Monday, 19 February 2007
Use open_basedir to Prevent Attacks in PHP Applications
In a new entry on his blog, Stefan Esser tries to clear up the confusion surrounding the open_basedir directive. He addresses the question of why he recommends enabling open_basedir while also calling it a solution that is flawed by design.
Stefan says that when looking at open_basedir one has to realize that it was designed to stop PHP scripts from accessing files outside the open_basedir restrictions. He says he has demonstrated in the past that this is not safe and cannot be safe: the design is unfixably flawed because third-party libraries access files themselves. To facilitate better understanding, he demonstrates the flaws here.
He says security vulnerabilities will always exist and therefore the server setup has to be hardened against attacks. He talks about Suhosin and says it exists because there will always be vulnerable code. He says this is a concept that many people misunderstand: they believe it is possible to fix all security holes by teaching people, which is unrealistic according to him. He says even the most skilled programmer can write insecure code.
Stefan says that Suhosin, and maybe one day PHP itself, can protect you from all remote includes. But he cautions that local includes are often also possible, and in many situations they can be used to include code injected onto the server by some other means. He says log files and session storage files are good examples of files that can be abused this way. On some systems the temporary filenames are also weak, so there it is directly possible to include the temporary files uploaded with a POST upload, unless Suhosin is installed, he explains.
In this context, he says, open_basedir is a very powerful showstopper for include attacks. A remote attacker cannot break out of the open_basedir restrictions if he is only able to inject the name of a file to be included. Therefore the number of files he will be able to include with such a local file include vulnerability is limited. When open_basedir is set correctly, it should not be possible to include, for example, log files. The attack becomes a lot less dangerous because of this, he says.
He adds that only one known hole allowed bypassing open_basedir/safe_mode remotely, and it was disclosed by the Hardened-PHP Project in 2004.
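The effect described above can be reproduced with a short script. This is an added example, not code from Stefan Esser's post; the `load_page()` helper, the directory layout and the injected value are all constructed for illustration, and it assumes PHP 7 or later run from the command line with no open_basedir already configured.

```php
<?php
// Added illustration. Every path below is a constructed temp directory.
$base = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir("$base/htdocs", 0700, true);
mkdir("$base/logs", 0700, true);
$web  = realpath("$base/htdocs");
$logs = realpath("$base/logs");

file_put_contents("$web/home.php", "<?php return 'home page';");
// Constructed stand-in for a log file that holds attacker-supplied text.
file_put_contents("$logs/access.log",
    "GET /<?php return 'log content ran as PHP'; ?>\n");

// Hypothetical vulnerable loader: $page reaches include unchecked.
function load_page(string $web, string $page)
{
    ob_start();                             // swallow non-PHP text in the file
    $result = @include $web . '/' . $page;  // include yields false on failure
    ob_end_clean();
    return $result;
}

$injected = '../logs/access.log';           // constructed file-name injection

echo "Without open_basedir:\n";
var_dump(load_page($web, $injected));       // resolves into the logs directory

// Restrict file access to the web root. The trailing separator makes this
// a directory match; without it the value is treated as a path prefix.
// The restriction can only be tightened at runtime, which is why this demo
// leaves its temp directories behind instead of deleting them.
ini_set('open_basedir', $web . DIRECTORY_SEPARATOR);

echo "With open_basedir set to the web root:\n";
var_dump(load_page($web, $injected));       // same path, now outside the limit
var_dump(load_page($web, 'home.php'));      // file inside the web root
```

In a deployment the restriction belongs in php.ini or the per-vhost configuration, where the application cannot change it, with log and session directories kept outside the listed paths.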