Bypass without PHP References?
ConradSollitt opened this issue · 4 comments
Hi @mm0r1
Incredible work you have published!!!
This is among the best (if not the best) PHP code that I have seen in many years.
Currently all of your published scripts require PHP reference syntax; do you have any bypass code that works without references?
I have a unique situation where I allow end-users to publish PHP code on a server with minimal restrictions, so I’m very interested in the work you are publishing.
Based on your work I found it worked perfectly for a custom build of PHP which I had published. I ended up making some updates to handle the issues you found but I expect there are more to be discovered which is why I’m always interested in PHP security.
Hi, all the exploits in this repo can be rewritten without having references. I'm using them for convenience, but they are not an integral part of any exploit. Besides that, the fix in fastsitephp/playground@f74d134 can be bypassed in many different ways, e.g. `& $var`, `&/**/$var`, `eval($_POST['payload']);` etc.
There is no safe way to run untrusted PHP code, but you can reduce the potential impact by containerizing your application and setting up the appropriate file permissions, resource limits and firewall rules. Relying on php.ini settings doesn't provide any additional security due to the abundance of memory corruption vulnerabilities in PHP.
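As an added illustration that is not part of this thread or the fastsitephp project, the containment layers mm0r1 lists (container, file permissions, resource limits, network restriction, and no reliance on php.ini) could be expressed in a Compose file like the one below; the image name, paths, user id, network layout and every numeric limit are assumptions to be adapted.

```yaml
# Added example, not project code. A PHP-FPM service for untrusted user code
# where the kernel and Docker boundaries, not php.ini, are what limit damage.
services:
  php-sandbox:
    image: php:8-fpm-alpine              # assumed base image
    user: "65534:65534"                  # run as nobody, never as root
    read_only: true                      # immutable rootfs; writable paths are explicit below
    volumes:
      # user code is readable by PHP but not writable from inside the container
      - ./user-sites:/var/www/user-sites:ro
      # the only writable site storage; chown it to uid 65534 on the host
      - user-uploads:/var/www/uploads
      # scratch space that does not survive a restart
      - type: tmpfs
        target: /tmp
        tmpfs:
          size: 67108864                 # 64 MiB
    cap_drop:
      - ALL                              # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true           # setuid binaries cannot regain privileges
    pids_limit: 128                      # bounds fork storms from user scripts
    mem_limit: 256m                      # memory ceiling independent of memory_limit in php.ini
    cpus: "0.5"
    ulimits:
      nofile: 1024
      fsize: 52428800                    # 50 MB largest file a process may create
    networks:
      - internal_only                    # reachable from the front end, no route outward
    # disable_functions may still be set in php.ini, but nothing above depends on it:
    # a memory-corruption bug in PHP only gets the attacker what this container allows.

networks:
  internal_only:
    internal: true                       # Compose: no external connectivity for members

volumes:
  user-uploads:
```

The web front end that proxies to php-sandbox joins internal_only in addition to its own externally reachable network, so the sandbox itself never holds a public address.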
Thanks for your help and the detailed feedback.
I've considered Docker and even Amazon's MicroVM Firecracker https://firecracker-microvm.github.io/ but for the time being was able to get everything set up using Apache.
For the time being I'll keep my current setup in place (the site doesn't get enough traffic and the server doesn't have any security-sensitive items on it). Basically I use a custom build of PHP where I modified some key file IO so end-users cannot easily write files outside of their own site. I think in the near future I'll spend more time on the custom build of PHP I use to disable the functions without php.ini based on your exploits.
I ended up reverting the simple logic to check for references so they are now allowed again.
In more testing I found php-concat-bypass was the one that would work reliably in my environment so I ended up disabling `shell_exec` and related functions directly in the PHP build. Soon I'll disable many more in the same manner but this at least makes it much harder for the average person to write a file through code.
fastsitephp/playground@28f9a15
Thanks again for your great project and help!