PHP security issue

6 replies

Last post Feb 04, 2013 12:59 PM by Klaas de Vries

  • PHP security issue

    Feb 01, 2013 07:06 AM | Klaas de Vries

    Hope this is the correct forum for my question.

    I have installed PHP on an IIS 7.5 Windows 2008 R2 shared hosting server. PHP works. But with a simple PHP script I can browse over the complete server. I can set open_basedir to the user's home directory by adding <add name="PHP via FastCGI" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\php54\php-cgi.exe|-d open_basedir=c:\inetpub\wwwroot\userwebsite" resourceType="Unspecified" /> into web.config. But the user can change the web.config, so after changing this he can again browse over the complete server. So this is not the way to do this.

    Can anyone tell me how I can hold the user in his own website directory?

  • Re: PHP security issue

    Feb 01, 2013 10:44 AM | JamieFurr

    Hi,

    It is a good practice to use FastCGI impersonation and limit the user account's access to the file system using NTFS permissions. You only want to give the user access to read and/or write to the files and directories that it actually needs.

    This will keep the user from being able to get to other directories on your server.

    Here's a good article that explains in detail how to set this up.

    http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/secure-content-in-iis-through-impersonation

    And here is some other good information on securing PHP on IIS in general.

    http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/secure-your-infrastructure-and-php-applications

     

    Jamie Furr
    MCSA, Network +, A+

    Please 'Mark as Answer' if this post helps you.

    OrcsWeb: Managed Windows Hosting Solutions
    "Remarkable Service. Remarkable Support."
  • Re: PHP security issue

    Feb 02, 2013 06:44 AM | Klaas de Vries

    I have done this. But I can still browse over the C: drive. I think this can be because the local group “Users” has read rights on the C: drive. And somehow other users own this right? The user which I use for the website is not a member of this group. So can you remove the local group “Users” right completely from the C: drive without creating any problems? Or is this another problem?
  • Re: PHP security issue

    Feb 03, 2013 12:16 PM | JamieFurr

    Hi,

    Typically you would add/create a new user specifically for this purpose and remove that user from the "Users" group. Then you would explicitly assign only the permissions that user requires to the files and directories for which the user needs access.

    You will also need to set this user as the Anonymous User identity in IIS Manager, so that the new user is the user that is being impersonated.

     
  • Re: PHP security issue

    Feb 03, 2013 01:42 PM | Klaas de Vries

    Hi Jamie,

    Yes I have done all of this. But any authenticated user gets Users rights as far as I can see. On the link you can see the image of the user group. No users are members. Only two groups are default on the member tab.

  • Re: PHP security issue

    Feb 03, 2013 03:58 PM | JamieFurr

    Hi,

    The easiest way may be to deny the anonymous user that you have created 'Full Control' permission at the root of C and stop inheriting the deny permission only at their "home" directory level where you want the user to have access. This will ensure that they are denied permission anywhere above their "home" directory.

    Otherwise you could remove some of the default permissions at the root of C, but that may cause other undesirable results.
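The procedure described in the replies above (a dedicated local account taken out of the built-in Users group, set as the site's anonymous identity so FastCGI impersonation runs PHP file access as that account, denied Full Control at the root of C: and granted access only in its own home directory), written out as an added PowerShell example for IIS 7.5 on Windows Server 2008 R2. This is not code from the thread or from the IIS documentation it links; the account name, the IIS site path and the content directory are assumptions, and the script is meant to be run from an elevated prompt.

```powershell
# Added example, not from the thread. Assumed names:
#   $siteUser - dedicated local account used only as this site's anonymous identity
#   $homeDir  - the site's content directory (the "home" directory in the thread)
#   $iisPath  - the site/application path as IIS Manager shows it
$siteUser = 'iusr_userwebsite'                  # assumption
$homeDir  = 'C:\inetpub\wwwroot\userwebsite'    # assumption
$iisPath  = 'Default Web Site/userwebsite'      # assumption
$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"

# Ask for the password interactively rather than hard-coding it in the script.
$cred  = Get-Credential -UserName $siteUser -Message 'Password for the site identity'
$plain = $cred.GetNetworkCredential().Password

# 1. Create the dedicated local user and remove it from the built-in "Users"
#    group, so it inherits none of that group's read rights on the C: drive.
net user $siteUser $plain /add /passwordchg:no /expires:never | Out-Null
net localgroup Users $siteUser /delete | Out-Null

# 2. Make that account the anonymous identity of the site. With
#    fastcgi.impersonate = 1 in php.ini, PHP then touches the file system as it.
& $appcmd set config $iisPath `
    /section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:true /userName:$siteUser /password:$plain /commit:apphost

# 3. Deny the account Full Control at the root of C:, inherited by every
#    file (OI) and subfolder (CI) below it.
icacls C:\ /deny "${siteUser}:(OI)(CI)(F)"

# 4. At the home directory, stop inheritance (keeping copies of the inherited
#    ACEs), drop the inherited deny for this account, and grant Modify on the
#    site's own content only.
icacls $homeDir /inheritance:d
icacls $homeDir /remove:d $siteUser
icacls $homeDir /grant "${siteUser}:(OI)(CI)(M)"

# 5. Check the result: an explicit deny on C:\ and an explicit grant on the
#    home directory should be the only entries naming this account.
icacls C:\      | Select-String $siteUser
icacls $homeDir | Select-String $siteUser
```

After this the impersonated account is denied everywhere except its home directory, so any location PHP writes to at request time under that identity (the session.save_path and upload_tmp_dir configured for the site) must either live under the home directory or be granted the same way in step 4; otherwise sessions and uploads fail with permission errors. Because the deny is inherited from C:\ rather than applied to the root folder only, a new directory created anywhere else on the drive is covered automatically.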
  • Re: PHP security issue

    Feb 04, 2013 12:59 PM | Klaas de Vries

    Thanks, that was the trick