I am paranoid. However, I get paid to be paranoid so I guess it is ok. What you think is best Till probably will be the way to go. I trust your programming skills completely and I am sure your solution will be the best all around. Once this is up I can start hacking it and see what I get. Just checked php's online documentation and the second post ,under the escapseshellcmd, is actually from someone who is talking about the security risk of this command. His personal recomendation was the same as mine. "actualy never accept any command from external sources only proven built-in predefined commands should be executed." from the php documentation website: Code: Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. Semi old security vulnerability on window IIS with php 4.3.6 and older: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=108
You are right, we shall use when ever possible strict variable checking with a tightly limiting regex. Where this is not possible, we shall consider to write a replacement for escapeshellcmd function for ISPConfig. What did you think?
As far as rewriting escapeshellcmd goes, I think rewriting would be the best way to go. Escapeshellcmd's goal is to be a generic filter not an complete filter. We could write one method or class that would take two variables. The first variable would be the user input variable, second variable would be what filter we would like to run. We would need to do a switch statement or if-else statements with a default method that returns a null value. Code: ispconfigVariableFilter(String $variable, int $checkMethod) { if (checkMethod == 1) //filter method 1 //check to see if $variable only contains [a-z][A-Z] //if passes return $variable else return null else if (checkMethod == 2) //filter method 2 //check to see if $variable only contains [a-z][A-Z][0-9] //if passes return $variable else return null ... else return null; } This would make it easier to modify the filter if an exploit is found. Also, helps to keep security uniform. As far as writing filters goes I am a strong believe of stating what a variable can contain verses what it cannot. I know I say this all the time...sorry. I want to run this by a Black Hat(hacker) programmer and see what his opinion is also. I will post back hopefully soon.
I talked with my friend about the problem and had him read the entire thread. He is firmilar with ISP Config and has looked at some of the source code before, just not an indepth look. To add weight to his opinion, I would feel comfortable saying he could easily be one of the best "security" programmers in the US. Graduated from harvard, headhunted by google to be a security programmer(he declined), and all that goodness. The reply from my friend goes as follows: In response to rewriting escapseShellCmd: In response to Tills whitelist filter for web[id]: he said that it should do the trick. In simple terms, my friend didn't find any flaws with Tills filter for web[id].
Hi, thanks for your efforts. I will check where we can insert this validation system in the ISPConfig classes hierarchy. Till
Hi, I'm back from vacations, so I will be working again in the CMS Manager. Cheers. Edit: Oh, I wanted to know, How far are you from ISPConfig 3? Would this mean that I would have to do a lot of changes toy my script?
Welcome back ISPConfig 3 will still take some time and we wont drop ISPConfig 2 with the release of ISPConfig 3 so dont worry about that. I really dont know yet how much work it will be to port this feature
What happened with this phpnuke-ispconfig integration ? Somebody know if there is a opensource-project-ISPconfig3 integration already available ?
