HC panel & php directory listings

Showing page 1 of 2
Ray@VSK
Junior Member
2005/08/21 07:28:36 (permalink)

HC panel & php directory listings

I need to know how you get around the HC web panel and phpNuke-type sites, which both share /admin as an address. What I mean is that www.yourwebsite.com/admin is used to access Hosting Controller, but phpNuke also uses the address www.yourwebsite.com/admin.php to access the admin page of a phpNuke site.


Secondly, there is a PHP vulnerability that allows users to view the contents of all drives and download anything from any drive as well. The only way we found to secure directory browsing was to manually add registry entries for each website pointing at that particular site's folder, but why does HC not do this automatically for you? Are you not aware of this, or do you know an easier way?

Specs
We are using Windows 2003, MySQL, PHP and the latest Hosting Controller.
#1


    HC Team
    Hosting Controller
    RE: HC panel & php directory listings 2005/08/22 10:37:05 (permalink)
    To solve this issue you can simply change the 'HC Admin' virtual directory name from My Server ---> IIS ---> Control Panel Access at reseller level, which is applicable only to new sites.

    Well, in the first place that vulnerability is due to PHP, so you should contact them. Secondly, please let us know how you want to add each website entry in the registry. Please describe it in more detail. Thanks.

    #2
    Steve@VSK
    Starting Member
    RE: HC panel & php directory listings 2005/08/22 13:59:10 (permalink)
    Hello, my name's Steve, working for Ray@VSK. I'll explain the problem a bit more.

    We discovered a couple of months ago that people could have access to files/folders outside their home directories (of IIS) and do pretty much whatever they want (which wasn't really nice to see).

    I'm sure you guys know about the 'open_basedir' directive in php.ini. It enables you to lock PHP scripts into a certain folder and its subdirectories. But considering that you can only set that 'once' in the INI, it lets users see everything in other people's webhosting folders.

    Let me explain in a bit more depth so you understand.

    D:
    |-resadmin (Reseller)
    |-Client 1
    | |-client1.com
    | | |-www
    | | |-db
    | | |-resources
    | |-client2.com
    | | |-www
    | | |-db
    | | |-resources
    |-Client 2
    | |-client21.com
    | | |-www
    | | |-db
    | | |-resources

    Let's say I put in the INI:

    open_basedir="D:\resadmin" (being the rightful choice in this situation)

    Then all the clients could browse each other's contents through a PHP script.

    So I browsed websites, and found something:

    http://ca.php.net/configuration.changes

    Quoting:

    "Changing PHP configuration via the Windows registry

    When running PHP on Windows, the configuration values can be modified on a per-directory basis using the Windows registry. The configuration values are stored in the registry key HKLM\SOFTWARE\PHP\Per Directory Values, in the sub-keys corresponding to the path names. For example, configuration values for the directory c:\inetpub\wwwroot would be stored in the key HKLM\SOFTWARE\PHP\Per Directory Values\c\inetpub\wwwroot. The settings for the directory would be active for any script running from this directory or any subdirectory of it. The values under the key should have the name of the PHP configuration directive and the string value. PHP constants in the values are not parsed. However, only configuration values changeable in PHP_INI_USER can be set this way, PHP_INI_PERDIR values can not. "

    That was my main concern. It would really be cool, and it's a grave security concern in Windows (when used with IIS), because there are 3 ways to fix that: 1- Run Apache (nope), 2- Use the registry, or 3- Use the ini_set function in scripts (we can't force our clients to do that).

    Tell me what you guys think :)
    #3
    HC Team
    Hosting Controller
    RE: HC panel & php directory listings 2005/08/23 09:44:07 (permalink)
    We've checked and didn't find any registry key for PHP configuration as you mentioned. Please let us know in detail about your requirements. For example, to restrict a user named "webadmin" to running perl/cgi scripts only from the folder "d:\webspace\resadmin\webadmin", what value are we supposed to write in the registry key when enabling PHP on any of "webadmin's" sites? Does this registry key exist by default or do we have to create it, as we don't see any HKLM\Software\PHP registry key in the registry, though we have PHP installed on our test machine. Thanks :)

    #4
    Steve@VSK
    Starting Member
    RE: HC panel & php directory listings 2005/08/23 10:09:01 (permalink)
    OK, here's a step by step :)

    1- Set open_basedir in the INI to "C:\" as a test.

    2- Create 1 website, then go into the registry at HKLM/Software/PHP. You should have a value there for the INI path.

    3- Add the key "Per Directory Values" (yes, you actually have to add the keys yourself).

    4- Now you have to create an arborescence similar to your HD path. Let's say the website is in D:\resadmin\admin\www; here's what it should look like:

    HKLM/Software/PHP/Per Directory Values/D/resadmin/admin/www, and in the 'www' key you should add a 'string' value called 'open_basedir', set to "D:\resadmin\admin\www".

    Here's how to see if it has been done right.

    Just create a PHP file like this (the opening tag was lost in the forum post; this is the complete script):

    <?php
    // Dumps the effective configuration, including open_basedir
    phpinfo();
    ?>

    Run the phpinfo file before and after doing the modifications and look at the 'open_basedir' value.

    That's the only way I found to restrict PHP execution to the client's directories only.

    If needed, I can post a .reg if you want.

    P.S.: If you don't see the key in the registry, you have to create it.
    #5
    HC Team
    Hosting Controller
    RE: HC panel & php directory listings 2005/08/24 10:49:52 (permalink)
    Thank you very much for the detailed explanation. It would be appreciated if you could send a sample .reg file to support@hostingcontroller.com with this thread's reference.
    #6
    Steve@VSK
    Starting Member
    RE: HC panel & php directory listings 2005/08/25 08:57:58 (permalink)
    All right, I'll send you the .reg file.

    I'm trying to find the script that made us discover the 'flaw', but our client has since deleted the file (with reason).

    I'm going to try to contact him.
    #7
    HC Team
    Hosting Controller
    RE: HC panel & php directory listings 2005/08/25 15:16:24 (permalink)
    Thank you very much for the file. I will let you know the results. :)
    #8
    Steve@VSK
    Starting Member
    RE: HC panel & php directory listings 2005/09/20 11:04:14 (permalink)
    Hello, me again...

    I know you guys issued a fix for this in the last hotfix... unfortunately, I have to say that it still didn't fix anything. Well, it half-breaks and half-fixes. Here's what happens:

    1- I created a whole new website, with PHP enabled by default. You guys already told me that the security wouldn't be enabled by default (which I really wonder why), and that I had to go into Scripting in their control panel to activate it.

    So I did.

    2- I went into their control panel to deactivate their PHP extensions and reactivate them. My surprise: the PHP extensions refuse to reactivate.

    I went to look a bit deeper on the server and noticed that HC created a key in the registry, but created no registry string for the security, so the website was still open to attack.

    Please, I have said this to your techs multiple times: if you need me to call you or talk to you on MSN, I will! I do not mind... but this is a serious issue! Everyone's Hosting Controller server is at risk (unless they have a very good security guy who knows a lot about PHP)!

    If I have to, I'll send proof of this vulnerability; it's very critical!

    For now, I'll set the registry info manually on our servers, but I'll be waiting eagerly for your answer :)
    #9
    SupermanInNY
    Junior Member
    RE: HC panel & php directory listings 2005/09/20 14:35:24 (permalink)
    I haven't checked your option of 'open_basedir' very carefully as of yet.
    What I did find was that by default, the user Everyone is added to practically all major places, as well as additional user groups, which will allow you to roam about and view areas I also wouldn't want people to visit.
    Slowly and carefully, I removed those users/user groups from the various directories on the server, and voilà, you can't go anywhere.
    If you try to see C:\ you will hit a roadblock. The same if you try to view D:\ or ..\ or anything outside of your home directory, running scripts like webadmin.php, which can be downloaded from http://php.spb.ru/remview/ . The file is called phpRemoteView (if you can read Russian), or if you want the file itself: http://php.spb.ru/remview/remview_2003_10_23.php
    Just copy it into Notepad and save it as a .php file.
    Place the file in your www area and surf to it.
    You will then see you can roam about the entire server, change drives, view directories and directory contents.
    But not if you disable the Everyone user group (and a few others).
    Just be careful, and I do mean be EXTRA careful, not to accidentally remove users that are needed, as this may propagate through your entire server and you could find yourself in deep .
    Oh, and this removal of the Users and Users group will also help in cases of ASP or ASP.NET exploits, not just PHP.

    -Alon.
    #10
    Steve@VSK
    Starting Member
    RE: HC panel & php directory listings 2005/09/20 17:11:01 (permalink)
    Thanks for replying, Alon :)

    Here's the dirty little secret about PHP... PHP seems to have access to anything that the logged-in user has access to (in this case, Administrator). So you have to set the restrictions in PHP itself.

    Man, I really wish I had kept a copy of the little nifty script that one of my clients had. I was checking the NTFS directory permissions and the IUSR_ user had no access whatsoever. Only Administrator and System. It really alarmed me.
    #11
    SupermanInNY
    Junior Member
    RE: HC panel & php directory listings 2005/09/20 17:36:11 (permalink)
    I can't comment on the situation where PHP was able to roam about.
    I know that if you don't check closely enough, you have inherited permissions that, if you ignore them, may leave some directories not visible yet others wide open.
    PHP by itself is not a user.
    The IIS IUSR_ etc. are users who can use PHP.
    On my test server I've disabled and removed many users and left just barebones permission settings.
    I then tested using the RemoteView script and couldn't go anywhere.
    Even paths that I knew as server Administrator were blocked and didn't reveal anything.
    That's not to say that I've covered all bases.
    It does mean that I've covered the areas that I know of, to the best of my knowledge.
    If you have a little exploit script like RemoteView available, it would prove very useful to verify that other areas are addressed.

    -Alon.
    #12
    HC Team
    Hosting Controller
    RE: HC panel & php directory listings 2005/09/21 11:06:02 (permalink)
    @Steve@VSK

    PHP is being set up fine locally on our machines with hotfix 2.4, and the registry entry for open_basedir is also being created just the way you asked. There is no reason PHP would refuse to activate on your machine unless there is no quota available, or there would be some descriptive error on the panel.

    Don't worry; in the coming hotfix 2.5 we will automatically enable PHP on new domain creation if that domain has PHP quota in its purchased plan.
    #13
    Steve@VSK
    Starting Member
    RE: HC panel & php directory listings 2005/09/22 15:21:57 (permalink)
    Is there a way I can talk to you by phone or anything? Now every time I create a website, I have to go and enable PHP manually in IIS, because HC can't enable it by itself anymore, lol.
    #14
    HC Team
    Hosting Controller
    RE: HC panel & php directory listings 2005/09/23 07:28:36 (permalink)
    What is your exact PHP version? The latest supported PHP version can be downloaded from this URL. You can chat with us through our MSN ID support@hostingcontroller.com. My personal ID is abdullah@hostingcontroller.com.
    #15