Web Server and Programming Security
Dr. WenZhan Song, Associate Professor, Computer Science

Jan 03, 2016

Transcript
Page 1

Web Server and Programming Security

Dr. WenZhan Song

Associate Professor, Computer Science

Page 2

Data Security on Web Server

Page 3

Data Security on Drupal Server

Securing file permissions and ownership

The server file system should be configured so that the web server (e.g. Apache) does not have permission to edit or write the files which it then executes.

All of your files should be 'read only' for the Apache process, and owned with write permissions by a separate user.

Page 4

Configuration Example (Drupal)

The Apache process runs as a user called "www-data" that is in a group called "www-data". This user should be able to read all of the files in your Drupal directory, either by group permissions or by "other" permissions.

It should not have write permissions to the code in your Drupal directory.

If you use features of Drupal which require the "files" directory, then give the www-data user permission to write files only in that directory.

Page 5

Configuration Example (Drupal)

An example file listing of a safe configuration, for a site where uploaded files are stored in the "files" directory.

The command to see the file permissions set for your set-up is:

$ ls -al
drwxrwx---  7 www-data  greg-group 4096 2008-01-18 11:02 files/
drwxr-x--- 32 greg-user www-data   4096 2008-01-18 11:48 modules/
-rw-r-----  1 greg-user www-data    873 2007-11-13 15:35 index.php

Page 6

Configuration Example (Drupal)

The web server user has the ability to write in the files directory. Any user in the group "greg" can read and write the data as well. Other users are not allowed to interact with that data.

The "index.php" file (representative of all code files) can be edited by "greg" and can be read by the www-data group (assuming that the www-data user is in the www-data group).

No other users can read "index.php".

Page 7

Configuration Example (Drupal)

You generally don't want random users who have the ability to read files on your server to see inside those files.

Set the last three permission characters (the "other" bits) to --- instead of r-x.

Page 8

Configuration Example (Drupal)

Insecure configuration example. It allows the www-data user to edit the index.php file (and since it is representative of other files, we assume every file that makes up the Drupal site).

NOTE: THIS IS AN INSECURE CONFIGURATION

drwxrwx---  7 www-data  www-data 4096 2008-01-18 11:02 files/
drwxrwx--- 32 greg-user www-data 4096 2008-05-16 11:48 modules/
-rw-rw-rw-  1 www-data  www-data  873 2007-11-13 15:35 index.php

Page 9

Permissions' numeric equivalence

In Unix/Linux, permissions for files and directories can be specified by letters or numbers: "r" for read, "w" for write, and "x" for execute.

The numbers 4, 2, and 1 are the binary weights of these three bits, and correspond directly to read, write, and execute.

rwx == 111 binary == 7
r-- == 100 binary == 4
--- == 000 binary == 0

Page 10

Permissions' numeric equivalence

Three categories of possible users: the owner, members of a security group defined on the server, and everyone else.

Permissions are shown in the first column in alphabetic notation. The first character indicates the item type; each following group of three letters shows the permissions of one category (owner, group, other).

drwxr-x--- 10 joe  www-data 4096 Oct 15 14:15 ./
drwxr-xr-x 13 root root     4096 Oct 11 14:50 ../
-rw-r-----  1 joe  www-data 5267 Oct 12 22:47 .htaccess
drwxr-x---  4 joe  www-data 4096 Oct 15 14:23 includes/
-rw-r-----  1 joe  www-data  529 Aug  1 12:27 index.php

Page 11

Non-Numeric Permission Notation

Options:

"+" = add a permission to the ones already assigned
"-" = revoke a given permission, keeping the others already assigned
"=" = ignore the already assigned permissions and assign exactly the permissions specified

"u" = user (owner)
"g" = group
"o" = others
"a" = everybody (user, group, others)

Page 12

Non-Numeric Permission Notation

For files:
r = read
w = write
x = execute

For directories:
r = list (read directory contents)
w = write (create, delete or rename entries in the directory)
x = access the directory (i.e., cd into it or open entries inside it by name)

Page 13

Non-Numeric Permission Example

chmod commands and results for a file with permissions rwxrwx--- (770). Each row starts again from 770.

chmod human        chmod numeric   resulting permission
ugo=rwx            777             rwxrwxrwx
u-wx               470             r--rwx---
o+r                774             rwxrwxr--
g-wx,o+r           744             rwxr--r--
u-w,g-wx,o+r       544             r-xr--r--
g=,o=r             704             rwx---r--
a-wx               440             r--r-----

All files and directories created by the Apache server will be created with an owner that is the same user as is running httpd.
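The following is an added example, not part of the lecture: a small Python implementation of the symbolic chmod notation from Pages 11 to 13, applied to the same starting mode (770) to reproduce the table above, plus conversion between the rwxr-x--- listing notation of Pages 9 and 10 and the numeric form. It follows chmod(1)'s semantics for u/g/o/a and +/-/= on the nine rwx bits only; setuid/setgid/sticky are ignored, and a clause with no "who" (which real chmod subjects to the umask) is treated here as "a".

```python
# Added example: symbolic chmod semantics (u/g/o/a with +, -, =) and the
# letter/number conversions from the permission slides. Not part of the lecture.

BITS = {"r": 4, "w": 2, "x": 1}      # weights of the three permission bits
SHIFT = {"u": 6, "g": 3, "o": 0}     # owner, group, other are octal digits 3, 2, 1


def apply_symbolic(mode, spec):
    """Apply a chmod spec such as 'u-w,g-wx,o+r' to a numeric mode.

    Returns the new mode. Only the nine rwx bits are tracked; setuid/setgid/
    sticky bits and umask handling are left out for clarity.
    """
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who, op, perms = clause[:i], clause[i:i + 1], clause[i + 1:]
        if op not in ("+", "-", "="):
            raise ValueError(f"bad clause: {clause!r}")
        if not who or "a" in who:          # 'a' (or no who) means all three categories
            who = "ugo"
        value = sum(BITS[p] for p in perms)  # e.g. "wx" -> 3, "" -> 0
        for w in who:
            shift = SHIFT[w]
            if op == "+":
                mode |= value << shift
            elif op == "-":
                mode &= ~(value << shift)
            else:                           # '=' replaces the category outright; 'g=' clears it
                mode = (mode & ~(0o7 << shift)) | (value << shift)
    return mode & 0o777


def to_string(mode):
    """Render a numeric mode in listing notation, e.g. 0o750 -> 'rwxr-x---'."""
    groups = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 0o7
        groups.append("".join(letter if digit & bit else "-"
                              for letter, bit in (("r", 4), ("w", 2), ("x", 1))))
    return "".join(groups)


def from_string(text):
    """Parse 'rwxr-x---' (a leading type character such as 'd' is ignored) to a number."""
    text = text[-9:]
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for pos, ch in enumerate(text):
        if ch != "-":
            shift = 6 - 3 * (pos // 3)        # which category this position belongs to
            mode |= (4 >> (pos % 3)) << shift  # r=4, w=2, x=1 within the category
    return mode


# The lecture's table: every spec applied to the same starting mode, rwxrwx--- (770).
TABLE_SPECS = ["ugo=rwx", "u-wx", "o+r", "g-wx,o+r", "u-w,g-wx,o+r", "g=,o=r", "a-wx"]


def slide_table(start=0o770):
    """Return (spec, numeric, listing) rows reproducing the slide's table."""
    rows = []
    for spec in TABLE_SPECS:
        result = apply_symbolic(start, spec)
        rows.append((spec, f"{result:03o}", to_string(result)))
    return rows


if __name__ == "__main__":
    for spec, numeric, listing in slide_table():
        print(f"{spec:<14} {numeric}  {listing}")
```

Running the block prints the seven rows of the table above; from_string() accepts the first column of an ls -l line directly, which is handy when auditing a listing such as the ones on Pages 5 and 8.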

Page 14

Insecure permissions are a problem

If you allow your site to modify the files which form the code running your site, someone might take over your server.

Worst case scenario: a file upload tool in Drupal allows users to upload a file with any name and any contents. This allows a user to upload a mail relay PHP script to your site, which they can place wherever they want, turning your server into a machine to forward unsolicited commercial email.

This script could also be used to read every email address out of your database, or other personal information.

Page 15

Insecure permissions are a problem

Undesirable scenario I: the malicious user can upload a file with any name but cannot control the contents. They could easily upload a file which overwrites your index.php (or another critical file) and breaks your site.

Undesirable scenario II: the code allows users to see the contents of files. Attackers could see information which might reveal potential attack vectors.

Page 16

Linux Server Drupal Config Example

Changing the ownership and permissions on files and directories in the Drupal root directory.

Assume in the example that the user greg is part of the greg group and that user greg is the site owner.

Assume that you are running Drupal on a server that is not in a hosting environment that provides web-site hosting to multiple customers.

Page 17

Linux Server Drupal Config Example

Make sure to run these commands from inside Drupal's root directory.

The second command makes user greg the user-owner and group www-data the group-owner of all files and directories in the Drupal root directory, recursively.

The third command changes the permissions on every directory to read, write and access for user greg and read and access for users in the www-data group; other users get nothing (permissions 750).

The fourth command changes the permissions on every file to read and write for user greg and read only for the www-data group. Other users have no access to these files (permissions 640).

[root@localhost] cd /path_to_drupal_installation
[root@localhost] chown -R greg:www-data .
[root@localhost] find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
[root@localhost] find . -type f -exec chmod u=rw,g=r,o= '{}' \;

Page 18

Linux Server Drupal Config Example

For the "files" directory in sites/default:

The second command finds all subdirectories named files below the sites directory and changes their permissions to read, write, and access for the user-owner and the group-owner. All other users cannot read, write to, or access these files subdirectories (permissions 770).

The "for" loop gives read, write, and access (770) permissions to user greg and group www-data on all subdirectories below each files directory, and read and write (660) on the files within them; other users get no access.

[root@localhost] cd /path_to_drupal_installation/sites
[root@localhost] find . -type d -name files -exec chmod ug=rwx,o= '{}' \;
[root@localhost] for d in ./*/files
do
    find "$d" -type d -exec chmod ug=rwx,o= '{}' \;
    find "$d" -type f -exec chmod ug=rw,o= '{}' \;
done

Page 19

Special Considerations for settings.php

Default users:
drupal_admin: the user on the server that administrates Drupal; not necessarily root.
site_admin: the owner of the hosted site (a customer).

Ownership:
Core modules/themes files and directories: drupal_admin:www-data
Hosted sites modules/themes/files files and directories: site_admin:www-data

Page 20

Special Considerations for settings.php

Permissions:
Core modules/themes directories: rwxr-x---
Core modules/themes files: rw-r-----
Hosted sites modules/themes directories: rwxr-x---
Hosted sites modules/themes files: rw-r-----
Hosted sites "files" directory: rwxrwx---
Hosted sites files under "files" directories: rw-rw----
Hosted sites subdirectories under "files" directories: rwxrwx---
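As an added example (not the lecture's own commands), the permission scheme of Pages 17 to 20 in Python: it builds a small constructed Drupal-like tree in a temporary directory with the insecure rw-rw-rw- modes of Page 8, audits it, applies 750/640 to code and 770/660 under sites/*/files, and audits again. Ownership (chown -R greg:www-data) needs root and is left to the shell, so the audit reasons about mode bits only and assumes, as the slides do, that the web server reaches the code through the group bits: group-writable code and any "other" access count as violations.

```python
# Added example: apply and audit the Drupal permission scheme from the slides
# (code: dirs 750 / files 640; sites/*/files: dirs 770 / files 660).
# Not part of the lecture; modes only, ownership is left to chown as root.
import os
import stat
import tempfile

CODE_DIR, CODE_FILE = 0o750, 0o640   # rwxr-x--- / rw-r-----
DATA_DIR, DATA_FILE = 0o770, 0o660   # rwxrwx--- / rw-rw----


def is_files_tree(path, root):
    """True for sites/<site>/files and everything below it (the upload area)."""
    parts = os.path.relpath(path, root).split(os.sep)
    return len(parts) >= 3 and parts[0] == "sites" and parts[2] == "files"


def mode_of(path):
    """Permission bits of path, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def apply_scheme(root):
    """Python equivalent of the slides' find ... -exec chmod commands."""
    for dirpath, _dirnames, filenames in os.walk(root):
        uploads = is_files_tree(dirpath, root)
        os.chmod(dirpath, DATA_DIR if uploads else CODE_DIR)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), DATA_FILE if uploads else CODE_FILE)


def audit(root):
    """Return (path, problem) pairs for every entry that breaks the scheme."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        uploads = is_files_tree(dirpath, root)
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        for path in entries:
            mode = mode_of(path)
            if mode & 0o007:
                problems.append((path, "accessible to 'other'"))
            elif not uploads and mode & stat.S_IWGRP:
                # The web server is in the group: group-writable code means a
                # compromised httpd can rewrite the code it executes (Page 8).
                problems.append((path, "code writable by the web server group"))
    return problems


def build_sample_site(root):
    """Constructed Drupal-like layout with the insecure rw-rw-rw- modes of Page 8."""
    layout = [
        "index.php",
        "modules/node/node.module",
        "sites/default/settings.php",
        "sites/default/files/upload.png",
        "sites/default/files/css/style.css",
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n" if rel.endswith(".php") else "sample\n")
        os.chmod(path, 0o666)
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o777)


def demo():
    """Build the sample site in a temp dir, audit it, harden it, audit again."""
    root = tempfile.mkdtemp(prefix="drupal-perms-")
    build_sample_site(root)
    before = audit(root)
    apply_scheme(root)
    after = audit(root)
    return root, before, after


if __name__ == "__main__":
    root, before, after = demo()
    print(f"{len(before)} problem(s) before hardening, {len(after)} after, in {root}")
    for path, why in before:
        print(f"  {why}: {os.path.relpath(path, root)}")
```

On a real site the same audit() can be pointed at the Drupal root after the chown/chmod commands above; anything it lists is either world-accessible or code the www-data group could rewrite.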

Page 21

SQL Injection Attack

Page 22

SQL Injection Attacks

An SQL query is not a trusted command. SQL queries are able to circumvent access controls, and so bypass standard authentication and authorization checks. Sometimes SQL queries may even allow access to host operating system level commands.

Direct SQL command injection is accomplished by the application taking user input and combining it with static parameters to build an SQL query.

Page 23

SQL Injection Attacks

A subset of the unverified/unsanitized user input vulnerability: the attacker convinces the application to run SQL code that was not intended.

Extreme case: the application is creating SQL strings naively on the fly and then running them. It is then straightforward to create some real surprises.

Page 24

Example #1: Splitting the result set into pages ... and making superusers (PostgreSQL)

Normal users click on the 'next' and 'prev' links, where the $offset is encoded into the URL. $offset should be a decimal number.

Page 25

Example #1

Break in by appending a urlencode()'d form of the following to the URL. The script would present superuser access to the attacker.

Note that 0; is there to supply a valid offset to the original query and to terminate it.

Page 26

Example #1

The filters can commonly be set in a preceding form to customize the WHERE, ORDER BY, LIMIT and OFFSET clauses in SELECT statements.

If your database supports the UNION construct, the attacker may try to append an entire query to the original one to list passwords from an arbitrary table.

Storing passwords only as salted hashes rather than in clear text is strongly encouraged, so that a leaked table does not hand the attacker working credentials.

Page 27

Example #2: Listing out articles ... and some passwords (any database server)

The static part of the query can be combined with another SELECT statement which reveals all passwords.

Page 28

Example #2

If such a query (playing with the ' and --) were assigned to one of the variables used in $query, the query beast is awakened.

UPDATEs are also susceptible to attack. These queries are also threatened by chopping and appending an entirely new query to them, and the attacker might fiddle with the SET clause.

Page 29

Example #3: From resetting a password ... to gaining more privileges (any database server)

The attacks can be:
Submit the value ' or uid like '%admin% as $uid to change the admin's password.
Set $pwd to hehehe', trusted=100, admin='yes to gain more privileges.

Page 30

Example #3

Page 31

Example #4: Attacking the database host's operating system (MSSQL Server)

If the attacker submits the value a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- to $prod, then the $query will be:

Page 32

Example #4

MSSQL Server executes the SQL statements in the batch, including a command to add a new user to the local accounts database.

If this application were running as sa and the MSSQLSERVER service is running with sufficient privileges, the attacker would now have an account with which to access this machine.

Page 33

Example #4

A similar attack is possible against products other than MSSQL; the database server may be vulnerable in another manner.

Page 34

Avoidance Techniques

An attacker must possess at least some knowledge of the database architecture in order to conduct a successful attack. Obtaining this information is often very simple: if the database is part of an open source or other publicly-available software package with a default installation, this information is completely open and available.

This information may also be divulged by closed-source code, even if it's encoded, obfuscated, or compiled, and even by your very own code through the display of error messages.

Other methods include the use of common table and column names.

Page 35

Avoidance Techniques

Never connect to the database as a superuser or as the database owner. Always use customized users with very limited privileges.

Use prepared statements with bound variables. They are provided by PDO, by MySQLi and by other libraries.

Check if the given input has the expected data type. Verify numerical data input with ctype_digit(), or silently change its type using settype(), or use its numeric representation by sprintf().

Page 36

Avoidance Techniques

A more secure way to compose a query for paging.
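Added example (not the lecture's PHP, which is not reproduced in this transcript): Examples #2 and #3 from Pages 27 to 30 rebuilt in Python against an in-memory SQLite database, each vulnerable function beside its prepared-statement version from Page 35, plus the ctype_digit()-style numeric check that Pages 24 to 26 and 36 call for on the paging offset of Example #1. The schema, rows and the UNION payload are constructed for the demo; the two Example #3 payloads are the ones quoted on Page 29. SQLite's execute() refuses stacked statements, so the "0; ..." style of Example #1 is shown only as input that the numeric check rejects.

```python
# Added example: the lecture's SQL injection Examples #2 and #3 against SQLite,
# with the bound-parameter fix and a numeric check for the paging offset.
# Not part of the lecture; schema, rows and the UNION payload are constructed.
import sqlite3


def make_db():
    """Constructed sample schema: a products table to search and a users table to leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, inserted TEXT, size TEXT);
        CREATE TABLE users (uid TEXT, pwd TEXT, admin TEXT, trusted INTEGER);
        INSERT INTO products VALUES (1, 'socks', '2008-01-18', 'M'),
                                    (2, 'hat',   '2008-01-18', 'L');
        INSERT INTO users VALUES ('admin', 's3cret',  'yes', 100),
                                 ('bob',   'hunter2', 'no',  0);
    """)
    return conn


def get_user(conn, uid):
    """(uid, pwd, admin, trusted) for one user, fetched with a bound parameter."""
    return conn.execute(
        "SELECT uid, pwd, admin, trusted FROM users WHERE uid = ?", (uid,)
    ).fetchone()


# --- Example #2: listing out articles ... and some passwords -----------------
def search_vulnerable(conn, size):
    # The user-supplied value is pasted straight into the SQL text.
    query = f"SELECT id, name, inserted, size FROM products WHERE size = '{size}'"
    return conn.execute(query).fetchall()


def search_safe(conn, size):
    # Bound parameter: the value travels separately from the SQL text, so quotes
    # and keywords inside it can never change the statement's structure.
    return conn.execute(
        "SELECT id, name, inserted, size FROM products WHERE size = ?", (size,)
    ).fetchall()


# Closes the string, appends a UNION over the users table, comments out the rest.
UNION_PAYLOAD = "' UNION SELECT 1, uid || '-' || pwd, '1971-01-01', '0' FROM users -- "


# --- Example #3: from resetting a password ... to gaining more privileges ----
def reset_password_vulnerable(conn, uid, pwd):
    conn.execute(f"UPDATE users SET pwd = '{pwd}' WHERE uid = '{uid}'")


def reset_password_safe(conn, uid, pwd):
    conn.execute("UPDATE users SET pwd = ? WHERE uid = ?", (pwd, uid))


UID_PAYLOAD = "' or uid like '%admin%"              # widens the WHERE clause (Page 29)
PWD_PAYLOAD = "hehehe', trusted=100, admin='yes"    # extends the SET clause (Page 29)


# --- Example #1 / Page 35: check the type of numeric input before it is used --
def page_safe(conn, offset):
    """Paging query: offset must be a string of decimal digits (ctype_digit() equivalent)."""
    if not (isinstance(offset, str) and offset.isdigit()):
        raise ValueError("offset must be a decimal number")
    return conn.execute(
        "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET ?", (int(offset),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, UNION_PAYLOAD))   # leaks admin-s3cret and bob-hunter2
    print(search_safe(db, UNION_PAYLOAD))         # [] : no product has that "size"
    reset_password_vulnerable(db, UID_PAYLOAD, "hehehe")
    print(get_user(db, "admin"))                  # admin's password is now hehehe
    reset_password_vulnerable(db, "bob", PWD_PAYLOAD)
    print(get_user(db, "bob"))                    # bob is now admin with trusted=100
```

The safe variants treat every payload as an opaque value: search_safe() returns no rows for the UNION string, reset_password_safe() stores the literal text "hehehe', trusted=100, admin='yes" as bob's password without touching the admin or trusted columns, and page_safe() raises before any SQL is run.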

Page 37

Avoidance Techniques

If the database layer doesn't support binding variables, then quote each non-numeric user-supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.). The old mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7; the equivalents are mysqli_real_escape_string() and PDO::quote(), and prepared statements remain the better choice.

Generic functions like addslashes() are useful only in a very specific environment (e.g. MySQL in a single-byte character set with NO_BACKSLASH_ESCAPES disabled), so it is better to avoid them.

Page 38

Avoidance Techniques

Do not print out any database-specific information, especially about the schema, by fair means or foul. See also Error Reporting and the Error Handling and Logging Functions.

You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has other impacts.

Page 39

Secure Your Apache Web Server

Page 40

Disable unnecessary modules

If you are planning to install Apache from source, disable the following modules. You can use ./configure --help to see the modules.

a. userdir – Mapping of requests to user-specific directories, i.e. ~username in the URL will get translated to a directory on the server
b. autoindex – Displays a directory listing when no index.html file is present
c. status – Displays server stats
d. env – Clearing/setting of ENV vars
e. setenvif – Placing ENV vars on headers
f. cgi – CGI scripts
g. actions – Action triggering on requests
h. negotiation – Content negotiation
i. alias – Mapping of requests to different filesystem parts
j. include – Server Side Includes
k. filter – Smart filtering of requests
l. version – Handling version information in config files using IfVersion
m. as-is – as-is filetypes

Page 41

Disable unnecessary modules

Disable all of the above modules as shown below when you run ./configure.

Page 42

Run Apache as a separate user and group

Apache runs as nobody or daemon by default. Run Apache in its own non-privileged account.

Create the apache group and user:

groupadd apache
useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache

Modify httpd.conf and set User and Group appropriately:

vi httpd.conf
User apache
Group apache

Make sure Apache is running as "apache". The single root entry is the parent process, which keeps root only to bind the listening port and spawn the workers; every worker that handles requests must show up as apache:

ps -ef | grep -i http | awk '{print $1}'
root
apache
apache
apache
apache
apache

Page 43

Restrict access to the root directory

Use Allow and Deny. Secure the root directory by setting the following in httpd.conf:

<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>

Options None – Set this to None, which will not enable any optional extra features.

Order deny,allow – This is the order in which the "Deny" and "Allow" directives should be processed. This processes the "deny" first and "allow" next.

Deny from all – This denies requests from everybody to the root directory. There is no Allow directive for the root directory, so nobody can access it.

Order, Allow and Deny are the Apache 2.2 access-control syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent of this block is "Require all denied".

Page 44

Set appropriate permissions for the conf and bin directories

The bin and conf directories should be viewed only by authorized users. Create a group (e.g. apacheadmin), add all users who are allowed to view/modify configuration files to this group, and allow access to the bin and conf directories for this group:

groupadd apacheadmin

chown -R root:apacheadmin /usr/local/apache2/bin
chmod -R 770 /usr/local/apache2/bin
chown -R root:apacheadmin /usr/local/apache2/conf
chmod -R 770 /usr/local/apache2/conf

vi /etc/group
apacheadmin:x:1121:ramesh,john

Note that chmod -R 770 also sets the execute bit on every file under conf; 750 on the directories and 660 on the files gives the group the same read/modify access without marking configuration files executable.

Page 45

Disable Directory Browsing

Prevent users from seeing all the files/dirs under your root. E.g., if they go to http://{your-ip}/images/ and you don't have an index.html under images, they'll see all the image files (and the sub-directories) listed in the browser (just like ls -1 output).

To disable directory browsing, set the value of the Options directive to "None" or "-Indexes":

<Directory />
    Options None
    Order allow,deny
    Allow from all
</Directory>

(or)

<Directory />
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>

Page 46

Don't allow .htaccess

Using a .htaccess file inside a specific sub-directory under htdocs (or anywhere outside it), users can override the default Apache directives. Do not allow users to use .htaccess:

<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Page 47

Disable other Options

Available values for the Options directive:

Options All – All options are enabled (except MultiViews). If you don't specify an Options directive, this is the default value.
Options ExecCGI – Execute CGI scripts (uses mod_cgi).
Options FollowSymLinks – If you have symbolic links in this directory, they will be followed.
Options Includes – Allow server side includes (uses mod_include).
Options IncludesNOEXEC – Allow server side includes without the ability to execute a command or CGI.
Options Indexes – Allow directory listing.
Options MultiViews – Allow content negotiated multiviews (uses mod_negotiation).
Options SymLinksIfOwnerMatch – Similar to FollowSymLinks, but a link is followed only when the owner of the link and the owner of the target it points to are the same.

Never specify 'Options All'. You can combine multiple options in one line:

Options Includes FollowSymLinks

Page 48

Disable other Options

The + and - in front of an option value are helpful when you have nested directories and would like to override an option from the parent Directory directive. In this example, the /site directory has both Includes and Indexes:

<Directory /site>
    Options Includes Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

For the /site/en directory, if you need only Indexes from /site (and not Includes), and want FollowSymLinks only in this directory, do the following. /site will have Includes and Indexes; /site/en will have Indexes and FollowSymLinks:

<Directory /site/en>
    Options -Includes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Either use the +/- form for every value on an Options line or for none of them; Apache rejects a line that mixes the two.

Page 49

Remove unwanted DSO modules

Dynamic shared object modules are present inside httpd.conf under the "LoadModule" directive. Statically compiled Apache modules are not listed as "LoadModule" directives.

Comment out any unwanted "LoadModule" lines in httpd.conf. To list them:

grep LoadModule /usr/local/apache2/conf/httpd.conf

Page 50

Restrict access to a specific network (or IP address)

Only if you want your site to be viewed only by a specific IP address or network. To allow a specific network to access your site, give the network address in the Allow directive:

<Directory /site>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.10.0.0/24
</Directory>

To allow a specific IP address to access your site, give the IP address in the Allow directive:

<Directory /site>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.10.1.21
</Directory>

Page 51

Don't display or send the Apache version

By default, the server HTTP response header contains the Apache and PHP versions:

Server: Apache/2.2.17 (Unix) PHP/5.3.5

This is harmful, as we don't want an attacker to know the specific version number. To avoid this, set ServerTokens to Prod in httpd.conf. This will display "Server: Apache" without any version information:

vi httpd.conf
ServerTokens Prod

Possible ServerTokens values:
ServerTokens Prod displays "Server: Apache"
ServerTokens Major displays "Server: Apache/2"
ServerTokens Minor displays "Server: Apache/2.2"
ServerTokens Min displays "Server: Apache/2.2.17"
ServerTokens OS displays "Server: Apache/2.2.17 (Unix)"
ServerTokens Full displays "Server: Apache/2.2.17 (Unix) PHP/5.3.5" (if you don't specify any ServerTokens value, this is the default)

Set ServerSignature Off as well, so that server-generated error pages do not print the version, and treat both settings as hygiene rather than protection: the version can still be fingerprinted from the server's behaviour.
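Added example, not from the lecture: a Python audit that reads an httpd.conf and reports the settings Pages 40 to 51 tell you to change (User/Group left as nobody/daemon, ServerTokens other than Prod, LoadModule lines for the modules listed on Page 40, Options All/Indexes/Includes/ExecCGI/FollowSymLinks inside a <Directory> block, AllowOverride other than None). The two configuration fragments are constructed, one weak and one hardened, and the parser handles only the subset of httpd.conf syntax they use (flat <Directory> blocks; no Include files, no <IfModule> nesting).

```python
# Added example: audit an httpd.conf for the weak settings discussed on the
# Apache slides. Not part of the lecture; the config fragments are constructed.
import re

# Modules Page 40 says to leave out of a source build (as named in LoadModule
# lines, without the "_module" suffix; mod_asis is listed there as "as-is").
UNWANTED_MODULES = {"userdir", "autoindex", "status", "env", "setenvif", "cgi",
                    "actions", "negotiation", "alias", "include", "filter",
                    "version", "asis"}
# Option values Pages 45 to 48 tell you not to enable.
RISKY_OPTIONS = {"All", "Indexes", "Includes", "ExecCGI", "FollowSymLinks"}

WEAK_CONF = """\
User nobody
Group nobody
ServerTokens Full
LoadModule userdir_module modules/mod_userdir.so
LoadModule autoindex_module modules/mod_autoindex.so
<Directory />
    Options All
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Directory /site/en>
    Options -Includes +FollowSymLinks Indexes
    AllowOverride None
</Directory>
"""

HARDENED_CONF = """\
User apache
Group apache
ServerTokens Prod
LoadModule rewrite_module modules/mod_rewrite.so
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
"""


def parse(conf):
    """Split a config into global directives and per-<Directory> directives.

    Each directive is a (name, [args]) pair. Only flat <Directory> blocks are
    understood, which is all the constructed fragments above need.
    """
    global_directives, blocks, current = [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Directory\s+(\S+)\s*>", line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            blocks.setdefault(current, [])
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        name, _, rest = line.partition(" ")
        target = global_directives if current is None else blocks[current]
        target.append((name, rest.split()))
    return global_directives, blocks


def audit(conf):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    findings = []
    global_directives, blocks = parse(conf)
    by_name = {name.lower(): args for name, args in global_directives}

    for who in ("User", "Group"):                             # Page 42
        value = (by_name.get(who.lower()) or ["(unset)"])[0]
        if value in ("(unset)", "nobody", "daemon"):
            findings.append(f"{who} is {value}; run httpd under its own account")

    tokens = (by_name.get("servertokens") or ["Full"])[0]     # Full is Apache's default
    if tokens != "Prod":                                      # Page 51
        findings.append(f"ServerTokens {tokens} leaks version information; use Prod")

    for name, args in global_directives:                      # Pages 40 and 49
        if name.lower() == "loadmodule" and args:
            if re.sub(r"_module$", "", args[0]) in UNWANTED_MODULES:
                findings.append(f"LoadModule {args[0]}: unnecessary module, comment it out")

    for path, directives in blocks.items():                   # Pages 43 to 48
        for name, args in directives:
            if name.lower() == "options":
                # "+X" enables, "-X" disables, bare "X" sets; only enabled ones matter.
                enabled = {a.lstrip("+") for a in args if not a.startswith("-")}
                for opt in sorted(enabled & RISKY_OPTIONS):
                    findings.append(f"<Directory {path}>: Options {opt} enabled")
            elif name.lower() == "allowoverride" and args and args[0] != "None":
                findings.append(f"<Directory {path}>: AllowOverride {args[0]} "
                                "lets .htaccess override the server config")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

To run it against a real server, replace the constructed string with open("/usr/local/apache2/conf/httpd.conf").read(); on a configuration that uses Include, feed it each included file in turn, since the parser above does not follow them.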