cancel
Showing results for 
Search instead for 
Did you mean: 

[PAYH] phpwrapper.cgi Security Update

Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

[PAYH] phpwrapper.cgi Security Update

Sorry to have to issue a security update, but I've "identified a security vulnerability" - in other words, I've hacked my own script.
Anyone using phpwrapper.cgi should update it, as soon as possible, to this:
phpwrapper.cgi

#!/opt/php52/bin/php5-cgi
<?php
$_ENV["SCRIPT_NAME"]=$_SERVER['PHP_SELF']=$_SERVER["SCRIPT_NAME"]=$_ENV["REDIRECT_URL"];
$_ENV["SCRIPT_FILENAME"]=$_SERVER["SCRIPT_FILENAME"]=$_SERVER["DOCUMENT_ROOT"].$_ENV["REDIRECT_URL"];
ereg('^(.*)/([^/]*\.php)$', $_ENV["REDIRECT_URL"], $wrap_url);
chdir('/var/www/vhosts/yourusername.plushost.co.uk/httpdocs/'.$wrap_url{1});
include $wrap_url{2};
?>

replacing "yourusername", as before.
The revised wrapper script can be used safely with the old rewriteRule in .htaccess, but, for future purposes, the rewrite can be simplified:

rewriteEngine on
rewriteCond %{query_string} ^(.*)$
rewriteRule ^yourfolder.*/[^/]*\.php$ cgi-bin/phpwrapper.cgi?%1

The vulnerability does not affect Plesk accounts or logins, only webspace content. Together with other pieces of information, knowledge of your use of the original wrapper script could allow a malicious hacker to access files protected by an .htaccess directive such as

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|pem|txt)$">
  Order Allow,Deny
  Deny from all
</FilesMatch>

I have updated the original instructions accordingly.
If you want to check that no-one has actually tried to use this hack on your web site, check the processed logs in Plesk's log manager. Search for the string "wrap_f". If it doesn't appear, no attempt has been made. Even so, please do update the script.
Gabe
14 REPLIES 14
rekabuk
Dabbler
Posts: 19
Registered: ‎18-02-2009

Re: [PAYH] phpwrapper.cgi Security Update

Thanks Gabe,
Has anyone used this to get a Joomla 1.5.9 site up and running and then install components?
Regards
Andrew
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: [PAYH] phpwrapper.cgi Security Update

I can't be sure, because I'm completely unfamiliar with Joomla, but I seem to have installed Joomla and then installed the JForms component (just as a test), without running into difficulties.
There may be other problems, but here's what I did.
I created a folder within httpdocs. I added that folder to the redirect list outlined in the phpwrapper thread. I then uploaded the zipped Joomla package to that folder and unzipped it with a php script loaded into the same folder. I then ran through the install, not activating FTP, deleted the installation folder and went straight into admin. I dowloaded JForms and then uploaded and installed it from the install option in the extensions menu.
So far, so good. I can't test the functionality properly, because I don't know the package at all.  All I can say is that it looks worth a try.
Gabe
rekabuk
Dabbler
Posts: 19
Registered: ‎18-02-2009

Re: [PAYH] phpwrapper.cgi Security Update

Hi Gabe,
I am keen to see if i can get this working. I read your post and this one http://community.plus.net/forum/index.php/topic,73037.0.html and I believe  have implemented everything. My copy of joomla was already installed, so I moved the files to a new sud-directory of httpdocs and changed the configuration.php file.
Having put the phpwrapper.cgi in the cgi_bin directory and chmod'd it to 755. I added an .htaccess file to my httpdocs directory and now when I point a browser at my site I just get an empty page back 😞
Any ideas?
Andrew
Kev_Mawson
Grafter
Posts: 196
Registered: ‎05-04-2007

Re: [PAYH] phpwrapper.cgi Security Update

Hi
You will need to ensure that you go in to the Joomla admin system and choose to reinstall the plugin, and if this does this through FTP you should be ok.
rekabuk
Dabbler
Posts: 19
Registered: ‎18-02-2009

Re: [PAYH] phpwrapper.cgi Security Update

Installing though FTP? This is new to me I'll have to go and read-up on it, I've only used the upload in the back-end menu.....
Thank-you,
Andrew
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: [PAYH] phpwrapper.cgi Security Update

Perhaps the easiest way to check if the wrapper redirect is working is to put a phpinfo script into the folder you've specified in the redirect:
<?php
phpinfo();
?>

If the resulting info page shows PHP Version 5.2.1, it's working. If it still shows PHP Version 5.2.0-8+etch13, or blank, it isn't.
I think Kev is right, in that the easiest way to install a component in a Joomla package that's been installed without using the wrapper script is probably going to be through FTP. On the other hand, if you're just setting up, using the wrapper script would mean that all your files and folders are owned by your user, and all permissions are suitably restrictive. ISTR some people have commented that Joomla doesn't fully work as it should with safe mode on, but I don't know the details.
Gabe
rekabuk
Dabbler
Posts: 19
Registered: ‎18-02-2009

Re: [PAYH] phpwrapper.cgi Security Update

Quote from: Gabe
ISTR some people have commented that Joomla doesn't fully work as it should with safe mode on, but I don't know the details.
Gabe

Yes I have read a lot of similar reports, has anyone got Joomla working properly?Huh
Andrew
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: [PAYH] phpwrapper.cgi Security Update

Hi Gabe,
I have only just got back from a break and have tried to implement the new phpwrapper.cgi

By having the old and the new phpwrapper.cgi files side by side in the cgi-bin folder (the one on the same level as the httpdos, httpsdocs etc. folders) and renaming them to make each active, I have been able to test then separately.
They are both permission 744.
The old one is:
Quote
#!/opt/php52/bin/php5-cgi
<?php
[Edit] - removed because of security risk
?>

the new one is
Quote
#!/opt/php52/bin/php5-cgi
<?php
$_ENV["SCRIPT_NAME"]=$_SERVER['PHP_SELF']=$_SERVER["SCRIPT_NAME"]=$_ENV["REDIRECT_URL"];
$_ENV["SCRIPT_FILENAME"]=$_SERVER["SCRIPT_FILENAME"]=$_SERVER["DOCUMENT_ROOT"].$_ENV["REDIRECT_URL"];
ereg('^(.*)/([^/]*.php)$', $_ENV["REDIRECT_URL"], $wrap_url); chdir('/var/www/vhosts/myname.plushost.co.uk/httpdocs/'.$wrap_url{1});
include $wrap_url{2};
?>

- as suggested in your PM to me (19th Feb).
The old one allows a PHP file in the httpdocs/php/ folder (with file permissions 711) to create  a new file in the folder httpdocs/php/maincount (with folder permissions 701).
The new one does not allow the creation.
Please note that, for some reason, without the '1' in the 701, I can not read the created file using Internet Exporer.
I also notice that the forum post has:
ereg('^(.*)/([^/]*\.php)$', $_ENV["REDIRECT_URL"], $wrap_url);
but the PM has
ereg('^(.*)/([^/]*.php)$', $_ENV["REDIRECT_URL"], $wrap_url);
Neither seem to work.
I'm getting quite confused with this.
Tony
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: [PAYH] phpwrapper.cgi Security Update

Hi Tony,
If you look at the PM in your forum in box, you'll see that the code is displayed correctly. The backslash gets sanitized out of the notification email.
The backslash is needed to escape the dot, which otherwise represents any character. Even without the backslash, it should still work under most circumstances.
I can't seem to reproduce the fault you describe and I've tried to reproduce it exactly. Folders need to be 701 minimum. The script you use to write the file can be just 400. The file it writes will be 644, unless you tell it otherwise.
Try popping a phpinfo() script (as above) in your php folder, just to check the redirect is working.
Gabe
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: [PAYH] phpwrapper.cgi Security Update

Hi Gabe,
Old phpwrapper.cgi gives version 5.2.1
New phpwrapper.cgi gives blank page.
All other conditions/permissions/files/folders the same - just renaming 'phpwrapper.cgi' to 'phpwrapper.cgi-old' and the new one from 'phpwrapper.cgi-new' to 'phpwrapper.cgi'
The phpwrapper.cgi-new has the '\' escaping the dot.
phpwrapper.cgi 744
phpinfo.php (744) located in httpdocs/php for both operations
.htaccess (777) located in httpdocs for both operations:
Quote
rewriteEngine on
rewriteCond %{query_string} ^(.*)$
rewriteRule ^php.*/[^/]*\.php$ cgi-bin/phpwrapper.cgi?%1

Tony
Tony_W
Grafter
Posts: 745
Registered: ‎11-08-2007

Re: [PAYH] phpwrapper.cgi Security Update

Hi Gabe,
Thanks for the PM.
I have set my WS_FTP to default to ASCII transfer mode as suggested and then re-uploaded the phpwrapper.cgi file.
It now works OK.
WS_FTP was set to 'auto detection' whenever it connects to PAYH. I don't know why it would have gone to binary transfers for the new phpwrapper when it didn't for the old one.
Anyway, fingers crossed, it seems to be working OK again now.
Thanks again,
Tony
PeteW1959
Grafter
Posts: 43
Thanks: 5
Registered: ‎26-08-2008

Re: [PAYH] phpwrapper.cgi Security Update

I have got the phpwrapper method 'sort of' working, but I could do with a little help.
I am trying to get phpGedView working. I have phpwrapper.cgi in my cgi-bin folder and the 3 lines in my httpdocs folder .htaccess.
So far, so good, I can gt the app up and log in, and the database access is working ok, but the page is a mess beacuse the app can't seem to access any of the sub-folders (where all the images and page structures are).
What should I do to get subfolders included in the phpwrapper?
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: [PAYH] phpwrapper.cgi Security Update

Hi Pete,
I've not used phpGedView (spent long hours squinting at microfilms though), so I'm not familiar with its structure, but the redirect should work for the folder you specify in the rewriteRule and all subfolders of that folder, so long as they don't contain their own .htaccess files that override the one in httpdocs.
First thing to check would be that the method is actually working for the specified folder, by using a phpinfo() script (see reply 6).
Next thing to check would be permissions. If you installed the package before getting the phpwrapper working, you'll probably have a mixture of files and folders owned by your user and by Apache (www-data). In that case, you may either need to increase the relevant permissions or reinstall the package. If the package was installed after getting the phpwrapper working, all your files and folders should be owned by your user and you shouldn't have to worry about permissions.
I can't be sure phpGedView will work with the wrapper, but it looks worth a try.
Gabe
PeteW1959
Grafter
Posts: 43
Thanks: 5
Registered: ‎26-08-2008

Re: [PAYH] phpwrapper.cgi Security Update

Thanks for the advice Gabe.
I used phpinfo and the wrapper is working OK. I checked through all the folders and permissions were OK and no .htaccess anywhere. I even changed permissions to 777 and no joy.
My aim was to port phpGedView from my live site and get it working before doing the upgrade to the new version (this requires PHP5 which is why I'm trying PAYH).
However following your advice I have done a clean install of the new version and I can confirm that phpGedView works with the wrapper.  Smiley
Thanks again, especially for the wrapper.  Cool
Regards
Pete