
View Issue Details

ID: 14621
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-12 12:49
Reporter: ollehar
Assigned To: (none)
Priority: none
Severity: feature
Status: new
Resolution: open
Product Version: (none)
Target Version: (none)
Fixed in Version: (none)
Summary: 14621: Hardening PHP during installation
Description

During the installation, warnings should be shown if PHP is in an insecure setting, e.g. if open_basedir is empty.

Tags: No tags attached.

Activities

ollehar (administrator) 2019-03-08 22:54 ~50873

@DenisChenu Any thoughts?

ollehar (administrator) 2019-03-08 22:58 ~50874
Last edited: 2019-03-08 23:51

open_basedir also needs upload_tmp_dir, session.save_path and /dev/urandom.

Other tips: https://howtogetonline.com/how-to-harden-your-php-for-better-security.php

Argument against configuration: https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

DenisChenu (developer) 2019-03-08 23:38 ~50875
Last edited: 2019-03-08 23:38

I have a lot of systems where open_basedir is badly set, for example: path:/usr/php;. but open_basedir to . only.

I'm totally unsure if we need to try to fix server security issues. Do you know a free tool that checks that?

Else:
allow_url_fopen: we need it for auto update, no?
max_execution_time: we already set it to 1200, which is really bigger than we really need: WE must fix this and ask for it only for stats (it's done for stats …)
expose_php: lol: security by hiding, let me laugh …
max_input_vars: default 1000 is broken for LimeSurvey for more than 300 answers or some array/text: we must try to fix it and remove unneeded POSTED vars.
display_errors: debug: 0 => OK
open_basedir: on my .me: /home/www/demo.sondages.me/htdocs:/home/www/share/:/tmp:/home/www/demo.sondages.me/tmp:/home/www/demo.sondages.me/config:/home/www/share:/usr/share/php:/usr/share/pear: you say it's OK or not (same user for all www)?, on .pro: no value: apache_mpm_itk: each server with their own user: the user doesn't have rights on /etc for example: you say it's OK? You can't: no value is insecure BUT: mpm_itk does the securing here.

ollehar (administrator) 2019-03-08 23:56 ~50879

Default settings on /etc/passwd is -rw-r--r--, which means readable by all users, including a web user like www-data.

DenisChenu (developer) 2019-03-09 00:40 ~50883

Right, but we must disallow reading files in open_basedir too: application/config/config.php is a good example.
Thinking this can fix the issue is a bad solution: the last security issue is an example: LimeSurvey devs must take care of ALL file reading before adding it …

DenisChenu (developer) 2019-03-12 12:11 ~50916
Last edited: 2019-03-12 12:14

About open_base_dir : https://www.limesurvey.org/forum/can-i-do-this-with-limesurvey/117910-excel-error-in-statistical-output-format#181576
:)

set_include_path("."); works with LimeSurvey, but maybe not what the user wants :)

Else on some servers: ini_set can be used

DenisChenu (developer) 2019-03-12 12:19 ~50917
Last edited: 2019-03-12 12:20

set_include_path('.'); // only the current directory is searched for includes
ini_set('open_basedir',dirname(dirname(dirname(__FILE__)))); // restrict file access to the LimeSurvey root, three levels above application/config/config.php

in config.php

Then maybe we can update the default config.php to

@set_include_path('.'); // @ hides the warning on servers that forbid changing this setting
@ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));

DenisChenu (developer) 2019-03-12 15:40 ~50925

@ollehar: I attach some security issues to this one, because I think LimeSurvey must be "secure proof" before giving advice …

ollehar (administrator) 2019-03-12 15:44 ~50926

True. I was discussing on the ##php IRC channel about it, too. There's really no good way to check if your server is secure on the PHP level. You can check if the web user has access to this or that file, and recommend that it shouldn't, but there's no way to check if you are running in a secure container, jail or virtual machine.

"container > chroot > open_basedir"

ollehar (administrator) 2019-03-12 16:32 ~50929

This script could maybe be used in the security tab? "Extra PHP security check". https://github.com/sektioneins/pcc

DenisChenu (developer) 2019-03-12 17:48 ~50932

See https://github.com/sektioneins/pcc/blob/master/phpconfigcheck.php#L162
The issue is here too: creating a script to check security can show an open door.

And super admin users are not always the server managers …

DenisChenu (developer) 2019-03-13 08:47 ~50939
Last edited: 2019-03-13 09:00

Found an issue about set_include_path(".");

$ php application/commands/console.php 
PHP Error[2]: include(DbConnection.php): failed to open stream: No such file or directory
    in file /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php at line 463
#0 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(463): include()
#1 unknown(0): autoload()
#2 unknown(0): spl_autoload_call()
#3 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(310): class_exists()
#4 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(204): import()
#5 /mnt/data/shnoulle/nginx/www/master/framework/base/CModule.php(393): createComponent()
#6 /mnt/data/shnoulle/nginx/www/master/framework/base/CModule.php(103): ConsoleApplication->getComponent()
#7 /mnt/data/shnoulle/nginx/www/master/application/core/ConsoleApplication.php(63): ConsoleApplication->__get()
#8 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(132): ConsoleApplication->__construct()
#9 /mnt/data/shnoulle/nginx/www/master/application/commands/console.php(56): createApplication()

Fixed with

if(!defined('YII_PATH')) { // skip when YII_PATH is already defined, which is the console.php case above
    set_include_path('.');
    ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));
}

DenisChenu (developer) 2019-03-19 08:50 ~51046

Updated the fix

if(!defined('YII_PATH')) {
    // upload_tmp_dir when set, else the system temp dir: uploads must stay inside open_basedir
    $tmpdir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    set_include_path('.');
    ini_set('open_basedir',$tmpdir.PATH_SEPARATOR.dirname(dirname(dirname(__FILE__))));
}

DenisChenu (developer) 2019-03-19 08:52 ~51047
Last edited: 2019-03-19 08:54

@ollehar: maybe we can update the default generated config.php file when installing?
And

  1. Set the runtimepath
  2. Set the session cookie name (random string starting with LIMESURVEY_)
  3. Set the open_base_dir

Maybe these 3 can have options when installing. Then we secure new installations by default?
Your opinion?

PS: 1st step is to have a config-generation.php file: easiest to update, with some replacements to do ([REPLACEMENT]?)

DenisChenu (developer) 2019-03-27 12:19 ~51163

About security, maybe adding (when installing):

  1. Create the upload/survey/1/ directory
  2. Create an upload/survey/1/test.php that does an echo 'executed'
  3. Call the php file in ajax
  4. If we receive anything other than a 4XX error: send a warning
  5. If we receive “executed”: send a danger

And for fu_file
Do the same things with a 1x1px image.
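The probe proposed in the comment above, written out as an added example that is not LimeSurvey's own code: it drops a PHP file into the upload directory, fetches it over HTTP and classifies the answer the way the steps describe. The function and parameter names, the random probe file name and the 'unknown' result for an unwritable or unreachable probe are assumptions of this example.

```php
<?php
// Added example, not LimeSurvey code: does the web server execute PHP files that
// land in the upload directory? Returns 'ok' (4xx: the server refuses them),
// 'danger' (the file ran), 'warning' (anything else, e.g. source served as text)
// or 'unknown' (probe could not be written or fetched). Parameter names are assumed.
function uploadDirExecutesPhp(string $uploadDir, string $uploadUrl): string
{
    // Random name, so a leftover from an earlier run is never mistaken for this probe.
    $name = 'probe_' . bin2hex(random_bytes(8)) . '.php';
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if ((!is_dir($uploadDir) && !mkdir($uploadDir, 0755, true))
        || file_put_contents($path, "<?php echo 'executed';") === false) {
        return 'unknown';
    }
    $status = 0;
    try {
        // ignore_errors keeps the body on 4xx/5xx instead of returning false.
        $ctx  = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
        $body = @file_get_contents(rtrim($uploadUrl, '/') . '/' . $name, false, $ctx);
        // The http wrapper fills $http_response_header; its first line carries the status.
        if (!empty($http_response_header)
            && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
            $status = (int) $m[1];
        }
    } finally {
        @unlink($path);   // never leave the probe file behind, whatever happened
    }
    if ($body === false) {
        return 'unknown';
    }
    // Exact match only: a server that serves the raw source also returns the
    // word "executed" (inside the PHP tag), and that is a warning, not a danger.
    if (trim($body) === 'executed') {
        return 'danger';  // PHP placed in the upload directory is executed
    }
    return ($status >= 400 && $status < 500) ? 'ok' : 'warning';
}

// Constructed usage from the installer, with paths it already knows (assumed values):
echo uploadDirExecutesPhp(__DIR__ . '/upload/survey/1', 'https://example.test/upload/survey/1'), PHP_EOL;
```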

DenisChenu (developer) 2019-04-08 16:05 ~51418

Current test

$runtimePath = "myruntimePath"; // placeholder for the real runtime directory path
if(!defined('YII_PATH')) {
    // upload_tmp_dir when set, else the system temp dir: uploads must stay inside open_basedir
    $tmpdir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    set_include_path('.');
    // allowed prefixes: temp dir, runtime dir and the LimeSurvey root
    ini_set('open_basedir',$tmpdir.PATH_SEPARATOR.$runtimePath.PATH_SEPARATOR.dirname(dirname(dirname(__FILE__))));
}
…
…
    // Directory must be readable and writable by the webuser
    'runtimePath'=>$runtimePath,

But we need runtimePath available when installing
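The install-time check the issue description asks for, as an added example that is not LimeSurvey's own code: it reports whether open_basedir is empty and, when it is set, whether it covers the directories named in this thread (application root, runtimePath, upload_tmp_dir, session.save_path), plus the display_errors, allow_url_include and max_input_vars points raised above. It only reports; it changes nothing. The function name, the $appRoot and $runtimePath parameters and the severity labels are assumptions of this example.

```php
<?php
// Added example, not LimeSurvey code: install-time findings for the PHP settings
// discussed in this issue. Returns [level, message] pairs for the installer to show.
// Assumed inputs: $appRoot is the LimeSurvey root, $runtimePath the runtime directory.
function phpHardeningFindings(string $appRoot, string $runtimePath): array
{
    $findings = [];
    $openBasedir = (string) ini_get('open_basedir');
    if ($openBasedir === '') {
        $findings[] = ['warning', 'open_basedir is empty: PHP can read every file the web user can read.'];
    } else {
        // Directories LimeSurvey needs at runtime; each must sit under an allowed entry.
        // open_basedir entries are string prefixes (PHP manual), so a prefix test mirrors PHP.
        $needed = [
            'application root'  => $appRoot,
            'runtimePath'       => $runtimePath,
            'upload_tmp_dir'    => ini_get('upload_tmp_dir') ?: sys_get_temp_dir(),
            // session.save_path may read "N;/path": keep only the part after the last ';'
            'session.save_path' => substr(strrchr(';' . ini_get('session.save_path'), ';'), 1) ?: sys_get_temp_dir(),
        ];
        $prefixes = array_filter(explode(PATH_SEPARATOR, $openBasedir));
        foreach ($needed as $label => $dir) {
            $real = realpath($dir) ?: $dir;
            $covered = false;
            foreach ($prefixes as $prefix) {
                if (strpos($real, realpath($prefix) ?: $prefix) === 0) { $covered = true; break; }
            }
            if (!$covered) {
                $findings[] = ['danger', "open_basedir excludes $label ($dir): uploads or sessions will break."];
            }
        }
    }
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = ['warning', 'display_errors is on: errors leak paths and queries to visitors.'];
    }
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = ['danger', 'allow_url_include is on: include() accepts remote URLs.'];
    }
    if ((int) ini_get('max_input_vars') <= 1000) {
        $findings[] = ['warning', 'max_input_vars is 1000 or less: large surveys lose posted answers.'];
    }
    return $findings;
}

// Constructed usage: the installer passes the paths it already knows (assumed values).
foreach (phpHardeningFindings(dirname(__DIR__), dirname(__DIR__) . '/tmp/runtime') as [$level, $msg]) {
    echo strtoupper($level), ': ', $msg, PHP_EOL;
}
```

When the check passes, the config.php snippet from the comments above can still narrow open_basedir at run time; PHP lets ini_set() tighten open_basedir but never widen it, so the listed prefixes must already lie inside what php.ini allows.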

Issue History

Date Modified Username Field Change
2019-03-08 22:54 ollehar New Issue
2019-03-08 22:54 ollehar Note Added: 50873
2019-03-08 22:58 ollehar Note Added: 50874
2019-03-08 23:38 DenisChenu Note Added: 50875
2019-03-08 23:38 DenisChenu Note Edited: 50875 View Revisions
2019-03-08 23:51 ollehar Note Edited: 50874 View Revisions
2019-03-08 23:56 ollehar Note Added: 50879
2019-03-09 00:40 DenisChenu Note Added: 50883
2019-03-12 12:11 DenisChenu Note Added: 50916
2019-03-12 12:14 DenisChenu Note Edited: 50916 View Revisions
2019-03-12 12:19 DenisChenu Note Added: 50917
2019-03-12 12:19 DenisChenu Note Edited: 50917 View Revisions
2019-03-12 12:19 DenisChenu Note Edited: 50917 View Revisions
2019-03-12 12:20 DenisChenu Note Edited: 50917 View Revisions
2019-03-12 15:32 DenisChenu Relationship added related to 14637
2019-03-12 15:32 DenisChenu Relationship deleted related to 14637
2019-03-12 15:32 DenisChenu Relationship added child of 14637
2019-03-12 15:35 DenisChenu Relationship added related to 12603
2019-03-12 15:35 DenisChenu Relationship deleted child of 14637
2019-03-12 15:35 DenisChenu Relationship added related to 14637
2019-03-12 15:35 DenisChenu Relationship added related to 14408
2019-03-12 15:40 DenisChenu Note Added: 50925
2019-03-12 15:44 ollehar Note Added: 50926
2019-03-12 16:32 ollehar Note Added: 50929
2019-03-12 17:48 DenisChenu Note Added: 50932
2019-03-13 08:47 DenisChenu Note Added: 50939
2019-03-13 09:00 DenisChenu Note Edited: 50939 View Revisions
2019-03-15 07:59 DenisChenu Relationship added related to 14643
2019-03-19 08:50 DenisChenu Note Added: 51046
2019-03-19 08:52 DenisChenu Note Added: 51047
2019-03-19 08:54 DenisChenu Note Edited: 51047 View Revisions
2019-03-27 12:19 DenisChenu Note Added: 51163
2019-04-08 16:05 DenisChenu Note Added: 51418
2019-04-12 12:49 DenisChenu Relationship added related to 14772