Securing File Uploads

We’ve noticed recently a small number of customer websites have had issues with defacements and generally having malicious content added to them and they’ve all had one thing in common – The way in which they were hacked. In all instances recently it has been down to the sites allowing users to upload content to them.

The problems with this are:

  • Most scripts upload to a publicly accessible directory
  • Most scripts don’t even perform basic content checks
  • Most scripts allow any type of file to be read/executed from the upload directory

When we combine all 3 together we end up with a situation where someone can upload a PHP script to your uploads directory and then trigger the running of it from their web browser – basically giving themselves the same level of access to your account as you would have via FTP (As we run PHP under each users own username via SuPHP so that one users problems can’t affect another user).

So what do we recommend?

  • Keep your upload directory outside of your document root (generally public_html) if you possibly can
  • Make sure your upload scripts only allow the content you want to be uploaded – basically check it against a whitelist, if it’s not in the whitelist don’t allow it. Deny everything, allow only what you require
  • Make sure only content you allow can be accessed from the upload directory, you can do this with a .htaccess file, an example is shown below:

Allow only JPEG, GIF and PNG files to be accessed:

<FilesMatch ".*">
 Deny from all
</FilesMatch>

<FilesMatch ".(jpe?g|gif|png)$">
 Allow from all
</FilesMatch>

There are more things that can be done, but these should serve as a starter for improving your site security.

osCommerce & WordPress Exploit

We’ve been made aware of a new exploit that appears to have been launched today that is so far targeting WordPress and osCommerce installations. If you are running either of these pieces of software we recommend that you upgrade to the latest version as soon as possible. With osCommerce we would actually recommend you switch to an alternative product such as Zen Cart, as the development process is very slow and often stagnates.

The exploit itself creates .htaccess files in any directory where it has write permissions and places the following two lines in it, or on the end of an existing .htaccess:

AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
/tmp/25454b22bf39c75795851f39d5e347c4

The file: /tmp/25454b22bf39c75795851f39d5e347c4 claims to be mini suhosin, part of the Suhosin PHP security software, this is not the case. The exploit also tries to leave a back door shell in to infected system by leaving a shell process called minisuhosin running.

Linux Vulnerability CVE-2010-3081 – Local but serious

As many of you will no doubt be aware there has recently been a vulnerability with 64bit Linux announced that allows a local system user to gain root level system access. Whilst these things do happen from time to time, the problem at the moment is that a lot of vendors do not have a new kernel with the security hole patched. To make things worse, the exploit that is out in the wild installs a back door in to your systems as well, so even when patched they will still have root level access to your system!

Whilst many are saying this isn’t a major issue as it is only exploitable by having local machine access, it’s actually bigger than a lot of people realise in a web hosting environment as users are allowed to execute their own PHP and Perl code or install 3rd part scripts – what we’re seeing lately is that many such user and 3rd party applications have many holes in them that allow arbitrary code to be executed or even uploaded on to servers and then executed. Both situations effectively give a local user account (that of the web server user, or the account user depending on how the system is configured). One of the biggest causes of such problems are scripts that allow users to upload images or other files to a website – the vast majority of them do not check to make sure it is an image, or a PDF or a text file etc. that is uploaded – we’ve seen recently that a lot of these scripts allow users to upload PHP scripts for example instead of an image and of course once it’s in the images directory it can be executed like any other PHP.

There is currently a workaround for the specific exploit out in the wild, but they do not protect from any new exploits that may utilise the same security hole. The only solution ready at the moment appears to be that from KSplice.com – Which our managed hosting customers will be pleased to know we’ve been installing on all of your servers for the past few weeks now. For our un-managed customers you can also have KSplice but unfortunately for you there is a small charge for this, of £2.50 + VAT per copy – If you would like it installing then please open a ticket with us and we’ll get it done for you ASAP.

Get an EV SSL Certificate for £99.95/year

That’s right, you can now get an Extended Validation (EV) SSL security certificate for only £99.95 + VAT per year! That’s a saving of over £250 on a 2 year certificate.

What is an EV SSL?

Extended Validation Certificates are designed to work with web browsers since Internet Explorer Version 7 (and Firefox, Chrome, Opera, Safari) and provide users with a green address bar and scrolling information next to the address bar displaying who the certificate is registered to and who issued it as well as that the business is registered with the correct government bodies. This provides instant reassurance to visitors using a compatible browser that your site is secure and trustworthy – just like they see when they login to their online banking.

Why would I want an EV SSL?

These certificates are designed to provide absolute peace of mind for their users. They are issued under strict validation by all issuers to ensure that they are only issued to the company whose name they are issued in and that the department/person requesting the certificate has authority to do so – meaning that rogue employees and criminal gangs cannot get an EV SSL issued in your company name and commit fraud.

If you’re carrying out online sales then an Extended Validation SSL is the ultimate in confidence for your users that you are whom you say you are and that their data will be safe in transit to you.

If you’d like to order an EV SSL then please email us – sales@support.kdaws.com or alternatively, if you’d just like a standard SSL certificate then we can offer those as well, you can find more information about them on our SSL certificates page.