on an independent web hosting issue of
> server 2003. I'll load up a 120 day eval version on a virtual box and
> have a play with it if I can get any half sensible ideas rolling.
>
> --
> Dog walks down the road. Gust of wind. Dog inside out.
> I've replaced my 'old joke' signature because a better man than me told
> me to ;-)- Hide quoted text -
>
> - Show quoted text -
When the hosted application platform does not sandbox, it is currently
not possible at a fundamental level to do massive webhosting securely
and performantly on Windows. There are a bunch of things to consider
and compromise. I'll compose a blog entry about this and post it.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//