Welcome to the Aconiac Security Group Blog

This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.

The official Aconiac company blog

If you’ve ever programmed anything in PHP before, you’ve probably had situations where you needed to be careful with your scripts to make sure they were secure (and if you haven’t, you probably have but just haven’t noticed).

Writing secure code is often not as easy as you would hope, and while PHP does provide certain methods to help you in your task, it still leaves much of the hassle up to you as the programmer. This, combined with the sheer number of PHP sites out there, leads to the sad fact that many insecure websites are written in PHP. And while your own website may be totally secure, perhaps because you read guides like the PHP Security Guide from the PHP Security Consortium, there is absolutely no guarantee that the hosting users on your server will do the same – so you need to protect yourself!

Protecting your server, and more importantly the users on it, is really a matter of several things. You need to make sure only the services you need are running, you need to secure access routes to the server (ssh, vnc, rdp etc.), you need to put in surveillance and detection systems (Nagios, Tripwire, Snort etc.), you need to make sure the data is backed up at all times, you need a proper firewall and tons of other things. Covering all these topics is way beyond this simple post however, so we’ll only focus on protecting yourself against badly coded PHP-scripts.

Say a hosting user has a website on your server, e.g. http://www.example.org/, and on this site he creates a PHP script that loads a file and displays it in some way. This is obviously a contrived example, because when would you actually need this functionality? Nonetheless, files are sadly often included like this indirectly, making it possible for an attacker to load arbitrary files and gain full or partial access to their content. In this example we’ll simply look at a scheme like the following:

http://www.example.org/script.php?filename=test.txt

where the script then loads the content of test.txt.

This kind of setup is very problematic, because an attacker can easily take the request above and change it to load other files like:

http://www.example.org/script.php?filename=../../../../etc/passwd
http://www.example.org/script.php?filename=../../vhosts/someothersite.com/secretfile.php

The first one loads the password file on the server (it actually only contains usernames; passwords are in another file – but you get the point) and the second one could perhaps be a configuration file for another hosting user’s blog. This way the attacker could gain access to a complete list of users and some login information for another customer.

Both these situations are obviously unacceptable, and while you can’t protect your users from themselves (at least not easily), you can protect your good users from your more reckless users.
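Before moving on to the server-level controls, here is how the script.php from above should validate its filename parameter itself; this is an added example and not code from the original post, and the data directory /var/chroot/apache/vhosts/somevhost.com/data is an assumption. It rejects both traversal requests shown above while still serving test.txt.

```php
<?php
// Added example: hardened version of the "script.php?filename=..." pattern.
// The vulnerable original amounts to:  readfile($_GET['filename']);
// DATA_DIR is an assumed location for the files the script may serve.
declare(strict_types=1);

const DATA_DIR = '/var/chroot/apache/vhosts/somevhost.com/data';

/**
 * Resolve a user-supplied name to an absolute path inside DATA_DIR.
 * Returns null when the name contains a NUL byte, contains any directory
 * component, resolves outside DATA_DIR, or does not refer to a regular file.
 */
function resolveDataFile(string $name): ?string
{
    // NUL bytes: older PHP versions truncated paths at the first NUL,
    // newer ones throw; either way the request is bogus.
    if (strpos($name, "\0") !== false) {
        return null;
    }

    // Only bare file names are acceptable. basename() strips directories,
    // so "../../etc/passwd" and "../../vhosts/x/secretfile.php" both fail here.
    if ($name === '' || $name !== basename($name)) {
        return null;
    }

    $base = realpath(DATA_DIR);
    $path = realpath(DATA_DIR . '/' . $name);

    // realpath() collapses ".." and follows symlinks, so a symlink inside
    // DATA_DIR that points elsewhere is also caught by the prefix check below.
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return is_file($path) ? $path : null;
}

$path = resolveDataFile((string) ($_GET['filename'] ?? ''));
if ($path === null) {
    // Same response for "does not exist" and "not allowed": no hints
    // about which names are valid.
    http_response_code(404);
    exit('No such file');
}

header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

An open_basedir setting like the one described later in the post adds a second, server-enforced layer that holds even when a script skips this check.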

One way of doing this is by utilizing what’s called a chroot. Chrooting basically means taking an application and forcing it to do its work solely within a given directory, so that, for example, Apache is only allowed to function inside “/chroot/apache” and nowhere else. This prevents websites running on Apache from reading (and writing) files outside this chroot, so an attacker can’t use the above attack to read the password file. Setting up such chroots isn’t always easy, since everything Apache uses during runtime needs to be available in the chroot. One project has however attempted to make chrooting Apache much easier. This project is the Web Application Firewall Mod-Security, which can be found here. It provides the so-called SecChroot option to easily chroot your Apache.

Chrooting doesn’t, however, prevent a site in the chroot from reading data belonging to another site stored in the same chroot. To prevent this kind of attack, you’d have to logically separate each running virtual host, either by setting up a dedicated Apache chroot for each virtual host (a bad solution) or by using something called suPHP. By means of suPHP, which can be found here, we can make Apache run PHP scripts under the permissions of the owners of the scripts, instead of the normal Apache user which is shared between all virtual hosts. By doing this, we effectively make each virtual host able to read/write files only in its own directory and not spy on other virtual hosts’ data (assuming these have set correct permissions).

But what if we don’t trust this to be enough? What if we want to be completely sure that even if users set wrong permissions, a given user could still never read or write in another user’s virtual host? This can be accomplished by means of the PHP open_basedir option. The open_basedir option controls in which directory the PHP scripts of a virtual host can work. This effectively means we’re chrooting the PHP scripts themselves! To do this, open your virtual host configuration (which is probably stored somewhere like “/etc/apache2/vhosts/somevhostcom.conf”) and add the following within the <VirtualHost></VirtualHost> pair:

php_admin_value open_basedir /var/chroot/apache/vhosts/somevhost.com

where “/var/chroot/apache/vhosts/somevhost.com” is the location of the virtual host directory. (Be aware: if you’ve chrooted Apache, this path needs to be relative to the chroot and not to the actual system.)

Using open_basedir is not without its problems though. By making the PHP scripts run in what is effectively a chroot, they can’t, for example, write to the /tmp directory, which basically means file uploads won’t work. Be aware that chrooting in general often leads to these types of issues, which is also why many server administrators simply choose to take the risk and run Apache without chrooting.

Last but not least, you can also use Mod-Security for what it was created as – a Web Application Firewall. A Web Application Firewall is a software firewall placed onto Apache, which then uses a complex rule set to analyze traffic to the server and identify which requests are attacks and which are just normal use. These rules, however, have to be written manually, at least to some extent, and it is hard to write rules that catch illegal behaviour but never stop legitimate requests – usually you have to accept some level of false positives in attack detection if you want to be as secure as you can be.

That’s it! We hope you’ve become a bit more informed now and can get on with making your server secure against bad PHP scripts. Until next time – keep safe!

We have now released a native Microsoft Windows installer for the second release of our application Aconiac Password Generator, release 1.2.
It’s available at our website for download, alongside a cross-platform version for Mac, Linux, BSD etc. We are currently working on releasing a bunch of other native installers for Mac, Ubuntu Linux, Redhat/Fedora and more, however with clients needing to be serviced, it might be a few weeks before these will be finished. If you have experience packaging software for these systems and would like to help, please feel free to contact us.

The download page for Aconiac Password Generator can be found here

Aconiac at CeBIT 2009

Of all the trade fairs in the world, none quite rivals CeBIT when it comes to sheer size. With over 20 years of experience, it is still the world’s largest trade fair and showcases some of the up-and-coming home and office solutions in IT and Telecommunications.

Coming up to the CeBIT entrance

Sadly however, CeBIT has been experiencing decreasing visitor numbers for the last few years, and this year was obviously no exception – especially not given the economic circumstances of these times. Nonetheless, Aconiac decided to attend the conference as a visitor and see what other companies have come up with these days.

For all you readers who happen not to know, CeBIT consists of a number of halls, where every hall has a few different fields of interest. There are halls with Server Technologies, Business Storage, Virtualization etc., and there are other halls with e.g. Telematics & Navigation, Automotive Solutions, Transport & Logistics, Satellite Navigation etc. All in all there are a total of 26 different halls, sporting over 100 different subjects – so there should be something for almost any interest! On top of this there is an abundance of kiosks, bistros and the like, so you have to actively try to avoid eating in order to go hungry all day! A whole day is, by the way, also basically how long it takes to get around to every hall!

The new CeBIT Security World exhibit.


One hall was especially interesting for us, since it was CeBIT’s new Security World hall. According to the plan, this should include Anti-Malware Solutions, Security Tools & Services, Biometrics, Card Technologies, Network Security, Video Surveillance and more. But we’ll get back to that specific hall later. Let’s first take a look at what was interesting at CeBIT this year!

Now obviously, the economic crisis has effectively removed many of the fun things from the fair, but certain things have remained. And there were a few items we found especially cool this year.

Two of these items came from Asus, who have gained extended world-wide focus after the release of the first Asus Eee computers and the subsequent popularity increase of such products. They’ve now come up with a couple of completely new computers, both of which change the way we do personal computing, if they ever gain extensive popularity.

Asus' cool book laptop


The first, and probably most interesting, is this Asus book-like laptop. What makes this interesting is the fact that the laptop actually doesn’t have a keyboard of any kind – it instead has two screens! What this does is that software on the laptop can activate the bottom screen, which is actually a touchscreen, and put up a virtual keyboard on that screen. This way, you will be able to use the laptop just like any other laptop (We however weren’t allowed to touch it, so I’m not sure if the virtual keyboard is even a feasible tool to use for anything serious).

Asus' book laptop - flipped


But not only can you use it as a normal laptop, it also makes a new and unique operation possible – It can function as a book!
If you turn the laptop around, an accelerometer in the laptop detects this and immediately turns the virtual keyboard into an actual screen, so that you can use it to open .pdf files (and the like) and simply start reading! Products like this might very well be the early products that end up replacing printed media completely, even though that’s probably still quite some time in the future.

But again: We weren’t allowed to touch it, so it’s very hard to know how easy it actually was to use. Whether or not it is a product one would actually use is quite difficult to answer, so please don’t just go out and buy it just because we said it was cool! It might be a very good product and it might also not at all be!

Another cool product from Asus was this keyboard computer. So what do I mean by keyboard computer? Well, it’s actually quite literal! A computer stuffed completely into a small keyboard, so that you only have to bring the keyboard, find a big screen and plug yourself in to that screen, and you’re ready to go!

Keyboard as an entire computer


Whether or not this product is just a weird idea or it’s the future of laptops – well who knows? Personally I don’t believe this will be a hit, simply because the screen is missing. If you don’t have a big screen anywhere near you, you have to use the small screen in the right bottom corner – Not really a fantastic solution, because how often do you actually have a spare screen with you everywhere? The keyboard computer will probably only function as a replacement for large home computer systems, where computing power is not of much concern to the family members.

So all in all this exact product is probably not going to make much of a change! And sadly there wasn’t much else that was innovative at CeBIT this year. It seems the financial crisis has taken away much of the interesting stuff and kept all the, at times, irritating sales personnel who are scattered all over the place to try and sell you one electronic product after another!

So bummed out due to the lack of interesting products, we tried to figure out what to do next. After a bit of food and a small beer, we decided to take a look at the new and “fantastic” Security World hall.

Kaspersky Labs


Sadly however, our hopes of interesting exhibitors and good products were somewhat beaten down. There wasn’t really anything fantastic or innovative in the entire hall, and most exhibitors were also quite unknown to us. Not that being unknown is necessarily a bad thing, but if you’re an anti-virus company and you’re completely unknown, you’ve also never been critically evaluated in international tests and therefore never had your products tested against their competitors. This is by all means a bad thing! However, in regards to anti-virus, the master was still there – Kaspersky!

Even kids can do surveillance! ..


One thing that was kinda interesting though, was the surveillance part of the hall. Here you could get any form of spy equipment, cameras, microphones etc. Even kids could apparently use this stuff, as was apparent from the little guy playing around with the 10-20 cameras mounted all over this exhibit! I really like that picture actually! It quite effectively shows where we’re going in our society if people don’t soon get up off their asses and start fighting the extreme surveillance trend that has been going on since 2001.

So all in all the Security World exhibit was kinda disappointing. Not only were there not really any innovative products, many of the things you would expect weren’t there either. Why wasn’t e.g. HP there with WebInspect and DevInspect? Or RSA? Or Tenable Security? Or, in more of an open source direction, OpenBSD? Many of the relevant groups and companies were not represented. (To be fair, BSD was in another hall, but in another capacity.)

We care!


After the day went to an end, we drifted over to Munchenhalle, which is basically a classical German Tyrolean restaurant thing where people go after CeBIT to eat and .. well.. get stinking drunk! So we did exactly that and got to do a bunch of stuff like dance the bogey bogey, buy a Tyrolean hat for 20 Euros, spoke Danish with a Vietnamese guy and even sang happy birthday to a Chinese guy.. So no matter how good CeBIT is during the day, it usually always ends well ;-)

But in all seriousness again! Sadly I’m afraid the economic crisis scared some of the biggest companies away, which inevitably lowered the relevance of many of the halls. Now, to be fair, CeBIT usually has an overrepresentation of companies selling their normal products, compared to companies showing off their new innovative products. However, before, the ratio has been somewhat different! Basically, we decided a good characterization is this: CeBIT usually consists of a turd covered in sprinkles.. in order to get the sprinkles you need to get a bit of the turd! However now CeBIT is more like a turd consisting of 10% embedded sprinkles.. now you actually have to eat the entire turd to get the damn sprinkles.. and even then, there are way too few sprinkles ;-)

See you next year at CeBIT


So with that disgusting analogy, I leave you with whatever you were doing and will simply say:

Cheers, hopefully we’ll see you next year at CeBIT!

As you may or may not have noticed, all news has now been transferred to our blog and we will furthermore only be publishing here in the future.
For simplicity, we have however changed the news list on the company website, so that it takes its data directly from this blog and links to it. The news will therefore still be available to you, even though you might only visit our company website!

Concerning new technical blog posts: We have several on the drawing board and several are also undergoing editing, so we hope to bring you some cool content soon.

Yes, Aconiac has now officially started twittering!

Now you’re probably thinking: “Why? Oh why, God?”. Especially if you’re the typical European or business professional. However, after having looked into the matter, we have found good use for Twitter and can see how it has its place in the future business market – so that is really why!

So what will be twittering?  Well, we thought long and hard about what content could be efficiently distributed in 140 characters, since this is, by all common standards, a very limited text amount. Ultimately we came to the conclusion, that security tips & tricks, news and facts were of most interest and it is therefore this we will be twittering in the future with our “Did you know?” posts.

If this has piqued your interest, please go to http://twitter.com/AconiacSecurity and follow our posts there.

As a final note: We’ve added a “Tweet this” button to all posts, so that you can easily post our blog posts titles and links to your Twitter account.

NOTE: This is a technical post regarding Apache on Linux with support for Ruby on Rails. Basic understanding of these concepts is necessary!

Normally you want to make sure your server doesn’t give out any information about service versions, however mod_rails doesn’t provide any easy way of doing this within the module itself. There is however a fairly easy solution. Simply use mod_headers to remove the headers in Apache.

So how is it done? Very simple: just enable the module mod_headers and add the snippet below to httpd.conf or another included Apache configuration file. Both actions have to be done as root, of course.

Enable the mod_headers module (This example is Linux Debian – it might be different for your system)

# cd /etc/apache2/mods-available/
# a2enmod headers

Add these lines to httpd.conf

Header always unset "X-Powered-By"
Header always unset "X-Runtime"

Restart the Apache server (Again – this is Debian! It might be different for you)

# apache2ctl restart

And there you go. Try making e.g. a Nikto scan on the server and see if the headers aren’t there any more.

NOTE: This news item was originally posted on February 14, 2009.

Since we often get contacted concerning different types of partnership deals, we have now chosen to create a service for this purpose.

Further description of the service can be found here.

NOTE: This news item was originally posted on January 4, 2009

Since many of our clients have turned out to be fully capable of correcting their security issues themselves or really just wanted to get their own security corrections checked, we have now launched a service that can fulfil this need.

This service is Vulnerability Testing and is basically like Security Testing, however without Aconiac correcting the security issues and without Aconiac needing to have access to specifications about the system. A vulnerability test is therefore a real simulated attack from a hacker, so that companies can find whatever security issues a hacker would have found.

The service is sold at a fixed price of 540€ excl. VAT, with the sole exception that if your system is abnormally large or complex, Aconiac may decline to perform the service at the fixed price and will instead suggest other solutions, e.g. a real security test.

Further description of the service can be found here.

NOTE: This news item was originally posted on January 2, 2009

Aconiac Password Generator has, for some time, lacked a proper and easy way of installing the application. We have therefore now released a version with the Java Web Start technology. Java Web Start makes it easy to install the application on any system and even makes automatic updates of the application for the user – ultimately resulting in a more automated and easy process. Download the application by pressing the big green button on the product page.

If, for some reason, you do not want to use the Java Web Start version, it is of course still possible to download the application from SourceForge.net

NOTE: This news item was originally posted on December 31, 2008

Aconiac Security Group wishes you a happy new year and hopes you’ll get through the evening with all fingers intact.

We’ll see you in 2009!