I have a PHP/MySQL website on 000webhost (http://www.boisvert.me.uk; but it's down for review at the moment) and I'm concerned about its security. What I'm trying to do will make any site vulnerable; it's the PHP equivalent of giving sharp scissors to children. I have various ideas for minimising the site's vulnerability, but more advice would be welcome.
In particular, there are two scripts:
An upload script. Its purpose is to allow a registered site user to upload certain XML files (tutorials). Obviously, to do that, a folder on the site gives write access to visitors. I don't like that, but I don't see a way around it. I can add checks to the script (type, size) to ensure that files uploaded are limited to XML and some images. Are there other points I could improve this with?
Script 2 is an interpreter for PHP - a user can enter PHP in a form and it will execute (without saving). I want users to be allowed to try database access, so a crude string replacement ensures that I don't need to give away MySQL access information. But an attacker could use this interpreter to obtain access to the files area and upload unwelcome material. My solution would be to place the interpreter in a separate domain, where no files can be uploaded.
Any advice to improve on this is welcome, bar "don't do it". I know it's dangerous. So is crossing the street. Thanks for your help.
First point is covered by previous answers (and probably many times elsewhere on this site)
For the second point, I'm going to make some suggestions if you feel you simply must have this. You could compile your own PHP binary, excluding all options that you don't expect your users to need (perhaps omit everything except MySQL). You should then create a php.ini file which disables any functions that are potentially dangerous (use the disable_functions config option for this - see other answers). Limit memory usage and CPU time to sensible numbers (for the simple scripts you want to allow users to run). Now we should be able to run all of that in a chrooted environment using something like system("chroot /path/to/secure/dir ./php tempfile.php");. /path/to/secure/dir should be the directory to which you write the user's PHP script as a temporary file. It should contain the PHP executable and the secure php.ini file. These files and the secure directory should be owned by a user other than the one running the script (particularly the PHP executable and php.ini file) and not writable by anyone. The secure directory should be outside of the web root.
Now, I'm not going to pretend that I've thought of everything, but hopefully these ideas could be the basis of a secure environment for you.
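The following is an added example, not code from the answer above or from the site in question. It is one way to wire up the pieces the answer lists (a stripped-down PHP binary, a locked-down php.ini, resource limits, a chroot, a temp file in a secure directory) into a wrapper the form handler can call, with a wall-clock limit and an output cap added on top. Every path, the php.ini contents and the privilege arrangement are assumptions, spelled out in the comments.

```php
<?php
// Added example, not code from the original answer or the site in question.
// Runs an untrusted PHP snippet inside the chrooted, stripped-down interpreter
// the answer describes, with a wall-clock limit and an output cap added.
// Everything below is an assumption about how the secure directory is laid out:
//   /srv/sandbox          secure dir outside the web root, root-owned, mode 0755
//   /srv/sandbox/php      minimal PHP CLI build (only the MySQL extension)
//   /srv/sandbox/php.ini  hardened ini, root-owned and read-only, e.g.
//       disable_functions = exec,passthru,shell_exec,system,proc_open,popen,
//                           dl,fopen,file_put_contents,unlink,mail,chmod
//       open_basedir = /tmp
//       memory_limit = 16M
//       max_execution_time = 5
//       allow_url_fopen = Off
//   /srv/sandbox/tmp      the only directory the web user can write to
// chroot(8) requires root, so this wrapper is assumed to run through a helper
// that has that privilege for exactly this command.

const SANDBOX_DIR = '/srv/sandbox';
const SANDBOX_TMP = SANDBOX_DIR . '/tmp';
const OUTPUT_CAP  = 64 * 1024;   // bytes of stdout/stderr we keep

function run_sandboxed(string $userCode, int $seconds = 5): array
{
    $tmp = tempnam(SANDBOX_TMP, 'snippet_');
    if ($tmp === false) {
        throw new RuntimeException('cannot create temp file in ' . SANDBOX_TMP);
    }
    // We prepend the open tag ourselves; the form takes PHP code, not HTML.
    file_put_contents($tmp, "<?php\n" . $userCode, LOCK_EX);
    $inside = '/tmp/' . basename($tmp);   // the same file as seen from inside the chroot

    // ulimit caps CPU seconds and address space for the child only; exec makes
    // php inherit the shell's pid so proc_terminate() below hits the right process.
    // -n ignores every php.ini except the one named with -c.
    $cmd = 'ulimit -t ' . (int) $seconds . ' -v 65536; '
         . 'exec chroot ' . escapeshellarg(SANDBOX_DIR)
         . ' ./php -n -c /php.ini ' . escapeshellarg($inside);

    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, SANDBOX_DIR);
    if (!is_resource($proc)) {
        unlink($tmp);
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);                       // the snippet gets no stdin
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = $err = '';
    $killed = false;
    $deadline = microtime(true) + $seconds;
    do {
        $status = proc_get_status($proc);
        $out .= (string) stream_get_contents($pipes[1]);
        $err .= (string) stream_get_contents($pipes[2]);
        if (!$status['running']) {
            break;
        }
        // The wall-clock limit catches sleep() and blocking DB calls, which
        // ulimit -t (CPU time) does not; the cap stops unbounded output.
        if (microtime(true) > $deadline || strlen($out) + strlen($err) > OUTPUT_CAP) {
            proc_terminate($proc, 9);
            $killed = true;
            break;
        }
        usleep(50000);
    } while (true);

    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    unlink($tmp);                            // nothing of the snippet stays on disk

    return [
        'output'   => substr($out, 0, OUTPUT_CAP),
        'stderr'   => substr($err, 0, OUTPUT_CAP),
        'exitcode' => $killed ? null : $status['exitcode'],
        'killed'   => $killed,
    ];
}

// Constructed call, e.g. from the form handler:
// $r = run_sandboxed($_POST['code']); echo '<pre>' . htmlspecialchars($r['output']) . '</pre>';
```

One caveat the question itself raises: if real MySQL credentials are substituted into the snippet before it is written out, the snippet can simply echo them (or read its own file), so the account used must be a throwaway one with only the privileges the tutorials need. The chroot and php.ini limit what the snippet can touch on the server; they do nothing about what it can do with a database account it is handed.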
Well, Script 2 definitely is a no go in my eyes. Unless you are completely sure you can avoid ANY kind of script you don't want to have run on your server (and believe me, that's simply not done), I would get rid of this idea. In that case you'd more likely be scripting this and storing the code until it has been reviewed by you, and then the user can execute it.
I'm not sure what access you want to give them to the database, but perhaps you could control it a little more by creating some kind of form saying:
(1) give me data from [table]
(2) based on these criteria
(3) from startdate to enddate
Not sure if that fits your needs, but if it's just database access you want to give them, doing it using a search function is far more controllable than letting them execute pieces of PHP code.
Your first question is only a risk if you didn't secure it well enough. Opening a folder for uploads isn't the biggest risk; no-one can just put files in there. The risk is bad security which allows malicious files to be uploaded (PHP files for example) that can be run afterwards. So besides checking for file type, file extension, file size, file headers etc. you might also want to put these files OUTSIDE your website root folder. If they are just images and XML files you can write your PHP script in a way that it gets the file contents (file_get_contents) and creates an XML/image file based on what it has read.
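As an added example (not the original poster's upload script and not code from the answer above), here is an upload handler that does what the answer describes: it checks the upload's size, extension and real content type, stores the result outside the web root under a server-chosen name, and rebuilds the file from its parsed contents rather than saving the uploaded bytes as they arrived. The upload directory, the form field name, the `<tutorial>` root element and the availability of the GD and DOM extensions are all assumptions.

```php
<?php
// Added example, not the original poster's upload script. It applies the checks
// the answer lists (size, extension, real content type) and then, as the answer
// suggests, rebuilds the file from its parsed contents instead of saving the
// uploaded bytes as-is. Assumptions: uploads go to /srv/site-data/uploads
// (outside the web root, writable only by the web user), the form field is
// "tutorial", tutorial XML has a <tutorial> root element, and the GD and DOM
// extensions are loaded. All of these names are hypothetical.

const UPLOAD_DIR = '/srv/site-data/uploads';
const MAX_BYTES  = 512 * 1024;
// Client extension => MIME types finfo may legitimately report for the bytes.
const ALLOWED = [
    'xml'  => ['text/xml', 'application/xml'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

function store_upload(array $file): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $error);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name only tells us which handler the user intended...
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // ...the type that counts comes from the bytes themselves.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    $raw = file_get_contents($file['tmp_name']);
    $ext = $ext === 'jpeg' ? 'jpg' : $ext;
    // Server-generated name: nothing from the client reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if ($ext === 'xml') {
        rebuild_xml($raw, $dest);
    } else {
        rebuild_image($raw, $dest, $ext);
    }
    return $dest;
}

function rebuild_xml(string $raw, string $dest): void
{
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD, so entities are not expanded and
    // external DTDs are not fetched (XXE); LIBXML_NONET blocks any network access.
    // On PHP < 8.0 also call libxml_disable_entity_loader(true) first.
    $ok = $dom->loadXML($raw, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->doctype !== null) {
        throw new RuntimeException('not well-formed XML, or carries a DOCTYPE');
    }
    if ($dom->documentElement->tagName !== 'tutorial') {   // assumed root element
        throw new RuntimeException('not a tutorial document');
    }
    // Write the serialised tree, not the original bytes.
    if (file_put_contents($dest, $dom->saveXML(), LOCK_EX) === false) {
        throw new RuntimeException('cannot write ' . $dest);
    }
}

function rebuild_image(string $raw, string $dest, string $ext): void
{
    $img = @imagecreatefromstring($raw);   // decodes PNG/JPEG/GIF, fails on anything else
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Re-encoding from the decoded pixels drops trailing data, comment/EXIF
    // chunks and polyglot tricks that the uploaded bytes may have carried.
    switch ($ext) {
        case 'png': $ok = imagepng($img, $dest);      break;
        case 'gif': $ok = imagegif($img, $dest);      break;
        default:    $ok = imagejpeg($img, $dest, 85); break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('cannot write ' . $dest);
    }
}

// Constructed call from the form handler:
// try { $path = store_upload($_FILES['tutorial']); }
// catch (RuntimeException $e) { http_response_code(400); exit(htmlspecialchars($e->getMessage())); }
```

Because the files live outside the web root, they are never reachable by URL; serve them through a small script that looks up the stored name by id and sends a fixed Content-Type, so even a file that slipped through is delivered as data, never executed by the web server.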