Request #64437 [feature request] log of php writes to local files
Submitted: 2013-03-15 23:21 UTC Modified: 2013-03-28 02:39 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: spamik at yum dot pl Assigned:
Status: Open Package: Filesystem function related
PHP Version: 5.4.13 OS:
Private report: No CVE-ID: None

 [2013-03-15 23:21 UTC] spamik at yum dot pl
Description:
------------
As you probably know, there are a lot of security bugs in current real-world PHP 
applications. Using these bugs, an attacker executes his own code that writes 
new .php files (usually) or modifies existing ones, putting his malicious 
"botnet zombie" code there.
It is really hard to quickly and effectively detect changes on the filesystem/kernel 
level, especially if we are talking about monitoring millions of directories 
(as in popular shared hosting).

I propose making a PHP file write log (to a file defined in php.ini). Operations 
that write to local files should be logged there (file_put_contents() and all 
fopen() calls except in 'r' and 'r+' mode). The log should contain:
unix_timestamp<SEPARATOR>absolute path of file that used the write 
function<SEPARATOR>absolute path of the modified file

<SEPARATOR> could be '\0' as it can't be in a filename anyway. Another solution 
would be to escape paths, as those can contain spaces etc.

Most of this code should probably go to ext/standard/file.c.
I've made a very, very crude implementation of this for myself, but that is really 
bad code because I lack C skills. It actually segfaults in some cases, so I won't 
even share it; there is no point.


 [2013-03-15 23:27 UTC] spamik at yum dot pl
Just to clarify: that log would actually later be used by userland applications 
that would scan those files that were written to.
In light of what is happening with PHP applications, mass hacks, botnets, people 
are moving to other languages that are more obscure just for their obscurity. PHP 
really needs to counteract this and provide functionality like the one I propose.
 [2013-03-18 20:23 UTC] spamik at yum dot pl
Only writes to files with selected extensions (set in php.ini, like php|htm|html|js) 
should be logged.
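The userland side of the proposal, as an added example that is not code from the report or from PHP: a consumer that parses the proposed NUL-separated write log (timestamp, writing script, written file), keeps only the php|htm|html|js extensions from the comment above, and then "scans" the written files by comparing them against a baseline of known-good SHA-256 digests. The baseline-hash comparison, the record dataclass and the sample log lines and file contents are all this example's own constructions; the report only specifies the log format and the extension filter.

```python
"""Consumer for the write log proposed in this report (added example; not code from
the report or from PHP). Assumed record format, from the description:
    <unix timestamp>\\0<absolute path of the writing script>\\0<absolute path of the written file>\\n
The NUL separator and the php|htm|html|js extension filter follow the report; the
baseline-hash comparison is this example's own way of "scanning" written files.
"""
import hashlib
import os
from dataclasses import dataclass

SEP = "\0"
MONITORED_EXTENSIONS = {"php", "htm", "html", "js"}


@dataclass(frozen=True)
class WriteRecord:
    timestamp: int
    script: str   # absolute path of the PHP script that performed the write
    target: str   # absolute path of the file that was written


def parse_log(text, extensions=MONITORED_EXTENSIONS):
    """Parse log records; drop malformed lines and writes to unmonitored extensions."""
    records = []
    for line in text.split("\n"):
        if not line:
            continue
        parts = line.split(SEP)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # malformed record: skip it rather than crash the scanner
        ts, script, target = parts
        ext = os.path.splitext(target)[1].lstrip(".").lower()
        if ext in extensions:
            records.append(WriteRecord(int(ts), script, target))
    return records


def files_to_scan(records):
    """Unique written files, each mapped to its most recent write record."""
    latest = {}
    for rec in sorted(records, key=lambda r: r.timestamp):
        latest[rec.target] = rec
    return latest


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_writes(records, baseline, read_file):
    """Compare each written file with a baseline of known-good SHA-256 digests.

    read_file(path) returns the file's bytes, or None if it no longer exists.
    Result maps path -> "new" | "modified" | "unchanged" | "missing".
    """
    result = {}
    for path in files_to_scan(records):
        data = read_file(path)
        if data is None:
            result[path] = "missing"       # written, then removed again
        elif path not in baseline:
            result[path] = "new"           # a file the deployment never shipped
        elif baseline[path] == sha256_hex(data):
            result[path] = "unchanged"     # rewritten with identical content
        else:
            result[path] = "modified"      # known file, content changed
    return result


# --- constructed sample data (not from the report) ---------------------------
SAMPLE_LOG = (
    "1363389660\0/var/www/site/wp-admin/update.php\0/var/www/site/wp-content/plugins/foo/foo.php\n"
    "1363389661\0/var/www/site/index.php\0/var/www/site/uploads/cat.jpg\n"          # not monitored
    "1363389662\0/var/www/site/uploads/x.php\0/var/www/site/wp-includes/load.php\n"
    "1363389663\0/var/www/site/uploads/x.php\0/var/www/site/uploads/z.php\n"
    "1363389664\0/var/www/site/admin/pages.php\0/var/www/site/my pages/page 1.html\n"  # spaces in path
    "not a record\n"                                                                    # malformed
)

ORIGINAL_FILES = {
    "/var/www/site/wp-content/plugins/foo/foo.php": b"<?php // plugin\n",
    "/var/www/site/wp-includes/load.php": b"<?php // loader\n",
}
BASELINE = {path: sha256_hex(content) for path, content in ORIGINAL_FILES.items()}

# Filesystem state after the logged writes: load.php gained a line, z.php is new,
# and "page 1.html" was removed again after being written.
CURRENT_FILES = {
    "/var/www/site/wp-content/plugins/foo/foo.php": b"<?php // plugin\n",
    "/var/www/site/wp-includes/load.php": b"<?php // loader\n// injected line\n",
    "/var/www/site/uploads/z.php": b"<?php // dropped file\n",
}


def run_sample():
    return classify_writes(parse_log(SAMPLE_LOG), BASELINE, CURRENT_FILES.get)


if __name__ == "__main__":
    for path, verdict in run_sample().items():
        print(f"{verdict:<9} {path}")
```

The NUL separator means paths with spaces need no escaping, which is why the sample includes one; the unmonitored .jpg write and the malformed line are dropped before any file is touched. In a real deployment `read_file` would be `open(path, "rb").read()` guarded against a missing file, and the baseline would come from the package or release the site was deployed from.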
 [2013-03-25 22:17 UTC] mail+php at requinix dot net
But a setup shouldn't allow PHP to do anything to files in the first place (with 
possible exceptions for things like file uploads). Directories should be locked 
down to 0755 or better, files to 0644 or better, and the web server/PHP running as 
a very under-privileged user like "nobody". Then there's no risk of creating new 
files or overwriting code or really any kind of modifications at all.
 [2013-03-28 02:39 UTC] spamik at yum dot pl
That might be good in a perfect world, but PHP also needs to write to files, for 
example auto-updates, log files, installation of extensions, file uploads.
The setup you are describing is like the year 199X. Nobody can provide such restrictive 
environments now for hosting because applications depend on file writes and even 
self-modifying writes (updates).
Also, executing code as one user under shared conditions? BIG NO.
The apc, fastcgi, fcgid way of running PHP in a default setup conforms to what I'm saying.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Oct 17 15:01:26 2018 UTC