I just made a mistake in a PHP application I'm developing with WAMP Server.
My WAMP / WWW folder is inside my D:\ disk, where I also have my personal data. My app, due to a fail in generating a dynamic path, deleted all my music, my photos and other personal files I had.
I mean... WHAT? How was it possible? I will need a recovery tool to recover that data.
How can keep the PHP from touching anything outside it's folder in www so it does not happen again? It's a disaster.
Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself.
http://php.net/manual/en/ini.core.php#ini.open-basedir
Use open_basedir to restrict file operations to within specific directories, like this (in the website's VirtualHost file)...
php_admin_value open_basedir "C:/WampDeveloper/Temp/;C:/WampDeveloper/Websites/www.example.com/webroot/"
Though if you are deleteing via the command line or bat file (e.g., you are not using PHP file functions directly), the only way to fix this is to set Apache to run under a custom account that only has permissions set on WAMP's folder.
Related
I've tried searching about this online but found nothing decent. Here is my setup
NGINX serving php, javascript, css, html, etc
There is a folder inside web root that ONLY localhost should be able to access. (I've dealt with this permissions via location restriction in nginx directives)
How exactly should I set permissions for all folders that are not my web root? What should their permissions be? For example, /etc/nginx and /usr/whatever. What commands should I use?
And the content, properly said, which permissions should it have to allow only execution? I've read about 740 or something alike but what is "reading" a php file and "executing" a php file? How exactly should I put it?
And what about ownership of the content and users? How could I put this in root? Any important files I should change in php.ini to avoid malicious intent?
can php require any php file in my pc?
I set the apache www root folder to be d:\phpnow\htdocs, I thought that php can only require php files under this folder before ,such as require('laji/hello/a.php');
today I found it php can load any php file in my PC ,only need the full path.
how to prevent ? it should not safe for web server.
can php require any php file in my pc?
Any file that the user whom the PHP program runs as has permission to access. (That is to say, filesystem permissions).
how to prevent?
Limit the permissions on the file system or chroot the server so it runs in a sandboxed environment. (I've no idea if chrooting is possible on Windows)
it should not safe for web server.
It is perfectly safe unless either:
You allow untrusted users to install their own PHP programs on your PC (but see also What do you recommend for setting up a shared server with php)
You allow file paths on your filesystem to be selected via unfiltered user input
PHP can include any file on the server within its jailed limits, if any. In this case your computer is the server. It's not a security issue, since a remote server has no way of accessing your file system.
You can deny access to a directory using .htaccess file since you run php with Apache.
If you want to block direct access to the whole includes folder, you can put a .htaccess file (the file has only extension, and no filename. You may use notepad to type code and save it as ".htaccess" with quotes, called absolute naming) in that folder that contains;
deny from all
If you want to disable directory listing, here is a tutorial:
Directory listing in htaccess. Allow, Deny, Disable, Enable Directory Listing in .htaccess
and you may refer this Stack Overflow question .htaccess deny access to folder
Just Google for folder access deny using htaccess and you can find lots of stuff.
This question is related to another question I wrote:
Trouble using DOTNET from PHP.
Where I was using the DOTNET() function in PHP to call a DLL I had written.
I was able to get it working fine by running php.exe example.php from the command line (with the DLL's still in the PHP folder).
I moved the php file to an IIS 7 webserver folder on the same machine (leaving the DLLs in the same php folder), but I keep getting a 500 internal service error.
I've checked the server logs (in c:\inetput\logs\ and in c:\windows\temp\php53errors) but there doesn't seem to be any relevant information about what caused the error. I even tried to change the php.ini settings to get more error feedback, but that doesn't seem to help.
I can only guess that the issue may be related to:
that php file not having the proper permissions (my dll does some file reading/writing)
php can't find the DLLs
The actual error I get is:
The FastCGI process exited unexpectedly.
Any idea on how to debug this problem?
The problem here is almost certainly related to file permissions.
When you run php.exe from the command line you run as your own logged-in user. When running a PHP script from IIS, in response to an http request, php.exe runs as a different user. Depending on your version of Windows it could be
IUSR_machine - on IIS6 and prior
IUSR on IIS7 and later
These users need permissions on the php file to be executed.
Read more about it
On IIS7 and later I use a command-line tool called icacls.exe to set the permissions on directories or files that need to be read by IIS and the processes it starts (like php.exe). This security stuff applies to all IIS applications: PHP, ASPNET, ASP-classic, Python, and so on.
IIS also needs to be able to read static files, like .htm, .js, .css, .jpog, .png files and so on. You can set the same permissions for all of them: Read and Execute.
You can grant permissions directly to the user, like this:
icacls.exe YOUR-FILE-GOES-HERE /grant "NT AUTHORITY\IUSR:(RX)"
You can also grant permissions to the group, to which IUSR belongs, like this:
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(RX)"
In either case you may need to stop and restart IIS after setting file-level permissions.
If your .php script reads and writes other files or directories, then the same user needs pernissions on those other files and directories. If you need the .php script to be able to delete files, then you might want
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(F)"
...which grants full rights to the file.
You can grant permissions on an entire directory, too, specifying that all files created in that directory in the future will inherit the file-specific permissions set on the directory. For example, set the file perms for the directory, then copy a bunch of files into it, and all the files get the permissions from the parent. Do this with the OI and CI flags (those initials stand for "object-inherit" and "container-inherit").
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
copy FILE1 DIRECTORY
copy FILE2 DIRECTORY
...
When I want to create a new vdir in IIS, to allow running PHP scripts, or ASPX or .JS (yes, ASP Classic) or Python or whatever, I do these steps:
appcmd.exe add app /site.name:"Default Web Site" /path:/vdirpath /physicalPath:c:\docroot
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
Then I drop files into the directory, and they get the proper permissions.
Setting the ACL (access control list) on the directory will not change the ACL for the files that already exist in the directory. If you want to set permissions on the files that are already in the directory, you need to use icacls.exe on the particular files. icacls accepts wildcards, and it also has a /t switch that recurses.
I have a project where Red5 is recording videos. I need PHP to be able to access the videos and move them so they can be accessed by HTML.
How can I do this?
I found this post: Accessing files outside the document root with Apache
But it involves updating some file that was never specified. And I'm not sure it is a viable solution in this case anyway.
lee
PHP by default can already access files outside the web root, unless restricted with an open_basedir directive (or safe mode, but hope you're not in that cage).
It's normally a good practice to insert within a VirtualHost configuration an open_basedir restriction. You can specify multiple directories separated by : on Linux and ; on windows.
php_admin_value open_basedir /var/www/s/stage:/usr/share/php:/your/dir
To access those files either use an absolute path or a path relative to the position of the PHP file called. (So you'll have to ../ to reach levels above).
Also be sure that directories in which you want to write to are assigned to the webserver user and have write permission.
Scratching my head on this one, seems so basic.
I've got a PHP based content management system for our website written by a contractor. One feature is the ability to upload images to be displayed in various places on the website (like a product gallery). All such uploaded images are stored in a particular directory called "attachments".
drwxrwsr-x 4 www ftpusers 4096 Oct 10 14:47 attachments
As you can see I've got the setgid bit set on that dir so that any files written will have the group that users (like FTP user) who need access to those files will able to modify/overwrite them. I've set the umask for Apache so that it will write files as group writable.
When I try this with ANY user in the system by creating a new file in that directory, it correctly inherits the group of the parent. When a new file is created through PHP running in Apache, it always has the apache.apache ownership. Apache seems to be ignoring the setgid bit, which I didn't think it could do as this was done by the file system. Here is one file I uploaded:
-rw-rw-r-- 1 apache apache 30536 Oct 10 14:43 209
I can't test as the apache user directly as it doesn't have a login shell specified (for obvious security reasons).
I can get the same permissions capability by adding the ftpusers group to the apache group, but this doesn't seem wise from a security perspective.
I did find one thing that seemed like it might be related - php safe mode, which I've verified is off in /etc/php.ini, although I'm not positive I found the php.ini file that mod_php in apache is using. The php script is using move_uploaded_file(); as far as I can tell, nothing fancy with permissions is being done in the php code.
My best guess would be that this is an intentional limitations for security, but I can't find anything that seems to indicate that is the case.
Running CentOS 5.6 with Apache 2.2.17 and php 5.2.16.
Anyone have a clue?
When you upload a file it is created in the dir specified by the PHP's "upload_tmp_dir" setting. Then move_uploaded_file() moves it to your target dir. It maintains the permissions given to it upon creation and not those of the target directory you move the file to.
So you want the tmp dir to have the permissions you want, basically those you've given to your target dir. Then it will be created with the setgid having effect and the move will keep them.
IIRC "upload_tmp_dir" is not available in .htaccess so if you cannot change this setting or the permissions given to the dir then you will need to do it another way.