[closed] ISPConfig fresh install = security problem

Discussion in 'Installation/Configuration' started by NicoduWeb, Jun 21, 2016.

  1. NicoduWeb

    NicoduWeb New Member

    Hello here,

    It seems that just after a fresh install of ISPConfig using this https://www.howtoforge.com/perfect-server-debian-wheezy-apache2-bind-dovecot-ispconfig-3, anyone who can put a PHP file on the server can read all files on the server?

    This PHP code will create a symlink to the root of the server (I mean the real "/" of the server).

    Can I post the PHP code to show you the problem (only 1 line)?

    Is it a normal situation?
    How can we secure this?

    My server was pwned by this method just a few days ago; this is how I found this.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I don't know if there's any policy otherwise, but I'd sure think posting/discussing is a good thing. For vulnerabilities in ispconfig it's nice to disclose it in private so a fix can be made before the vulnerability is public, but this issue will be pretty heavily dependent on your configuration, or possibly an issue in design, but not in ispconfig code directly.

    The first thing you should look at is your open_basedir setting, yours is probably unset or includes '.' (working directory of the script). http://php.net/manual/en/ini.core.php#ini.open-basedir
     
  3. NicoduWeb

    NicoduWeb New Member

    Thank you for your answer
    Debian 7 perfect server or Debian 8 perfect server = same problem

    Maybe FollowSymLinks is the problem ...

    This is the open_basedir generated by ISPConfig for a vulnerable website (local website site1.vi):

    Code:
    /var/www/clients/client0/web1/web:
    /var/www/clients/client0/web1/private:
    /var/www/clients/client0/web1/tmp:
    /var/www/site1.vi/web:
    /srv/www/site1.vi/web:
    /usr/share/php5:
    /usr/share/php:
    /tmp:
    /usr/share/phpmyadmin:
    /etc/phpmyadmin:
    /var/lib/phpmyadmin
     
    Last edited: Jun 21, 2016
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Curious, I'd like to see that "one line" of code used to hack your server :). php should respect that open_basedir, unless it's being overridden somewhere, eg. .htaccess. What php mode are you using (eg. fastcgi or php-fpm)? Try creating a simple phpinfo script in the same directory the hack ran from and see what it shows for open_basedir.
     
  5. NicoduWeb

    NicoduWeb New Member

    I've tried Fast-CGI and PHP-FPM = same thing ...
    I've uploaded my phpinfo (phpinfo.pdf)
     


  6. till

    till Super Moderator Staff Member ISPConfig Developer

    A symlink does not mean that you have permission to view the target on Linux. A symlink is just a special file type. Symlinks can also be in a simple tar file that you can upload into a folder with your FTP account and extract there, so the existence or the ability of a symlink is not PHP dependent or related.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess there is just a misunderstanding of Linux file permissions (global read or non global read) and not a security problem. You say that you can read all files, which I don't think, as this would mean that the permission system in the Linux kernel is broken. You can easily test this:

    1) Create a symlink to the file /etc/shadow in your website.
    2) Try to read the content of this file from within PHP in this website.

    I'm pretty sure that you get an access denied, which shows that the Linux permissions are working as expected.
     
  8. NicoduWeb

    NicoduWeb New Member

    OK, but in this case, I think anyone who is able to write a PHP file can read /etc/passwd ... and all other files on the server ...

    You are right, the symlink function can't access this file.

    But I'm not talking exactly about the symlink function here.

    It's hard to talk about something without giving a name ... and as you can read, English is not my first language.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    This can be easily tested as shown in post #7.

    If there is a security problem, then you can read the content of the /etc/shadow file from PHP. If there is no security problem, then you cannot read this file.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    It does not matter how you try to access it from your website, you will never be able to access protected files like /etc/shadow from within a website.

    You can send me your code by PM but I'm absolutely sure that you will not be able to access the content of a protected root file.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Thank you for sending the code. The code itself is just a normal remote shell that uses system, exec etc. calls, so nothing special. The PHP open_basedir gets applied only to PHP functions that open a file and not to system execution commands. These system calls are not able to read any secure files like the shadow file; they can only read world-readable files and files that are owned by the user or group of the infected site. No other files can be read. So there is no security issue related to ISPConfig here; on the contrary, ISPConfig protected you, with its per-website user isolation, from other sites getting infected.

    The issue that you have to find is how the hacker uploaded the file. This is probably a hole in the CMS that you installed in this website; the typical candidates here are WordPress, Joomla etc. that are not 100% updated or use vulnerable plugins.

    If your CMS doesn't need exec, system, passthru etc., then you can add these functions in /etc/php5/cgi/php.ini and /etc/php5/fpm/php.ini and restart apache and php-fpm. We don't do this in the default setup as some CMSs will stop working then.
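
A check for the hardening step in the post above, as an added example that is not code from the thread or from ISPConfig: it reads the PHP `disable_functions` directive from a php.ini and lists the command-execution functions still enabled. The function names are hypothetical, and the three entries beyond exec, system and passthru are an assumption about what the post's "etc." covers.

```bash
# Added example (not from the thread): list the command-execution functions
# that a php.ini still leaves enabled.

# exec, system and passthru are named in the post; the remaining three are an
# assumption about what its "etc." covers.
EXEC_FUNCS="exec system passthru shell_exec popen proc_open"

# Print the value of the last uncommented disable_functions line in file $1,
# with quotes and whitespace removed.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '"[:space:]'
}

# Print the members of EXEC_FUNCS that file $1 does not disable.
enabled_exec_functions() (
    disabled=",$(disabled_functions "$1"),"
    out=""
    for f in $EXEC_FUNCS; do
        case "$disabled" in
            *",$f,"*) ;;              # listed in disable_functions
            *) out="$out $f" ;;       # still callable from PHP
        esac
    done
    printf '%s\n' "${out# }"
)

# Constructed sample: a php.ini fragment that disables only two functions.
sample=$(mktemp)
printf '%s\n' '; constructed sample' 'disable_functions = exec, system' > "$sample"
echo "sample: still enabled: $(enabled_exec_functions "$sample")"
rm -f "$sample"

# The two files named in the post, if present on this machine.
for ini in /etc/php5/cgi/php.ini /etc/php5/fpm/php.ini; do
    if [ -r "$ini" ]; then
        echo "$ini: still enabled: $(enabled_exec_functions "$ini")"
    fi
done
```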
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    A point of clarification, it sounds like your website/webserver was compromised (ie. anything the webserver user can read/do), not the overall server itself. Compromised sites are quite common, but escaping from the user permissions that your website runs as should not happen, and is much more serious.
     
  13. NicoduWeb

    NicoduWeb New Member

    Ok thank you.
    I've traced them and I know approximately how they uploaded the file (old CMS ...).

    Happy to read it's less important than I was thinking.
    Thank you for your good job ;)
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    There was no escape from user permissions here as far as I can see, he could only see the world readable files and folders but he can not read files that are not readable for his web user like /etc/shadow. So the permission system is intact and the server was not compromised.
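
The line this thread draws between world-readable files and protected files such as /etc/shadow can be checked from the mode bits, as in this added example (not code from the thread or from ISPConfig; the function names are hypothetical). It goes slightly beyond the thread by also requiring search permission on every parent directory, considers mode bits only (no ACLs), and assumes GNU `readlink -f` so that a symlink is judged by its target.

```bash
# Added example (not from the thread): could an account that is neither owner
# nor group member of a file read it? Mode bits only; ACLs are not considered.
# Assumes GNU readlink -f (present on Debian) to resolve symlinks.

# True when mode bit $2 (004 = other-read, 001 = other-search) is set on $1.
other_has() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# True when "other" can read $1: o+r on the resolved file and o+x on every
# directory from its parent up to $2 (default /).
other_can_read() (
    top=$(readlink -f "${2:-/}") || exit 1
    file=$(readlink -f "$1") || exit 1
    other_has "$file" 004 || exit 1
    dir=$(dirname "$file")
    while other_has "$dir" 001; do
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then exit 0; fi
        dir=$(dirname "$dir")
    done
    exit 1
)

# Print the regular files under $1 that pass other_can_read, one per line.
world_readable_under() {
    find "$1" -type f -perm -004 2>/dev/null | sort |
        while IFS= read -r f; do
            if other_can_read "$f" "$1"; then printf '%s\n' "$f"; fi
        done
}

# The two files discussed in the thread.
for f in /etc/passwd /etc/shadow; do
    if other_can_read "$f"; then
        echo "$f: readable by any local account"
    else
        echo "$f: not readable by unrelated accounts"
    fi
done
```

Running `world_readable_under` on a site's directory tree lists the files that a compromised neighbouring site's user could read through system or exec.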
     
