ID: 14621
Project: Feature requests
Category: Security
View Status: public
Last Update: 2023-02-03 18:03
Reporter: ollehar
Assigned To: (none)
Priority: none
Severity: feature
Status: new
Resolution: open
Summary: 14621: Hardening PHP during installation
Description

During the installation, warnings should be shown if PHP is in an insecure setting, e.g. if open_basedir is empty.

Tags: No tags attached.
Bug heat: 256
Story point estimate: 0
Users affected %: 10

Relationships

related to 12603 (closed, dominikvitt) Bug reports: Setting emailsmtppassword is saved as clear text
related to 14637 (new) Feature requests: New install: allow to set runtimePath at installer
related to 14408 (closed, c_schmitz) Feature requests: DSVGO - sending passwort in plain-text with an e-mail is no longer allowed
related to 14643 (new) Feature requests: SiteHealth section/plugin to check environment and setup of LimeSurvey

Users monitoring this issue

DenisChenu

Activities

ollehar

2019-03-08 22:54

administrator   ~50873

@DenisChenu Any thoughts?

ollehar

2019-03-08 22:58

administrator   ~50874

Last edited: 2019-03-08 23:51

open_basedir also needs upload_tmp_dir and session.save_path and /dev/urandom.

Other tips: https://howtogetonline.com/how-to-harden-your-php-for-better-security.php

Argument against configuration: https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

DenisChenu

2019-03-08 23:38

developer   ~50875

Last edited: 2019-03-08 23:38

I have a lot of systems where open_basedir is badly set, for example: path:/usr/php;. but open_basedir set to . only.

I'm totally unsure if we need to try to fix server security issues. Do you know a free tool that checks that?

Else:
allow_url_fopen: we need it for auto update, no?
max_execution_time: we already set it to 1200, which is really bigger than we really need: WE must fix this and ask for it only for stats (it's done for stats …)
expose_php: lol: security by hiding, let me laugh …
max_input_vars: the default 1000 is broken for LimeSurvey for more than 300 answers or some array/text: we must try to fix it and remove unneeded POSTed vars.
display_errors: debug: 0 => OK
open_basedir: on my .me: /home/www/demo.sondages.me/htdocs:/home/www/share/:/tmp:/home/www/demo.sondages.me/tmp:/home/www/demo.sondages.me/config:/home/www/share:/usr/share/php:/usr/share/pear : you say it's OK or not (same user for all www)?, on .pro: no value: apache_mpm_itk: each server with its own user: the user doesn't have rights on /etc for example: you say it's OK? You can't: no value is insecure BUT: mpm_itk does the secure here.

ollehar

2019-03-08 23:56

administrator   ~50879

Default settings on /etc/passwd is -rw-r--r--, which means readable by all users, including a web user like www-data.

DenisChenu

2019-03-09 00:40

developer   ~50883

Right, but we must disallow reading files in open_basedir too: application/config/config.php is a good example.
Thinking this can fix the issue is a bad solution: the last security issue is an example: LimeSurvey devs must take care of ALL file reads before adding them …
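The two points argued across the last few notes (an empty open_basedir lets PHP read anything the web user can read, and a populated one still does not protect the application's own config.php, while it must also cover what PHP itself needs for uploads and sessions) can be made concrete with a small check script. The following is an added example, not LimeSurvey code: it models PHP's open_basedir prefix match and turns the settings listed above into installer-style findings. The function names, thresholds and messages are assumptions; the open_basedir list in the demo is the one quoted in note ~50875.

```php
<?php
// Added example (not LimeSurvey code): install-time findings for the PHP ini
// settings discussed in notes ~50874, ~50875 and ~50883, plus a model of how
// open_basedir matching works. Helper names, thresholds and messages are
// assumptions; the demo list is the one quoted in ~50875.

/**
 * Mimic PHP's open_basedir test: resolve both sides and compare prefixes.
 * An empty setting means "unrestricted". The comparison is a plain prefix
 * match, so '/dir/incl' also permits '/dir/include'; a trailing slash on the
 * entry avoids that (see the open_basedir entry in the PHP manual).
 */
function pathInsideOpenBasedir(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true;
    }
    $resolved = realpath($path) ?: $path;            // nonexistent paths are compared as given
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        if ($entry === '') {
            continue;
        }
        $trailing = substr($entry, -1) === '/' || substr($entry, -1) === '\\';
        $base = realpath($entry) ?: $entry;          // '.' resolves to the current working directory
        if ($trailing) {
            $base = rtrim($base, '/\\') . DIRECTORY_SEPARATOR;
        }
        if (strncmp($resolved, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Findings for the running PHP as [level, setting, message] triples.
 * 'danger' breaks or exposes the install; 'warning' should be reviewed.
 */
function phpHardeningFindings(int $neededInputVars = 1000): array
{
    $f = [];
    $openBasedir = (string) ini_get('open_basedir');
    if ($openBasedir === '') {
        $f[] = ['warning', 'open_basedir', 'empty: PHP may read any file the web user can read (/etc/passwd, other sites)'];
    } else {
        // open_basedir must also cover what PHP itself needs (~50874): temp uploads and sessions.
        $savePath = (string) ini_get('session.save_path');
        if (($pos = strrpos($savePath, ';')) !== false) {
            $savePath = substr($savePath, $pos + 1);     // "N;/path" form: keep the path part
        }
        $needed = [
            'upload_tmp_dir'    => ini_get('upload_tmp_dir') ?: sys_get_temp_dir(),
            'session.save_path' => $savePath !== '' ? $savePath : sys_get_temp_dir(),
        ];
        foreach ($needed as $name => $dir) {
            if (strpos($dir, '://') === false && !pathInsideOpenBasedir($dir, $openBasedir)) {
                $f[] = ['danger', 'open_basedir', "$name ($dir) is outside open_basedir; uploads or sessions will fail"];
            }
        }
    }
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $f[] = ['warning', 'display_errors', 'on: errors, paths and traces are shown to visitors; log them instead'];
    }
    if (filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
        $f[] = ['warning', 'expose_php', 'on: the PHP version is sent in the X-Powered-By header'];
    }
    if ((int) ini_get('max_input_vars') < $neededInputVars) {
        $f[] = ['warning', 'max_input_vars', 'below ' . $neededInputVars . ': long surveys will lose POSTed answers'];
    }
    return $f;
}

// Demo: the list from ~50875 blocks /etc/passwd but still allows the
// application's own config.php, which is the point made in ~50883.
$denisList = '/home/www/demo.sondages.me/htdocs:/home/www/share/:/tmp:/home/www/demo.sondages.me/tmp'
    . ':/home/www/demo.sondages.me/config:/home/www/share:/usr/share/php:/usr/share/pear';
foreach (['/etc/passwd', '/home/www/demo.sondages.me/config/config.php'] as $p) {
    printf("%-48s %s\n", $p, pathInsideOpenBasedir($p, $denisList) ? 'allowed' : 'blocked');
}
foreach (phpHardeningFindings() as [$level, $setting, $msg]) {
    printf("[%s] %s: %s\n", strtoupper($level), $setting, $msg);
}
```

Run it with the same SAPI and php.ini the web server uses (the CLI often has its own ini), since `ini_get()` only reports the values of the process it runs in.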

DenisChenu

2019-03-12 12:11

developer   ~50916

Last edited: 2019-03-12 12:14

About open_base_dir : https://www.limesurvey.org/forum/can-i-do-this-with-limesurvey/117910-excel-error-in-statistical-output-format#181576
:)

set_include_path("."); works with LimeSurvey, but maybe not what the user wants :)

Else on some servers, ini_set can be used.

DenisChenu

2019-03-12 12:19

developer   ~50917

Last edited: 2019-03-12 12:20

set_include_path('.');
ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));

in config.php

Then maybe can update default config.php to

@set_include_path('.');
@ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));

DenisChenu

2019-03-12 15:40

developer   ~50925

@ollehar: I attach some security issues to this one, because I think LimeSurvey must be "secure proof" before giving advice …

ollehar

2019-03-12 15:44

administrator   ~50926

True. I was discussing on the ##php IRC channel about it, too. There's really no good way to check if your server is secure on the PHP level. You can check if the web user has access to this or that file, and recommend that it shouldn't, but there's no way to check if you are running in a secure container, jail or virtual machine.

"container > chroot > open_basedir"

ollehar

2019-03-12 16:32

administrator   ~50929

This script could maybe be used in the security tab? "Extra PHP security check". https://github.com/sektioneins/pcc

DenisChenu

2019-03-12 17:48

developer   ~50932

See https://github.com/sektioneins/pcc/blob/master/phpconfigcheck.php#L162
The issue is here too: creating a script to check security can show an open door.

And super admin users are not always the server managers …

DenisChenu

2019-03-13 08:47

developer   ~50939

Last edited: 2019-03-13 09:00

Found an issue about set_include_path(".");

$ php application/commands/console.php 
PHP Error[2]: include(DbConnection.php): failed to open stream: No such file or directory
    in file /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php at line 463
#0 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(463): include()
#1 unknown(0): autoload()
#2 unknown(0): spl_autoload_call()
#3 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(310): class_exists()
#4 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(204): import()
#5 /mnt/data/shnoulle/nginx/www/master/framework/base/CModule.php(393): createComponent()
#6 /mnt/data/shnoulle/nginx/www/master/framework/base/CModule.php(103): ConsoleApplication->getComponent()
#7 /mnt/data/shnoulle/nginx/www/master/application/core/ConsoleApplication.php(63): ConsoleApplication->__get()
#8 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(132): ConsoleApplication->__construct()
#9 /mnt/data/shnoulle/nginx/www/master/application/commands/console.php(56): createApplication()

Fixed with

// Only apply when the Yii framework is not loaded yet (the console command
// loads Yii before reading the config): once include_path is reduced to '.',
// Yii's include()-based autoloader no longer finds files such as
// DbConnection.php, which is the error shown above.
if(!defined('YII_PATH')) {
    set_include_path('.');
    ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));
}

DenisChenu

2019-03-19 08:50

developer   ~51046

Update of the fix:

if(!defined('YII_PATH')) {
    // PHP writes uploaded files here before the application sees them,
    // so the directory must be inside open_basedir (see note ~50874)
    $tmpdir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    set_include_path('.');
    ini_set('open_basedir',$tmpdir.PATH_SEPARATOR.dirname(dirname(dirname(__FILE__))));
}

DenisChenu

2019-03-19 08:52

developer   ~51047

Last edited: 2019-03-19 08:54

@ollehar: maybe we can update the default generated config.php file at install?
And

  1. Set the runtimePath
  2. Set the session cookie name (random string starting with LIMESURVEY_)
  3. Set the open_base_dir

Maybe these 3 can have options at install. Then we secure new installations by default?
Your opinion?

PS: 1st step is to have a config-generation.php file: easier to update, with some replacements to do ([REPLACEMENT]?)

DenisChenu

2019-03-27 12:19

developer   ~51163

About security, maybe add (at install):

  1. Create the upload/survey/1/ directory
  2. Create an upload/survey/1/test.php which does an echo 'executed'
  3. Call the PHP file via AJAX
  4. If we receive anything other than a 4XX error: send a warning
  5. If we receive “executed”: send a danger

And for fu_file, do the same thing with a 1x1px image.
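The probe described in this note, written out as an added example that is not LimeSurvey code: it drops a marker script into the upload directory, fetches it over HTTP, classifies the reply into the three outcomes above and always removes the file again. The function name, the 'ok'/'warning'/'danger' return values, the directory and the URL are assumptions; the 1x1px image variant for fu_file is not covered.

```php
<?php
// Added example (not LimeSurvey code): the install-time upload-directory
// probe from note ~51163. Directory, URL and return values are assumptions.
// Uses file_get_contents over http://, so allow_url_fopen must be on (swap in
// curl if it is not).

function probeUploadDirExecution(string $uploadDir, string $uploadUrl): string
{
    // Unguessable file name; the file exists only for the duration of the probe.
    $name = 'probe_' . bin2hex(random_bytes(6)) . '.php';
    $file = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($file, "<?php echo 'executed';\n") === false) {
        throw new RuntimeException("cannot write a test file into $uploadDir");
    }
    try {
        $ctx = stream_context_create(['http' => [
            'method'        => 'GET',
            'timeout'       => 5,
            'ignore_errors' => true,      // return the body on 4xx/5xx instead of false
        ]]);
        $body = @file_get_contents(rtrim($uploadUrl, '/') . '/' . $name, false, $ctx);

        // $http_response_header is set in this scope by the http wrapper.
        $status = 0;
        if (isset($http_response_header[0])
            && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
            $status = (int) $m[1];
        }

        if ($status >= 400 && $status < 500) {
            return 'ok';        // the server refuses to serve anything from the upload tree
        }
        if ($body !== false && trim($body) === 'executed') {
            return 'danger';    // uploaded PHP runs: whoever can upload a file can run code
        }
        return 'warning';       // served as plain text, redirected, or unexpected status: review the vhost
    } finally {
        @unlink($file);         // never leave the marker behind, whatever happened
    }
}

// Constructed usage; adjust to the real install.
$result = probeUploadDirExecution(
    __DIR__ . '/upload/survey/1',
    'http://localhost/limesurvey/upload/survey/1'
);
echo "upload directory execution check: $result\n";
```

A 'warning' result is worth inspecting by hand before shipping the install: a 200 that returns the raw PHP source means the file is served but not executed, which leaks uploaded content but is not code execution, while a 3xx usually means a login redirect sits in front of the upload path and the probe did not reach it.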

DenisChenu

2019-04-08 16:05

developer   ~51418

Current test:

$runtimePath = "myruntimePath";
if(!defined('YII_PATH')) {
    $tmpdir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    set_include_path('.');
    ini_set('open_basedir',$tmpdir.PATH_SEPARATOR.$runtimePath.PATH_SEPARATOR.dirname(dirname(dirname(__FILE__))));
}
…
…
    // Directory must be readable and writable by the webuser
    'runtimePath'=>$runtimePath,

But runtimePath needs to be available at install.
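The three settings proposed in note ~51047 (runtimePath, a random session cookie name, open_basedir) and the [REPLACEMENT]-style config-generation file mentioned there can be combined as follows. This is an added example, not LimeSurvey's installer: the template text, the placeholder token names, the helper names and the assumption that the script lives one directory below the application root are all mine; the Yii `sessionName` key under `components.session` is the standard Yii 1 property, but whether LimeSurvey's generated config uses exactly that shape is not confirmed by the thread. Requires PHP 7.4 or later for the arrow functions.

```php
<?php
// Added example (not LimeSurvey code): generate the install-time settings from
// note ~51047 and render them into a config.php template with [TOKEN]
// placeholders, as suggested in the same note. Template, token names and
// helper names are assumptions.

/** Cookie-safe session name: LIMESURVEY_ plus 16 hex chars from the CSPRNG. */
function randomSessionName(): string
{
    return 'LIMESURVEY_' . bin2hex(random_bytes(8));
}

/**
 * Directories PHP must be allowed to touch, deduplicated, each with a trailing
 * separator so the open_basedir prefix match cannot spill into sibling
 * directories. Entries that do not exist as directories are skipped.
 */
function openBasedirFor(string $appRoot, string $runtimePath): string
{
    $savePath = (string) ini_get('session.save_path');
    if (($pos = strrpos($savePath, ';')) !== false) {
        $savePath = substr($savePath, $pos + 1);       // "N;/path" form: keep the path part
    }
    $dirs = [
        $appRoot,
        $runtimePath,
        ini_get('upload_tmp_dir') ?: sys_get_temp_dir(),
        $savePath !== '' ? $savePath : sys_get_temp_dir(),
    ];
    $out = [];
    foreach ($dirs as $d) {
        $d = rtrim($d, '/\\') . DIRECTORY_SEPARATOR;
        if (is_dir($d)) {
            $out[$d] = true;                              // keyed array = dedup
        }
    }
    return implode(PATH_SEPARATOR, array_keys($out));
}

/**
 * Replace [TOKEN] placeholders with PHP literals. var_export() quotes and
 * escapes the values, so a path containing a quote cannot break the
 * generated PHP source.
 */
function renderConfig(string $template, array $values): string
{
    $search  = array_map(fn($k) => "[$k]", array_keys($values));
    $replace = array_map(fn($v) => var_export($v, true), array_values($values));
    return str_replace($search, $replace, $template);
}

// Constructed template (assumption: not LimeSurvey's real config layout).
$template = <<<'TPL'
<?php
if (!defined('YII_PATH')) {
    // open_basedir can only be tightened at runtime, never widened, so this
    // is safe to apply on top of whatever php.ini already sets.
    @set_include_path('.');
    @ini_set('open_basedir', [OPEN_BASEDIR]);
}
return [
    'components' => [
        'session' => ['sessionName' => [SESSION_NAME]],
    ],
    // Directory must be readable and writable by the web user
    'runtimePath' => [RUNTIME_PATH],
];
TPL;

$appRoot     = dirname(__DIR__);              // assumption: script sits one level below the app root
$runtimePath = $appRoot . DIRECTORY_SEPARATOR . 'tmp' . DIRECTORY_SEPARATOR . 'runtime';
if (!is_dir($runtimePath)) {
    mkdir($runtimePath, 0750, true);          // create it first so openBasedirFor() keeps it
}

echo renderConfig($template, [
    'OPEN_BASEDIR' => openBasedirFor($appRoot, $runtimePath),
    'SESSION_NAME' => randomSessionName(),
    'RUNTIME_PATH' => $runtimePath,
]);
```

Generating the list at install time, rather than hard-coding `dirname(dirname(dirname(__FILE__)))` in config.php, is what lets the runtime directory live outside the web root while still being inside open_basedir, which is the requirement the note above ends on.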

DenisChenu

2022-09-26 18:38

developer   ~71956

PS: setting an open_base_dir on IIS/PHP broke timing: all actions take 5 seconds more.
I don't know why …

Set to current or set to empty or anything else … I really don't understand.

Issue History

Date Modified Username Field Change
2019-03-08 22:54 ollehar New Issue
2019-03-08 22:54 ollehar Note Added: 50873
2019-03-08 22:58 ollehar Note Added: 50874
2019-03-08 23:38 DenisChenu Note Added: 50875
2019-03-08 23:38 DenisChenu Note Edited: 50875
2019-03-08 23:51 ollehar Note Edited: 50874
2019-03-08 23:56 ollehar Note Added: 50879
2019-03-09 00:40 DenisChenu Note Added: 50883
2019-03-12 12:11 DenisChenu Note Added: 50916
2019-03-12 12:14 DenisChenu Note Edited: 50916
2019-03-12 12:19 DenisChenu Note Added: 50917
2019-03-12 12:19 DenisChenu Note Edited: 50917
2019-03-12 12:19 DenisChenu Note Edited: 50917
2019-03-12 12:20 DenisChenu Note Edited: 50917
2019-03-12 15:32 DenisChenu Relationship added related to 14637
2019-03-12 15:32 DenisChenu Relationship deleted related to 14637
2019-03-12 15:32 DenisChenu Relationship added child of 14637
2019-03-12 15:35 DenisChenu Relationship added related to 12603
2019-03-12 15:35 DenisChenu Relationship deleted child of 14637
2019-03-12 15:35 DenisChenu Relationship added related to 14637
2019-03-12 15:35 DenisChenu Relationship added related to 14408
2019-03-12 15:40 DenisChenu Note Added: 50925
2019-03-12 15:44 ollehar Note Added: 50926
2019-03-12 16:32 ollehar Note Added: 50929
2019-03-12 17:48 DenisChenu Note Added: 50932
2019-03-13 08:47 DenisChenu Note Added: 50939
2019-03-13 09:00 DenisChenu Note Edited: 50939
2019-03-15 07:59 DenisChenu Relationship added related to 14643
2019-03-19 08:50 DenisChenu Issue Monitored: DenisChenu
2019-03-19 08:50 DenisChenu Note Added: 51046
2019-03-19 08:52 DenisChenu Note Added: 51047
2019-03-19 08:54 DenisChenu Note Edited: 51047
2019-03-27 12:19 DenisChenu Note Added: 51163
2019-04-08 16:05 DenisChenu Note Added: 51418
2022-09-26 18:38 DenisChenu Note Added: 71956
2023-02-03 18:03 ollehar Story point estimate => 0
2023-02-03 18:03 ollehar Users affected % => 10