Web Server and Programming Security
Dr. WenZhan Song
Associate Professor, Computer Science
Data Security on Web Server
Data Security on Drupal Server
Securing file permissions and ownership
The server file system should be configured so that the web server process (e.g. Apache) does not have permission to edit or write the files which it then executes.
All of your files should be read-only for the Apache process, and owned, with write permissions, by a separate user.
Configuration Example (Drupal)
The Apache process runs as a user called "www-data" that is in a group called "www-data". This user should be able to read all of the files in your Drupal directory, either through group permissions or through "other" permissions.
It should not have write permissions to the code in your Drupal directory.
If you use features of Drupal which require the "files" directory, then give the www-data user permission to write files only in that directory.
Configuration Example (Drupal)
An example file listing of a safe configuration: two files in a site where uploaded files are stored in the "files" directory.
The command to see the file permissions set for your set-up is:
$ ls -al
drwxrwx---  7 www-data  greg-group 4096 2008-01-18 11:02 files/
drwxr-x--- 32 greg-user www-data   4096 2008-01-18 11:48 modules/
-rw-r-----  1 greg-user www-data    873 2007-11-13 15:35 index.php
Configuration Example (Drupal)
The web server user has the ability to write in the files directory. Any user in the group "greg" can read and write the data as well. Other users are not allowed to interact with that data.
The "index.php" file (representative of all code files) can be edited by "greg" and can be read by the www-data group (assuming that the www-data user is in the www-data group). No other users can read "index.php".
Configuration Example (Drupal)
You generally don't want random users who have the ability to read files on your server to see inside those files.
Set the last three permissions to --- instead of r-x.
Configuration Example (Drupal)
Insecure configuration example: it allows the www-data user to edit the index.php file (and since it is representative of other files, we assume every file that makes up the Drupal site).
NOTE: THIS IS AN INSECURE CONFIGURATION
drwxrwx---  7 www-data  www-data 4096 2008-01-18 11:02 files/
drwxrwx--- 32 greg-user www-data 4096 2008-05-16 11:48 modules/
-rw-rw-rw-  1 www-data  www-data  873 2007-11-13 15:35 index.php
Permissions' numeric equivalence
In Unix/Linux, permissions for files and directories can be specified by letters or numbers: "r" for read, "w" for write, and "x" for execute.
The values 4, 2, and 1 are the conversions of these bits from binary, and correspond directly to read, write, and execute.
rwx == 111 binary == 7
r-- == 100 binary == 4
--- == 000 binary == 0
Permissions' numeric equivalence
Three categories of possible users:
owners
members of a security group defined on the server
everyone else
Permissions are shown in the first column in alphabetic notation. The first character indicates the item type; the next nine letters, in three groups of three, show the permissions of the different categories.
drwxr-x--- 10 joe  www-data 4096 Oct 15 14:15 ./
drwxr-xr-x 13 root root     4096 Oct 11 14:50 ../
-rw-r-----  1 joe  www-data 5267 Oct 12 22:47 .htaccess
drwxr-x---  4 joe  www-data 4096 Oct 15 14:23 includes/
-rw-r-----  1 joe  www-data  529 Aug  1 12:27 index.php
Non-Numeric Permission Notation
Options:
"+" = add a permission to the ones already assigned
"-" = revoke a given permission, maintaining the others already assigned
"=" = ignore the already assigned permissions and assign only the permissions specified
"u" = user
"g" = group
"o" = others
"a" = everybody (user, group, others)
Non-Numeric Permission Notation
For files:
r = read
w = write
x = execute
For directories:
r = list (read directory contents)
w = write
x = can access the directory (i.e., cd to the directory)
Non-Numeric Permission Example
chmod commands and results for a file with permissions rwxrwx--- (770):
chmod human      chmod numeric   resulting permission
ugo=rwx          777             rwxrwxrwx
u-wx             470             r--rwx---
o+r              774             rwxrwxr--
g-wx,o+r         744             rwxr--r--
u-w,g-wx,o+r     544             r-xr--r--
g=,o=r           704             rwx---r--
a-wx             440             r--r-----
All files and directories created by the Apache server will be created with an owner that is the same user as is running httpd.
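The numeric/symbolic correspondence and the chmod table above can be modelled in a few lines. The following Python is an added example, not code from the lecture slides: it converts between the rwx letters and the octal digits, applies symbolic chmod clauses (u/g/o/a with +, - and =) to a mode, and reproduces the slide's table starting from 770. Function names and sample modes are constructed for the illustration.

```python
# Added example, not from the lecture slides: a small model of how chmod's
# symbolic notation (u/g/o/a combined with +, - and =) maps onto the numeric
# rwx bits. Function names and the sample modes below are constructed for
# this illustration.

READ, WRITE, EXEC = 4, 2, 1                 # bit values of r, w, x
BITS = {"r": READ, "w": WRITE, "x": EXEC}
SHIFT = {"u": 6, "g": 3, "o": 0}            # bit offset of each user class


def to_symbolic(mode: int) -> str:
    """Render a numeric mode such as 0o770 as 'rwxrwx---'."""
    out = []
    for shift in (6, 3, 0):                 # user, group, other triplets
        triplet = (mode >> shift) & 0o7
        for letter, bit in BITS.items():
            out.append(letter if triplet & bit else "-")
    return "".join(out)


def to_numeric(symbolic: str) -> int:
    """Parse 'rwxr-x---' into the numeric mode 0o750."""
    if len(symbolic) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(symbolic):
        if ch == "-":
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected {ch!r} at position {i}")
        mode |= BITS[ch] << (6 - 3 * (i // 3))
    return mode


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod spec such as 'u-w,g-wx,o+r' to mode and return the result.

    Each comma-separated clause is [who][op][perms]: who is any of u, g, o, a
    (defaulting to a), op is +, - or =, perms is any subset of rwx.
    """
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        who, op, perms = clause[:i] or "a", clause[i], clause[i + 1:]
        classes = "ugo" if "a" in who else who
        bits = 0
        for p in perms:
            bits |= BITS[p]                 # KeyError on anything but r, w, x
        for c in classes:
            shifted = bits << SHIFT[c]
            if op == "+":
                mode |= shifted
            elif op == "-":
                mode &= ~shifted
            else:                           # "=" replaces the whole triplet
                mode = (mode & ~(0o7 << SHIFT[c])) | shifted
    return mode & 0o777


def chmod_table(start: int, specs) -> list:
    """Reproduce the slide's table: (spec, octal result, symbolic result)."""
    rows = []
    for spec in specs:
        result = apply_symbolic(start, spec)
        rows.append((spec, format(result, "03o"), to_symbolic(result)))
    return rows


if __name__ == "__main__":
    for row in chmod_table(0o770, ["ugo=rwx", "u-wx", "o+r", "g-wx,o+r",
                                    "u-w,g-wx,o+r", "g=,o=r", "a-wx"]):
        print("%-14s %s  %s" % row)
```

Running the block prints the same seven rows as the slide's table, which is a convenient way to check a proposed chmod clause before applying it to a live tree.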
Insecure permissions are a problem
If you allow your site to modify the files which form the code running your site, someone might take over your server.
Worst case scenario: a file upload tool in Drupal allows users to upload a file with any name and any contents. This allows a user to upload a mail relay PHP script to your site, which they can place wherever they want, turning your server into a machine to forward unsolicited commercial email.
This script could also be used to read every email address out of your database, or other personal information.
Insecure permissions are a problem
Undesirable scenario I: the malicious user can upload a file with any name but not control the contents. They could easily upload a file which overwrites your index.php (or another critical file) and breaks your site.
Undesirable scenario II: the code allows users to see the contents of files. Attackers could see information which might reveal potential attack vectors.
Linux Server Drupal Config Example
Changing the ownership and permissions on files and directories in the Drupal root directory.
Assume in the example that the user greg is part of the greg group and that user greg is the site owner.
Assume that you are running Drupal on a server that is not in a hosting environment that provides web-site hosting to multiple customers.
Linux Server Drupal Config Example
Make sure to run these commands from inside Drupal's root directory.
The second command makes user greg the user-owner and group www-data the group-owner of all files and directories in the Drupal root directory, recursively.
The third command changes the permissions to read, write and access for user greg and read and access for users in the www-data group, for all the directories in the Drupal root directory, recursively (permissions 750).
The fourth command changes the permissions on the files to read and write for user greg and read only for the www-data group. Other users have no access to these files (permissions 640).
[root@localhost] cd /path_to_drupal_installation
[root@localhost] chown -R greg:www-data .
[root@localhost] find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
[root@localhost] find . -type f -exec chmod u=rw,g=r,o= '{}' \;
Linux Server Drupal Config Example
For the "files" directory in sites/default:
The second command finds all subdirectories named files below the sites directory and changes their permissions to read, write, and access for the user-owner and the group-owner. All other users cannot read, write to, or access these files subdirectories.
The "for" loop is a script which gives read, write, and access (770) permissions to user greg and group www-data on all subdirectories, and read and access (550) on files within the files directory; but no access to other users.
[root@localhost] cd /path_to_drupal_installation/sites
[root@localhost] find . -type d -name files -exec chmod ug=rwx,o= '{}' \;
[root@localhost] for d in ./*/files
do
  find "$d" -type d -exec chmod ug=rwx,o= '{}' \;
  find "$d" -type f -exec chmod ug=rw,o= '{}' \;
done
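The two slides above describe one procedure: code directories 750, code files 640, and the upload tree under "files" 770/660. The Python below is an added example, not the lecture's own commands: it applies that scheme with os.walk and, more usefully for a defender, audits a tree afterwards for the two mistakes the earlier slides call out (entries that "other" can touch, and code outside the upload tree that the web server's group could write, as in the insecure index.php listing). The chown to greg:www-data is left out so it runs without root, and the miniature site layout is constructed in a temporary directory for the demonstration.

```python
# Added example, not from the lecture slides: apply the slides' Drupal
# permission scheme to a directory tree with Python and audit the result.
# Code directories get 750 and code files 640; anything below an upload
# directory named "files" gets 770 / 660. The chown to greg:www-data is
# deliberately left out so the example runs without root; the miniature
# site layout built by build_sample_site() is constructed for the demo.
import os
import stat
import tempfile

CODE_DIR, CODE_FILE = 0o750, 0o640          # rwxr-x--- / rw-r-----
UPLOAD_DIR, UPLOAD_FILE = 0o770, 0o660      # rwxrwx--- / rw-rw----


def mode_of(root: str, rel: str) -> int:
    """Permission bits of root/rel as an int, e.g. 0o640 (rel uses '/')."""
    path = os.path.join(root, *rel.split("/"))
    return stat.S_IMODE(os.lstat(path).st_mode)


def _under_uploads(root: str, dirpath: str, upload_dirname: str) -> bool:
    rel = os.path.relpath(dirpath, root)
    return upload_dirname in rel.split(os.sep)


def harden_tree(root: str, upload_dirname: str = "files") -> None:
    """Equivalent of the slides' find/chmod commands, applied with os.walk."""
    for dirpath, _dirnames, filenames in os.walk(root):
        uploads = _under_uploads(root, dirpath, upload_dirname)
        os.chmod(dirpath, UPLOAD_DIR if uploads else CODE_DIR)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name),
                     UPLOAD_FILE if uploads else CODE_FILE)


def audit_tree(root: str, upload_dirname: str = "files") -> list:
    """Report entries that break the scheme: anything 'other' can touch,
    and code (outside the upload tree) that the web server's group could
    write, which is the insecure index.php case from the slides."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        uploads = _under_uploads(root, dirpath, upload_dirname)
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        for path in entries:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IRWXO:
                findings.append((rel, "accessible to other users"))
            elif not uploads and mode & stat.S_IWGRP:
                findings.append((rel, "group-writable code file or directory"))
    return findings


def build_sample_site() -> str:
    """Constructed miniature Drupal layout, deliberately left world-writable
    so that audit_tree() has something to find before harden_tree() runs."""
    root = tempfile.mkdtemp(prefix="drupal-demo-")
    dirs = ["modules", "sites", "sites/default", "sites/default/files",
            "sites/default/files/pictures"]
    files = ["index.php", "modules/node.module", "sites/default/settings.php",
             "sites/default/files/logo.png", "sites/default/files/pictures/a.jpg"]
    for d in dirs:
        path = os.path.join(root, *d.split("/"))
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o777)
    for f in files:
        path = os.path.join(root, *f.split("/"))
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, 0o666)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("before:", audit_tree(site))
    harden_tree(site)
    print("after:", audit_tree(site))
    print("index.php is now %o" % mode_of(site, "index.php"))
```

Running audit_tree() on a real installation (as a cron job, for instance) catches the drift that the "Insecure configuration example" slide shows, where a deployment step has left index.php writable by the web server.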
Special Considerations for settings.php
Default users:
drupal_admin: the user on the server that administrates Drupal; not necessarily root.
site_admin: the owner of the hosted site (a customer).
Ownership:
Core modules/themes files and directories: drupal_admin:www-data
Hosted sites modules/themes/files files and directories: site_admin:www-data
Special Considerations for settings.php
Permissions:
Core modules/themes directories: rwxr-x---
Core modules/themes files: rw-r-----
Hosted sites modules/themes directories: rwxr-x---
Hosted sites modules/themes files: rw-r-----
Hosted sites "files" directory: rwxrwx---
Hosted sites files under "files" directories: rw-rw----
Hosted sites subdirectories under "files" directories: rwxrwx---
SQL Injection Attack
SQL Injection Attacks
An SQL query is not a trusted command.
SQL queries are able to circumvent access controls, bypassing standard authentication and authorization checks.
Sometimes SQL queries may even allow access to host operating system level commands.
Direct SQL Command Injection is accomplished by the application taking user input and combining it with static parameters to build an SQL query.
SQL Injection Attacks
A subset of the unverified/unsanitized user input vulnerability: convince the application to run SQL code that was not intended.
Extreme case: the application is creating SQL strings naively on the fly and then running them. It is straightforward to create some real surprises.
Example #1
Splitting the result set into pages ... and making superusers (PostgreSQL)
Normal users click on the 'next' and 'prev' links, where the $offset is encoded into the URL. $offset should be a decimal number.
Example #1
Break in by appending a urlencode()'d form of the following to the URL. The script would present superuser access to the attacker.
Note that 0; is to supply a valid offset to the original query and to terminate it.
Example #1
The filters can commonly be set in a preceding form to customize the WHERE, ORDER BY, LIMIT and OFFSET clauses in SELECT statements.
If your database supports the UNION construct, the attacker may try to append an entire query to the original one to list passwords from an arbitrary table.
Using encrypted password fields is strongly encouraged.
Example #2
Listing out articles ... and some passwords (any database server)
The static part of the query can be combined with another SELECT statement which reveals all passwords.
Example #2
If this query (playing with the ' and --) were assigned to one of the variables used in $query, the query beast would be awakened.
UPDATEs are also susceptible to attack. These queries are also threatened by chopping and appending an entirely new query to them. The attacker might fiddle with the SET clause.
Example #3
From resetting a password ... to gaining more privileges (any database server)
The attacks can be:
Submitting the value ' or uid like'%admin% to $uid to change the admin's password.
Setting $pwd to hehehe', trusted=100, admin='yes to gain more privileges.
Example #4
Attacking the database host's operating system (MSSQL Server)
If the attacker submits the value a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- to $prod, then $query will be:
Example #4
MSSQL Server executes the SQL statements in the batch, including a command to add a new user to the local accounts database.
If this application were running as sa and the MSSQLSERVER service were running with sufficient privileges, the attacker would now have an account with which to access this machine.
Example #4
A similar attack is possible against products other than MSSQL; the database server may be similarly vulnerable in another manner.
Avoidance Techniques
An attacker must possess at least some knowledge of the database architecture in order to conduct a successful attack. Obtaining this information is often very simple:
If the database is part of an open source or other publicly available software package with a default installation, this information is completely open and available.
This information may also be divulged by closed-source code - even if it's encoded, obfuscated, or compiled - and even by your very own code through the display of error messages.
Other methods include the use of common table and column names.
Avoidance Techniques
Never connect to the database as a superuser or as the database owner. Always use customized users with very limited privileges.
Use prepared statements with bound variables. They are provided by PDO, by MySQLi and by other libraries.
Check if the given input has the expected data type.
Verify numerical data input with ctype_digit(), or silently change its type using settype(), or use its numeric representation with sprintf().
Avoidance Techniques
A more secure way to compose a query for paging:
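As an added example (not code from the lecture slides, which are written around PHP), the paging query of Example #1 and the article listing of Example #2 are shown below the naive way and the way the avoidance slides recommend, against an in-memory SQLite database: the offset is checked to be a decimal number (the ctype_digit() check) and every user value is passed as a bound parameter rather than spliced into the SQL text. Table names, columns and rows are constructed for the demonstration.

```python
# Added example, not from the lecture slides: the paging query of Example #1
# and the article listing of Example #2 written the naive way and the way
# the "Avoidance Techniques" slides recommend, against an in-memory SQLite
# database. Table names, columns and rows are constructed for the demo.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: public articles plus a users table whose pwd
    column must never show up in an article listing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (uid TEXT, pwd TEXT);
        INSERT INTO articles (title) VALUES ('apache hardening'),
            ('drupal permissions'), ('sql injection'), ('server tokens');
        INSERT INTO users VALUES ('admin', 'demo-secret');
    """)
    return conn


def list_articles_naive(conn, search: str) -> list:
    """Vulnerable: the search term is spliced into the SQL text, so a term
    containing a quote and a UNION becomes part of the statement."""
    query = f"SELECT id, title FROM articles WHERE title LIKE '%{search}%'"
    return conn.execute(query).fetchall()


def list_articles_safe(conn, search: str) -> list:
    """Hardened: the term is a bound parameter and can only be compared
    as a string, whatever characters it contains."""
    query = "SELECT id, title FROM articles WHERE title LIKE ?"
    return conn.execute(query, ("%" + search + "%",)).fetchall()


def page_articles_safe(conn, offset: str, limit: int = 2) -> list:
    """Paging as the slides recommend: $offset must be a decimal number
    (the ctype_digit() check) and is bound, not concatenated."""
    if not re.fullmatch(r"[0-9]+", offset):
        raise ValueError("offset must be a non-negative decimal number")
    query = "SELECT id, title FROM articles ORDER BY id LIMIT ? OFFSET ?"
    return conn.execute(query, (limit, int(offset))).fetchall()


def compare(conn, search: str) -> tuple:
    """Run both listings on the same input: the naive one may return rows
    from other tables, the safe one never does."""
    return list_articles_naive(conn, search), list_articles_safe(conn, search)


if __name__ == "__main__":
    db = make_db()
    # The UNION case the slides warn about, as a constructed search term.
    naive, safe = compare(db, "x' UNION SELECT uid, pwd FROM users --")
    print("naive:", naive)
    print("safe: ", safe)
    print("page 2:", page_articles_safe(db, "2"))
```

The same pattern carries over to PDO or MySQLi in PHP: the placeholder syntax differs, but the rule is identical, and the type check on $offset is what keeps the "0;" trick of Example #1 out of the statement entirely.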
Avoidance Techniques
If the database layer doesn't support binding variables, then quote each non-numeric user-supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.).
Generic functions like addslashes() are useful only in a very specific environment (e.g. MySQL in a single-byte character set with NO_BACKSLASH_ESCAPES disabled), so it is better to avoid them.
Avoidance Techniques
Do not print out any database-specific information, especially about the schema, by fair means or foul. See also Error Reporting and Error Handling and Logging Functions.
You may use stored procedures and previously defined cursors to abstract data access so that users do not directly access tables or views, but this solution has other impacts.
Secure Your Apache Web Server
Disable unnecessary modules
If you are planning to install Apache from source, disable the following modules. You can use ./configure --help to see the modules.
a. userdir – Mapping of requests to user-specific directories, i.e. ~username in a URL will get translated to a directory on the server
b. autoindex – Displays a directory listing when no index.html file is present
c. status – Displays server stats
d. env – Clearing/setting of ENV vars
e. setenvif – Placing ENV vars on headers
f. cgi – CGI scripts
g. actions – Action triggering on requests
h. negotiation – Content negotiation
i. alias – Mapping of requests to different filesystem parts
j. include – Server Side Includes
k. filter – Smart filtering of requests
l. version – Handling version information in config files using IfVersion
m. as-is – as-is filetypes
Disable unnecessary modules
Disable all of the above modules as shown below when you do ./configure
Run Apache as separate user and group
Apache runs as nobody or daemon by default. Run Apache in its own non-privileged account.
Create the apache group and user.
Modify httpd.conf, and set User and Group appropriately.
Make sure Apache is running as "apache".
groupadd apache
useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache
vi httpd.conf
User apache
Group apache
ps -ef | grep -i http | awk '{print $1}'
root
apache
apache
apache
apache
apache
Restrict access to root directory
Use Allow and Deny. Secure the root directory by setting the following in httpd.conf:
Options None – Set this to None, which will not enable any optional extra features.
Order deny,allow – This is the order in which the "Deny" and "Allow" directives should be processed. This processes the "deny" first and "allow" next.
Deny from all – This denies requests from everybody to the root directory. There is no Allow directive for the root directory, so nobody can access it.
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
Set appropriate permissions for conf and bin directory
The bin and conf directories should be viewed only by authorized users.
Create a group, and add all users who are allowed to view/modify configuration files to this group (e.g., apacheadmin):
Create the group.
Allow access to the bin and conf directories for this group.
Add appropriate members to this group.
groupadd apacheadmin
chown -R root:apacheadmin /usr/local/apache2/bin
chmod -R 770 /usr/local/apache2/bin
chown -R root:apacheadmin /usr/local/apache2/conf
chmod -R 770 /usr/local/apache2/conf
vi /etc/group
apacheadmin:x:1121:ramesh,john
Disable Directory Browsing
Prevent users seeing all the files/dirs under your root. E.g., if they go to http://{your-ip}/images/ and you don't have an index.html under images, they'll see all the image files (and the sub-directories) listed in the browser (just like ls -1 output).
To disable directory browsing, set the value of the Options directive to "None" or "-Indexes":
<Directory />
    Options None
    Order allow,deny
    Allow from all
</Directory>
(or)
<Directory />
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>
Don't allow .htaccess
Using a .htaccess file inside a specific sub-directory under htdocs (or anywhere outside), users can overwrite the default Apache directives. You should not allow users to use .htaccess:
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Disable other Options
Available values for the Options directive:
Options All – All options are enabled (except MultiViews). If you don't specify an Options directive, this is the default value.
Options ExecCGI – Execute CGI scripts (uses mod_cgi)
Options FollowSymLinks – If you have symbolic links in this directory, they will be followed.
Options Includes – Allow server side includes (uses mod_include)
Options IncludesNOEXEC – Allow server side includes without the ability to execute a command or CGI.
Options Indexes – Allow directory listing
Options MultiViews – Allow content negotiated multiviews (uses mod_negotiation)
Options SymLinksIfOwnerMatch – Similar to FollowSymLinks, but this will follow a link only when the owner is the same for the link and the original directory to which it is linked.
Never specify 'Options All'. You can combine multiple options in one line:
Options Includes FollowSymLinks
Disable other Options
The + and – in front of an option value are helpful when you have nested directories and would like to overwrite an option from the parent Directory directive. In this example, the /site directory has both Includes and Indexes.
For the /site/en directory, if you need only Indexes from /site (and not Includes), and if you want FollowSymLinks only in this directory, do the following.
/site will have Includes and Indexes; /site/en will have Indexes and FollowSymLinks.
<Directory /site>
    Options Includes Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory /site/en>
    Options -Includes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Remove unwanted DSO modules
Dynamic shared object modules will be present inside httpd.conf under "LoadModule" directives. Statically compiled Apache modules will not be listed as "LoadModule" directives.
Comment out any unwanted "LoadModule" lines in httpd.conf:
grep LoadModule /usr/local/apache2/conf/httpd.conf
Restrict access to a specific network (or ip-address)
Only if you want your site to be viewed only by a specific ip-address or network.
To allow a specific network to access your site, give the network address in the Allow directive.
To allow a specific ip-address to access your site, give the ip-address in the Allow directive.
<Directory /site>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.10.0.0/24
</Directory>
<Directory /site>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.10.1.21
</Directory>
Don't display or send Apache version
By default, the server HTTP response header will contain the Apache and PHP versions:
Server: Apache/2.2.17 (Unix) PHP/5.3.5
This is harmful, as we don't want an attacker to know the specific version number.
To avoid this, set ServerTokens to Prod in httpd.conf. This will display "Server: Apache" without any version information.
Possible ServerTokens values:
ServerTokens Prod displays "Server: Apache"
ServerTokens Major displays "Server: Apache/2"
ServerTokens Minor displays "Server: Apache/2.2"
ServerTokens Min displays "Server: Apache/2.2.17"
ServerTokens OS displays "Server: Apache/2.2.17 (Unix)"
ServerTokens Full displays "Server: Apache/2.2.17 (Unix) PHP/5.3.5" (If you don't specify any ServerTokens value, this is the default)
vi httpd.conf
ServerTokens Prod
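The Apache slides above amount to a checklist that can be run against httpd.conf itself. The following Python is an added example, not part of the lecture: a line-oriented audit that flags a missing or non-Prod ServerTokens, any "Options All", a <Directory /> block whose Options or AllowOverride are not locked down, and LoadModule lines for the modules the "Disable unnecessary modules" slide lists. The two configuration samples are constructed for the demonstration; the parser understands only flat "Directive value" lines and <Directory> blocks, which is enough to check the settings the slides cover.

```python
# Added example, not from the lecture slides: a line-oriented audit of an
# httpd.conf against the checks the Apache slides recommend (ServerTokens
# Prod, no "Options All", a locked-down <Directory />, none of the unwanted
# modules loaded). The two configuration samples are constructed for the
# demonstration; only flat "Directive value" lines and <Directory> blocks
# are understood.
import re

# Modules the slides say to leave out of a source build; mod_asis is the
# file name Apache uses for the "as-is" module listed on the slide.
UNWANTED_MODULES = {"userdir", "autoindex", "status", "env", "setenvif",
                    "cgi", "actions", "negotiation", "alias", "include",
                    "filter", "version", "asis"}


def audit_httpd_conf(text: str) -> list:
    """Return a list of human-readable findings; empty means all checks pass."""
    findings = []
    server_tokens = None
    current_dir = None                       # path of the enclosing <Directory>
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        opened = re.match(r"<Directory\s+(\S+)\s*>", line, re.IGNORECASE)
        if opened:
            current_dir = opened.group(1)
            continue
        if line.lower() == "</directory>":
            current_dir = None
            continue
        directive, *args = line.split()
        where = f"<Directory {current_dir}>" if current_dir else "server config"
        if directive == "ServerTokens" and args:
            server_tokens = args[0]
        elif directive == "LoadModule":
            m = re.search(r"mod_(\w+)\.so", line)
            if m and m.group(1) in UNWANTED_MODULES:
                findings.append(f"unwanted module {m.group(1)} is loaded")
        elif directive == "Options":
            if "All" in args:
                findings.append(f"Options All in {where}")
            elif current_dir == "/" and not (args == ["None"] or "-Indexes" in args):
                findings.append("Options for <Directory /> should be None or -Indexes")
        elif directive == "AllowOverride" and current_dir == "/":
            if args != ["None"]:
                findings.append("AllowOverride for <Directory /> should be None")
    if server_tokens != "Prod":
        shown = server_tokens or "unset, which behaves like Full"
        findings.append(f"ServerTokens is {shown}; expected Prod")
    return findings


# Constructed sample: the mistakes the slides warn about, all in one file.
WEAK_CONF = """
LoadModule userdir_module modules/mod_userdir.so
LoadModule rewrite_module modules/mod_rewrite.so
<Directory />
    Options All
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
"""

# Constructed sample: the same file after applying the slides' advice.
HARDENED_CONF = """
LoadModule rewrite_module modules/mod_rewrite.so
ServerTokens Prod
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_httpd_conf(conf) or "no findings")
```

Pointing audit_httpd_conf() at the real file (open('/usr/local/apache2/conf/httpd.conf').read()) gives the same report for a live server; Include'd files are not followed, so run it over each fragment you care about.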