A security issue with the handling of configuration.php?

Discussion regarding Joomla! 1.5 security issues.

rued
Joomla! Virtuoso
Posts: 4791
Joined: Fri Sep 16, 2005 10:23 pm
Location: Finland / Norway

A security issue with the handling of configuration.php?

Post by rued » Wed Feb 03, 2010 4:10 pm

[poster's comments removed]

I have reported this to the Security Team. If this is truly an issue, it will be taken care of.

In the future, please send suspected vulnerabilities to: security@joomla.org
Rune Rasmussen - http://www.syntaxerror.no
Norwegian web solutions and integrations, CONSIGNOR EDI, Mamut order import and product export, card payment and invoicing, etc.

Norsk Joomla! - Norwegian Translation Team - http://www.norskjoomla.no

brian
Joomla! Master
Posts: 11726
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: A security issue with the handling of configuration.php

Post by brian » Wed Feb 03, 2010 4:15 pm

Sorry but I don't see how that would make a diff. There is nothing output in configuration.php

BUT "if" this is a genuine security issue then it should be reported to the JST directly and not to the forum.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Re: A security issue with the handling of configuration.php?

Post by rued » Wed Feb 03, 2010 4:21 pm

Well, the hosts tell their customers this is a bug in Joomla!, and that everyone can read the passwords etc. for MySQL.

Anyhow, I don't see this being a hidden secret for the world and hackers with increasing use of these postings of javascript in articles.

And I don't know if this really is a serious security issue, that's why I'm asking for comments.

Re: A security issue with the handling of configuration.php?

Post by rued » Wed Feb 03, 2010 4:29 pm

A small follow up question ...

Let's say the configuration.php is chmod 444, who can read it?

As far as I know it's not accessible from web, do the hackers need access to the server before they can read it?

Re: A security issue with the handling of configuration.php?

Post by brian » Wed Feb 03, 2010 4:31 pm

If they are in a position to read that file then they already have access to your server

Re: A security issue with the handling of configuration.php?

Post by rued » Wed Feb 03, 2010 4:41 pm

To the one removing the content from my first post.

If this is an issue with Joomla!, shouldn't all users be warned about this - to avoid using this "feature"?

Just my 5 cents thinking. :)

@Brian - thanks for your responses.

Re: A security issue with the handling of configuration.php?

Post by brian » Wed Feb 03, 2010 4:55 pm

The content was removed by a global moderator. The correct way to report a security issue (which for the record I do not believe this is, and if it is, it has been present since Mambo days, which I am sure you are aware of) is to follow the advice here http://community.joomla.org/mag-v1/arti ... -team.html

Re: A security issue with the handling of configuration.php?

Post by rued » Wed Feb 03, 2010 5:01 pm

Hm ... like you I really don't believe this is a high priority security issue, just an easy explanation from lazy hosts.

Anyway, I did not, and still don't believe it's a security hole in the code that can be misused because of this post. "Everyone" knows there are several sites around the world having chmod 666 etc. on their files, and hackers know it and are always looking for those anyway. This doesn't change this.

Sorry I don't agree about keeping it a secret this time, but surely respect it for now. ;)

Re: A security issue with the handling of configuration.php?

Post by brian » Wed Feb 03, 2010 5:05 pm

It is not even a low priority security issue. If someone can read that file they have already compromised your server.

Re: A security issue with the handling of configuration.php?

Post by rued » Wed Feb 03, 2010 5:13 pm

Yep, thanks for confirming it.

Next time a user gets this answer from a host they can ask them to explain why the hackers have access to the server and the files ...

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: A security issue with the handling of configuration.php?

Post by mandville » Thu Feb 04, 2010 1:02 am

I can confirm that neither myself nor PhilD edited your post, but would agree on all counts that:
* Joomla core security "breaches/concerns" go through the proper channels.
* This scenario where a file is viewable by the web page does not happen with the repeatedly stated file permissions.
* as said by Brian - if someone is to the point of reading the file on your server and it's in 644 or 444 then the damage is already done.
I am sure the JSST will give an appropriate answer which you can then feed back to the forum if you wish.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Re: A security issue with the handling of configuration.php?

Post by rued » Thu Feb 04, 2010 7:24 am

Just for the record!

I see some blame this to be an old issue going back to Mambo-days, both here and in other threads. But this is not fully true since in Mambo/Joomla! 1.0.x you could not overwrite the config file that easily from Joomla! when it was chmod 400/444.

On suPHP servers you had to tick a box to force Joomla! to do this, on others you couldn't without first changing chmod.

I don't see this as a new unknown security hole, therefore not using the mail. Just wanted it confirmed openly that the hosts are using an easy explanation.

But ... when there is a security issue on the server, and someone is already into it on a shared hosting - chmod 444 would of course make the day easier for the hackers than chmod 400 I guess.

But again, not a security hole - but a darn annoying feature. ;)

Re: A security issue with the handling of configuration.php?

Post by brian » Thu Feb 04, 2010 9:08 am

If I have server access then it will not matter what permissions you have set for the file I will still be able to read it.

Re: A security issue with the handling of configuration.php?

Post by rued » Thu Feb 04, 2010 9:18 am

Hi Brian,

Hm ...what do you mean by server access, root user permissions?

What about another "normal user" with ftp or shell access on a shared server running e.g. suPHP/FastCGI, where the files in each account are owned by the account holder's user, and the group is also the same user?

I mean, why even have an option on the filesystem to use chmod 400 if there's no difference between this and 444 ...?

Re: A security issue with the handling of configuration.php?

Post by brian » Thu Feb 04, 2010 9:27 am

If I have hacked your server then I am likely to have root permissions. I have seen enough hacked sites and the tools left behind to know

Re: A security issue with the handling of configuration.php?

Post by rued » Thu Feb 04, 2010 9:49 am

If you have hacked the server yes, but again - what if only having access through another user account?

Or will you claim that every site hacked also means the whole server is compromised?

Re: A security issue with the handling of configuration.php?

Post by mandville » Thu Feb 04, 2010 12:01 pm

If you are on one account, and the host doesn't have jail shell then you could obviously roll where you want and do what you want.

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: A security issue with the handling of configuration.php?

Post by ilox » Thu Feb 04, 2010 3:10 pm

rued wrote: Just for the record! I see some blame this to be an old issue going back to Mambo-days, both here and in other threads. But this is not fully true since in Mambo/Joomla! 1.0.x you could not overwrite the config file that easily from Joomla! when it was chmod 400/444

On suPHP servers you had to tick a box to force Joomla! to do this, on others you couldn't without first changing chmod.
I don't get it Rune, you are talking as if it was possible for another user to somehow approach this file from the Internet and overwrite it or otherwise compromise the integrity of it.

I am not even close to the same league of knowledge and experience as the other posters that have been attracted here but I have no idea why you would think such a move possible. IF the administrator for that site has set the permissions properly to 644 or stronger then access from the Internet is not possible. If I have that wrong then please feel free to show me how it could be done.

I am not talking about a compromised account where they have somehow obtained the passwords and thus have Admin access. I am not talking about where hackers may have taken over a server through other compromised accounts and through poor server security have jumped from one account to another. You seem to suggest that access from the Internet is possible and I just don't see it is possible.

And Rune, from what I can recall when I started with Mambo in 2005 there were scare stories regularly arising where somebody had noticed the MySQL data was in clear text and they screamed blue murder. So yes, it has been in there for a LOOOONG time that I can recall.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

Re: A security issue with the handling of configuration.php?

Post by rued » Thu Feb 04, 2010 3:51 pm

No you don't get it, as I have not talked about direct access from internet. Where did you get that idea from I wonder.

Edit! Related topic posted by another user: http://forum.joomla.org/viewtopic.php?f=432&t=485552
(Have a feeling someone needs to change this feature, or start educating those hosts, or ... reply to more and more of these posts. ;))

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: A security issue with the handling of configuration.php?

Post by PhilD » Thu Feb 04, 2010 6:44 pm

rued wrote: Edit! Related topic posted by another user: http://forum.joomla.org/viewtopic.php?f=432&t=485552
(Have a feeling someone needs to change this feature, or start educating those hosts, or ... reply to more and more of these posts. ;))
I just answered that topic and I also just did some testing. Joomla does change permission on the configuration.php file when saving. If I have my configuration.php file set to 400 (read only by owner, no access by group or other), then upon saving the file the permissions will change to 444, which is still read only (read only for owner, group, other), just not as tight as 400. If I have the configuration.php file set to 644, then upon saving changes to the file, the permissions change to 444. At no time did the file get left at a permission higher than 444, and certainly not at something that is unsafe. I consider this an ease of use feature that does not compromise security of the file as 444 is tighter than 644. It would be nice if the code did something like this:
if < 444 then set to 400 elseif >= 644 set to 444 upon saving but it is not necessary.

Can someone read the file? Not likely without breaking out of jail, compromising another account on the server (inherent issue with shared hosting), improper server setup allowing listing of files (allowing directory listing, which some hosts still do, or site admins do through htaccess for some unknown reason), compromise of Joomla itself through 3rd party vulnerable extensions, and/or outdated Joomla core files.

If a server is improperly setup and requires permissions of 666 (read write for owner, group, other) or higher (777), then it is suggested that the person find another host or request that the existing host move their site to a server that is more secure and properly setup for use in modern website environments. Though personally, (personal opinions here) I would look for a better host. As another opinion there are some very popular hosts out there that do not have or care about security, or proper setup. They thrive on volume of users not on quality of service or security.

How do you propose we 'educate' hosts that are not secure and want to blame the software on a domain for all problems? I read a lot of complaining that 'this issue' should be fixed and/or 'hosts should be educated' but no proposals. The only way I can think of is to either point them to the wealth of information contained on the Joomla documentation site and/or vote with your money and go elsewhere.

Test environment:
PHP Built on: Linux 2.6.32.2-grsec #1 SMP Fri Dec 25 20:57:53 PST 2009 x86_64
Database Version: 5.0.87-community
Database Collation: utf8_general_ci
PHP Version: 5.2.9
Web Server: LiteSpeed
Web Server to PHP interface: litespeed
Joomla! Version: Joomla! 1.5.15 Stable [ Wojmamni Ama Mamni ] 05-November-2009 04:00 GMT
User Agent: Mozilla/5.0 Firefox/3.5.7
Hosting: Shared
Permissions changed by ftp.
Joomla administration backend used to make changes to configuration.php file and saved.
Ftp confirmed permission changes Joomla made.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

wagtail
Joomla! Apprentice
Posts: 31
Joined: Thu Aug 30, 2007 6:35 pm

Re: A security issue with the handling of configuration.php?

Post by wagtail » Fri Feb 05, 2010 8:47 pm

It's hard to follow what this problem is.
Could it be related to the 'feature or bug' discussion we had some time ago?

Here: http://forum.joomla.org/viewtopic.php?f=432&t=378409
or Here: http://forum.joomla.org/viewtopic.php?f=432&t=357143

I think some of us worked round the feature, but I see folks are still being advised to move their configuration.php without addressing the permissions thing.

Re: A security issue with the handling of configuration.php?

Post by PhilD » Sat Feb 06, 2010 12:18 am

I agree this thread is hard to follow and I think it has to do with Joomla changing permissions, though that's not entirely clear.

There is another topic with similar questions also active right now.
http://forum.joomla.org/viewtopic.php?f ... 7#p2029437

Re: A security issue with the handling of configuration.php?

Post by ilox » Sat Feb 06, 2010 5:28 am

Ok, so we consolidate discussion here and keep things together, I have just done another test of the changes to params.ini. This time I checked the permissions, and adjusted them to 644 from within CuteFTP. Then I went into Admin and switched params around, saved them then exited the site. No Extensions were run to do any of this. Only Core Joomla!.

File is clearly 644.

After changing parameters and saving it the file is now clearly 555.

This has nothing to do with any noticeable extensions - though it did start to change around the time a few months back when I updated JCE. But I can't see that that has any relevance, it is just offered for completeness.

Edits to correct images

Re: A security issue with the handling of configuration.php?

Post by wagtail » Sat Feb 06, 2010 12:14 pm

For params.ini, this occurs because the code specifically intends it. It's why I said it's "normal".

To offer a solution as Phil suggests, just change the set permissions for the first step (make writeable) to 0644
Then change the second step (make unwriteable) to 0444

But, there is still an open issue about the ftp enabled argument.
That is, it appears to me that this action should only occur when ftp is enabled (if ftp enabled argument). But that is not the case, it will happen when ftp is not enabled. We tried to get to the bottom of it on this board some months ago without success.

For the params.ini problem, the basic code snippet appears in the controllers.php

Code:

// Try to make the params file writeable
if (!$ftp['enabled'] && JPath::isOwner($file) && !JPath::setPermissions($file, '0755')) {
	JError::raiseNotice('SOME_ERROR_CODE', JText::_('Could not make the template parameter file writable'));
}

$return = JFile::write($file, $txt);

// Try to make the params file unwriteable
if (!$ftp['enabled'] && JPath::isOwner($file) && !JPath::setPermissions($file, '0555')) {
	JError::raiseNotice('SOME_ERROR_CODE', JText::_('Could not make the template parameter file unwritable'));
}
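
The save behaviour PhilD measured (400 and 644 both ending at 444) and the fixed `0755`/`0555` pair in wagtail's snippet both come from hard-coding the mode around the write. As an added example, not Joomla! code and not from any poster: a shell version of a save that writes a new copy and renames it into place, so the administrator's mode survives. It assumes GNU `stat` and `mktemp`; all function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: compare a "force the mode" save with a mode-preserving save.
# Assumes GNU coreutils (stat -c, mktemp). Nothing here is Joomla! code.

# Print a file's permission bits in octal, e.g. 400 or 644.
mode_of() {
    stat -c '%a' "$1"
}

# Constructed model of the behaviour reported in the thread: the file is made
# writable, rewritten in place, then left at a fixed mode (444) no matter what
# the administrator had set before.
save_forcing_444() {
    file=$1 content=$2
    chmod u+w "$file" || return 1
    printf '%s\n' "$content" > "$file" || return 1
    chmod 444 "$file"
}

# Mode-preserving save: read the current mode, write the new content to a
# private temporary file in the same directory (mktemp creates it 0600),
# give it the original mode, then rename it over the target. The target is
# never made writable, and a 400 file is still 400 afterwards.
# Needs write permission on the directory, not on the file itself.
save_preserving_mode() {
    file=$1 content=$2
    orig=$(mode_of "$file") || return 1
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/.cfg.XXXXXX") || return 1
    if printf '%s\n' "$content" > "$tmp" \
        && chmod "$orig" "$tmp" \
        && mv -f "$tmp" "$file"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Create a throwaway configuration.php with mode $2, save it with routine $1,
# and print the mode the file ends up with.
mode_after_save() {
    routine=$1 start=$2
    work=$(mktemp -d) || return 1
    f=$work/configuration.php
    printf '%s\n' '<?php /* constructed sample */' > "$f"
    chmod "$start" "$f"
    if ! "$routine" "$f" '<?php /* constructed sample, edited */'; then
        rm -rf "$work"
        return 1
    fi
    mode_of "$f"
    rm -rf "$work"
}

# Demonstration over the three starting modes discussed in the thread.
for start in 400 444 644; do
    forced=$(mode_after_save save_forcing_444 "$start")
    kept=$(mode_after_save save_preserving_mode "$start")
    echo "start=$start  forced-save=$forced  preserving-save=$kept"
done
```
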

Re: A security issue with the handling of configuration.php?

Post by rued » Sat Feb 06, 2010 1:21 pm

Thanks for testings, comments etc.
PhilD wrote: Can someone read the file? Not likely without breaking out of jail, compromising another account on the server (inherent issue with shared hosting), improper server setup allowing listing of files (allowing directory listing, which some hosts still do, or site admins do through htaccess for some unknown reason), compromise of Joomla itself through 3rd party vulnerable extensions, and/or outdated Joomla core files.

If a server is improperly setup and requires permissions of 666 (read write for owner, group, other) or higher (777), then it is suggested that the person find another host or request that the existing host move their site to a server that is more secure and properly setup for use in modern website environments. Though personally, (personal opinions here) I would look for a better host. As another opinion there are some very popular hosts out there that do not have or care about security, or proper setup. They thrive on volume of users not on quality of service or security.
Our problem now is some hosts blame Joomla! and its developers for sites getting hacked on their servers - because the files are set to 444 or higher. Readable for all as they say it.

I don't recommend those hosts, simply because of how they respond to - and treat their customers. But the majority of their customers will believe them, and their campaign against Joomla! and other free software - no reason the customers shouldn't if they don't know better.

And also, when an up to date Joomla! site with no or few extensions, with all security precautions taken, gets hacked you wonder why. And it then seems reasonable what the host tells you, they should know what they are talking about (even if they don't).

I also believe, with this knowledge, that "accusing" outdated extensions is as easy/lazy as those hosts accusing Joomla! - but this is another discussion I guess.

That leads us to next part ...
PhilD wrote: How do you propose we 'educate' hosts that are not secure and want to blame the software on a domain for all problems? I read a lot of complaining that 'this issue' should be fixed and/or 'hosts should be educated' but no proposals. The only way I can think of is to either point them to the wealth of information contained on the Joomla documentation site and/or vote with your money and go elsewhere.
An easy thing to do would be to write down an official guide/doc about this, telling how it is and why. Why it's not unsafe to have 644/444, why it's bullshit that it's safer to have it 400 (that's at least what all seem to tell us here at the moment).

Sorry I can't write this doc, even if I already spend hundreds of hours each year on Joomla!, I'm just not a server admin/guru. If I fully did understand why it's not more unsafe to use 444 compared to 400, I might have contributed also with this.

Anyhow, if there was such an official documentation on this we could simply point the users and hosts to this - and recommend the users to spend their money elsewhere if the host keeps up with their bullshit talk.

But that being said, most people will think when they set those config files to chmod 444/440/400 they are write protected also for Joomla! - and there are lots of sites where I think this is needed too, as long as the ACL is as it is. I simply believe that the need for making things easy has gone too far in some areas ...

Just to round up this, from my side, I will try to translate a dialogue between one host and their customer - with permission from the customer to do this:

The Customer wrote: Hello,
The fact that the chmod is set to readable for all is not the same as all can read it.

The Host wrote: Eh, yes.
It's not something magical about file rights. If the file rights for a file are set so it's readable to all, it's readable to all.

The Customer wrote: It then at least seems like there are some major weaknesses, yes a safety hole, that is special for {hostname} and your technical setup.

Many well known experts on Joomla! claim that this file can not be read by all, just because it's chmod 444. The conclusion from those people is that if any outsiders can read this file they're already inside the server.

The Host wrote: This then tells something about those experts. Joomla! developers are not exactly in a position to educate others about safety, just look at the safety history at e.g. Secunia.

When a file is set readable to all, it's readable to all. To set the correct chmod on files is probably the most important thing to do with security on a web hotel, as part of the nature of shared hosting.

Yes, there are technical solutions that could help - so you don't need to worry about what others do. It's called "dedicated server" or "dedicated virtual server", which is another kind of product where you don't have other users on the same server.

See: {link to hosts faq about how to avoid getting hacked}

The Customer wrote: This is discussed here:
http://forum.joomla.org/viewtopic.php?p ... 1#p2025941
* Joomla core security "breaches/concerns" go through the proper channels.
* This scenario where a file is viewable by the web page does not happen with the repeatedly stated file permissions.
* as said by Brian - if someone is to the point of reading the file on your server and it's in 644 or 444 then the damage is already done. I am sure the JSST will give an appropriate answer which you can then feed back to the forum if you wish
So the question is: Why has someone from the outside been into the database? We believe it's one or more servers at {hostname} that have been hacked, and if that is the case you should admit it, instead of accusing your customers.

The Host wrote: I have documented that the chmod was set so the file was readable for all.

When chmod is set this way it does not require any outstanding hacker talent whatsoever. You have then opened up for all to read your MySQL password, and by that given access to do almost what they want to with your Joomla! installation.

This is what we are facing now, and it's not giving anyone here or in core any credits or glory, from this host. A host I know has hundreds/thousands of Joomla! users, as long as they dare staying Joomla! users ...

Btw: Link to the Secunia list the host "hold as evidence":
http://secunia.com/advisories/search/?s ... rt_by=date

- it tells us something about the host ... Lots of Joomla! extensions listed yes, but I didn't find much about Joomla! core in it: http://secunia.com/advisories/search/?s ... oomla+core

Re: A security issue with the handling of configuration.php?

Post by mandville » Sat Feb 06, 2010 2:26 pm

In my course of investigation I dug deep into the cpanel archive, I didn't dig directadmin, plesk or lxadmin as they are possibly not as common as cpanel. This is what I gathered.
There's no need to set the files to nobody so Apache can access them as Apache doesn't need the files to be owned by nobody for them to be accessible.
That's why the files are 644 or rw-r--r-- - that is, they're readable to everyone including Apache. Access control is enforced via the permissions on the public_html directory.

If you have a PHP script creating files, it will do so under the user's uid and gid and you should ensure that files and directories created have the world read bit set (ie mode 755 for directories and mode 644 for files). You'll only need to worry about this if these files are .html or .htm and are directly accessed by apache, which is unusual.

644 means that files are readable and writeable by the owner of the file and readable by users in the group owner of that file and readable by everyone else.
755 is the same thing, it just has the execute bit set for everyone. The execute bit is needed to be able to change into the directory. This is why directories are commonly set to 755.

Now in a suPHP environment, PHP files can just as easily be set to 600. This is because the PHP files are read by the web server as the username specified in the virtualhost section in Apache. In a non-suPHP environment though, PHP files are still read by the apache user and therefore would require a world-readable bit. Again, this would only apply to PHP parsed files, not regular .html or .htm files.

Most scripts have separate config files which include login information. And yes, for those files I would recommend that they are set to a permission setting of 600 to prevent others from reading it. Other PHP files could also be set to 600, but you're really not saving yourself anything if the PHP files have no critical information included. For example, setting the permissions to Wordpress's main index.php file to 600 kind of defeats the point because someone can just download Wordpress from Wordpress's site and read the index.php file.

suPHP and PHP as CGI really are not a standard. PHP developers cannot recommend to set the permissions on the files to 600 because if PHP is running as a DSO module on the server, then using 600 permissions will not work. This is one reason why I think suPHP and PHP as CGI should be standard on any shared hosting server, but the owner of that server or the owner of the account on that server needs to realize that it is important to set the permissions on these config files to 600 and ignore the recommendations in the software's specifications.



phpSuExec | suPHP
-----------------------
755 (owner:owner) Folders
600 (owner:owner) PHP Scripts
400 (owner:owner) Configuration Files (config.php, etc)
600 (owner:owner) Script files requiring WRITE access
640 (owner:nobody) Non-Script Files, HTML, Images, etc
750 (owner:nobody) CGI/Perl Scripts

If no access to setup group ownerships then set Non-Script files to 644 and CGI / Perl Scripts to 755


DSO (Apache Module)
--------------------------
750 (owner:nobody) Folders
640 (owner:nobody) PHP Scripts
640 (owner:nobody) Configuration Files (config.php, etc)
660 (owner:nobody) Script files needing to have "WRITE" access
640 (owner:nobody) Non-Script Files, HTML, Images, etc
750 (owner:nobody) CGI/Perl Scripts

If no access to setup group ownerships then set Folder to 755, PHP Scripts and Configs to 644, Non-Script files to 644, Write Files to 666, and CGI / Perl Scripts to 755

Under SuPHP (where the OWNER bit is relative), you can set PHP scripts as tightly as 0400 and they would work fine, though 0640 is most common.

0750 / 0755 Folders (OWNER = Owner Login : GROUP = nobody) / Alternate if not able to set GROUP

0600 General PHP Scripts

0400 Configuration Scripts (IE: config.php) and / or scripts that complain about being insecure or WRITABLE

0640 / 0644 General Files or Files that need WRITABLE access and this includes all your standard HTML files, Stylesheets, Images, Media Files, Etc.

*** These would be the ones the script authors tell you incorrectly to do 0777 ***

750 / 755 Perl / CGI Scripts
http://forums.cpanel.net/f5/permissions ... 39133.html is a good piece

I agree with your comment that the host looked at "Joomla" in general and decided that Joomla itself was a security risk, e.g. I add "spinners" to my Ford car that come off and injure someone, so all Ford cars are nasty.

Each server is different and we are still looking for the code where it changes the permission on files on saving. What "mask" does the host say they have their php.ini set at?

I know that Brad wrote a lovely piece on suphp and permissions but can't track it atm.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

rued
Joomla! Virtuoso
Posts: 4791
Joined: Fri Sep 16, 2005 10:23 pm
Location: Finland / Norway

Re: A security issue with the handling of configuration.php?

Post by rued » Sat Feb 06, 2010 2:59 pm

mandville wrote: what "mask" does the host say they have their php.ini set at?
Sorry, don't know what you put in "mask", could you please specify the question?
mandville wrote: I know that Brad wrote a lovely piece on suphp and permissions but can't track it atm.
Guess it's these blogs you're thinking of(?):
http://community.joomla.org/blogs/leade ... -time.html
http://community.joomla.org/blogs/leade ... en-up.html
http://community.joomla.org/blogs/leade ... oomla.html

(Note! This host quoted above was one of the first migrating to suPHP in Norway.)
Rune Rasmussen - http://www.syntaxerror.no
Norske nettløsninger og integrasjoner, CONSIGNOR EDI, Mamut ordreimport og produkteksport, kortbetaling og faktura m.m.

Norsk Joomla! - Norwegian Translation Team - http://www.norskjoomla.no

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: A security issue with the handling of configuration.php?

Post by mandville » Sat Feb 06, 2010 3:20 pm

rued wrote:
mandville wrote: what "mask" does the host say they have their php.ini set at?
Sorry, don't know what you put in "mask", could you please specify the question?
For mask/umask read
http://www.cyberciti.biz/tips/understan ... usage.html
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: A security issue with the handling of configuration.php?

Post by PhilD » Sat Feb 06, 2010 4:16 pm

what "mask" does the host say they have their php.ini set at?

Sorry, don't know what you put in "mask", could you please specify the question?
I was going to point to the wiki article on umask (http://en.wikipedia.org/wiki/Umask), but your link may be easier to understand. I used to see and refer to the article "that can't be found" all the time. I think it was in the security FAQs for 1.0.xx and has now disappeared. I always thought it was written by Russ, but may have been written by Brad. It was a good article.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

rued
Joomla! Virtuoso
Posts: 4791
Joined: Fri Sep 16, 2005 10:23 pm
Location: Finland / Norway

Re: A security issue with the handling of configuration.php?

Post by rued » Sun Feb 07, 2010 2:10 pm

mandville wrote: what "mask" does the host say they have their php.ini set at?
Host wrote: We have not set any umask for php.ini

Standard umask is 0022 ... etc etc ...
Rune Rasmussen - http://www.syntaxerror.no
Norske nettløsninger og integrasjoner, CONSIGNOR EDI, Mamut ordreimport og produkteksport, kortbetaling og faktura m.m.

Norsk Joomla! - Norwegian Translation Team - http://www.norskjoomla.no
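
The thread's two technical points, that a file written under the default umask 0022 ends up 0644 and that under suPHP configuration files should be 0400 with nothing world-writable, can be checked with a short script. This is an added example, not code from any poster or from Joomla!; it assumes GNU or BusyBox find, and the config file names and function names are illustrative.

```shell
#!/bin/sh
# Added example: audit and tighten a web root under suPHP/phpSuExec.
# Assumptions: find supports -perm /MODE; config file names are examples.
CONFIG_NAMES='configuration.php config.php'

# Print one finding per line: "<RULE> <path>".
audit_suphp_tree() {
    root=$1
    for name in $CONFIG_NAMES; do
        # Any group/other bit lets another account on the host read the credentials.
        find "$root" -type f -name "$name" -perm /077 | sed 's/^/CONFIG_EXPOSED /'
    done
    # World-writable files or folders (0666/0777) are not needed under suPHP.
    find "$root" ! -type l -perm -002 | sed 's/^/WORLD_WRITABLE /'
}

# Apply the scheme from the thread: config 0400, no group/other write bit.
harden_suphp_tree() {
    root=$1
    for name in $CONFIG_NAMES; do
        find "$root" -type f -name "$name" -exec chmod 0400 {} +
    done
    find "$root" ! -type l -perm -002 -exec chmod go-w {} +
}

# Constructed sample tree: files written the way a PHP installer would write
# them under the default umask 0022, plus one folder opened up to 0777.
make_sample_tree() {
    base=$(mktemp -d)
    (
        umask 0022
        mkdir -p "$base/site/cache"
        printf '%s\n' '<?php /* constructed: DB credentials */' > "$base/site/configuration.php"
        printf '%s\n' '<?php echo "hello";' > "$base/site/index.php"
    )
    chmod 0777 "$base/site/cache"
    printf '%s\n' "$base/site"
}

# Usage: sh audit.sh /path/to/webroot
if [ $# -gt 0 ]; then
    audit_suphp_tree "$1"
fi
```

On a DSO (mod_php) host the 0400 setting would make the file unreadable to the web server, so `harden_suphp_tree` applies only to suPHP/phpSuExec setups.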

