suhosin
suhosin copied to clipboard
sektioneins
Suhosin upload verification script
I’ve included suhosin extension into DirectAdmin package management tool. However, there seems to be a bug in suhosin extension. I’m running PHP as PHP-FPM, if there is no script at all it still thinks the file does exist and shows: May 8 13:56:06 testing suhosin[31355]: ALERT - fileupload verification script disallows file - file dropped (attacker 'xx.62.57.xx', file '/var/www/html/roundcube/index.php’)
While the error should be: unable to execute fileupload verification script /path/to/the/script - file dropped
If I use a correct path to the upload verification script (it’s chmod +x) and just does:
!/bin/sh
echo 1; exit;
[root@testing custombuild]# ls -l /usr/local/php56/bin/php_uploadscan.sh -rwx--x--x 1 root root 116 May 8 14:04 /usr/local/php56/bin/php_uploadscan.sh
It does still show: May 8 13:56:06 testing suhosin[31355]: ALERT - fileupload verification script disallows file - file dropped (attacker 'xx.62.57.xxx', file '/var/www/html/roundcube/index.php’)
If I chmod it to 755 (+r), then the script works fine… So I think there should be a check if suhosin is able to execute the script, and if not - do not use it at all (do not drop files).
Also, I think it would be great to include the script name to the following alert: "fileupload verification script disallows file - file dropped”
Thank you!
How did it go? I got several new reports about the problem, however I wouldn't like to remove suhosin from the project because of that.
Great, thanks! Would it be possible to have a setting which would not drop the files if "upload verification script" does not exist or is not executable?
It seems to be a bad idea to not drop files if there is a problem with the script. It is best to default to otherwise people might never realize that their filter script is not working.
Yes, but the same could be said from the other point of view: if configuration line is still added to php.ini, but user accidentally removed the file or just transferred the php.ini file from his other server, his customers should call and notify him that all of the files are dropped. Another scenario: a client adds upload verification line to php.ini, but makes a typo, and leaves his huge web hosting server to work. That really wouldn't increase the reputation of the hosting company. In web hosting sphere that means less stability. I am not asking to change the defaults, I just say it would be great to have an ability to change the setting's behavior. Or, if suhosin has an ability to do that, just show a PHP Notice in case it's not possible to use the upload script, but not to drop the files. Thank you for understanding.
I had installed suhosin on two servers with cpanel. The issue seem that when the upload verification script does not allow uploaded file there is no message in /var/log/messages and neither in error_log files in user home directory. I do not know if is a suhosin problem or a cpanel enviroment problem. On those two servers we use the latest suhosin but on other server for example we use the suhosin provided by cpanel ( v0.9.33) and there seem to work well.
Any ideea ?
@TempleNode: Please provide additional information: PHP versions and variants (e.g. CGI, mod_php,....), Suhosin-Configuration (in particular suhosin.log.* ), verification script. Does Suhosin usually log to /var/log/messages on that server? Is your verification script working properly? Maybe you do not have the suhosin patch, but try to use constants such as S_ALL with suhosin.log.*?
It is also important to know what you mean by "latest" Suhosin. Only a github checkout gives you the "fixed" version at the moment.
PHP 5.4.31 (cgi-fcgi) (built: Aug 17 2014 19:40:53) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies with XCache v3.1.0, Copyright (c) 2005-2013, by mOo with the ionCube PHP Loader v4.6.1, Copyright (c) 2002-2014, by ionCube Ltd. with XCache Cacher v3.1.0, Copyright (c) 2005-2013, by mOo with Suhosin v0.9.37-dev, Copyright (c) 2007-2014, by SektionEins GmbH
I had tried different configuration even to create a separate files where to log those alerts. When i had posted two days ago than was installed so it was the latest in that time.
Yes upload script working fine. The file is blocked i get errro code 402 which is set in configuration just i do not get warning message that file was droped.
On other servers when suhosin was installed from cpanel sources seem to work fine.
Hello,
for me taking out "2>&1" from ufilter.c helped.
I used latest suhosin from Github (597ab68817b833547d99bd9bf7cd47d728e24fef). PHP runs as CGI, I have tested 5.3.29, 5.4.32, 5.5.16 and 5.6.0.
My verification script executes another script:
#!/bin/sh
file="$1"
CHECK=`/opt/maldetect/maldet --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$file"`
if [ "$CHECK" = "1 maldet: OK" ]; then
echo 1;
else
echo 0;
fi
With "2>&1" I always get "fileupload verification script disallows file - file dropped".
If I use
#!/bin/sh
echo 1;
as verification script it worked with "2>&1".
Well my guess is that maldet outputs something to stderr which disturbs your checking script's logic in case stderr is redirected to stdout by 2>&1
I thought that too. If I execute the commands as root on console, I do not get different outputs with or without "2>&1". I tried to exec() both (script and maldet) in PHP, no difference.
I edited the uploadcheck script to log to a file. maldet was executed and gave a positive result, but although suhosin logged that the uploadscript disallowed the file.
...
if [ "$CHECK" = "1 maldet: OK" ]; then
echo 1;
echo "OKOKOK" >> /tmp/up.log
else
echo 0;
fi
In my log I found "OKOKOK" but the file upload was disallowed.