iniscan's Issues

Error for deprecated directives like "magic_quotes_gpc"

I'm using the latest version of iniscan and PHP 5.5. My php.ini file does not contain any deprecated directives but iniscan reports errors for them (I've filed a similar issue last year: #47).

$ vendor/bin/iniscan scan
== Executing INI Scan [08.11.2014 07:11:55] ==

Results for /etc/php/cli-php5.5/php.ini:
============
Status | Severity | PHP Version | Key                      | Description
----------------------------------------------------------------------
...
FAIL   | ERROR    |             | magic_quotes_gpc         | Magic quotes automatically adds quotes to incoming data ('Off' recommended)
FAIL   | ERROR    |             | magic_quotes_runtime     | Magic quotes should be disabled at runtime in addition to being off for incoming data
...
FAIL   | ERROR    |             | safe_mode                | It's not actually 'safe' ('Off' recommended)
...

19 passing
5 failure(s) and 13 warnings

Where in the source code does iniscan check if a configuration directive exists in php.ini?

The configuration file could not be found

I tried the following and it gives me the below error

curl -LSs http://box-project.org/installer.php | php
php box.phar build

[RuntimeException]
The configuration file could not be found.

build [-c|--configuration="..."]

I also tried the following but looks like configuration is some kind of json file
php box.phar build --configuration="/etc/php5/cli/php.ini"

config-file-scan-dir ini files missed, which may contain additional config

Since PHP includes additional ini files at runtime using --with-config-file-scan-dir, some configuration might be missed.

This kind of thing can be detected in the PHP instance for the currently loaded ini settings using php_ini_scanned_files().

They usually contain extension config, but could additionally set base PHP ini settings.

Add ruleset contexts

Consider providing different contexts for rulesets ("development" vs "staging" vs "production") if this doesn't already exist.

Scan returns incorrect results for missing php.ini directives

If the php.ini doesn't define all directives that are checked, the scan will produce an incorrect result if the rule requires a value the same as the PHP default.

Example:

Environment is PHP 5.3 on Mac OX 10.8

$ php -v
PHP 5.3.15 with Suhosin-Patch (cli) (built: Dec  9 2012 19:32:02) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

The ini file in use is empty except for section headers (due to #57) :

$ head -5 php.ini.sections-only 
[PHP]
[Date]
[filter]
[iconv]
[intl]

When PHP is run with this ini file, safe_mode is Off (the default in 5.3).

$ php -i -c php.ini.sections-only | grep '^safe_mode =>'
safe_mode => Off => Off

The scan output shows "FAIL" for safe_mode:

$ bin/iniscan scan --path=php.ini.sections-only --fail-only

Results for php.ini.sections-only:
============
Status | Severity | Key                      | Description
----------------------------------------------------------------------
FAIL   | ERROR    | session.use_cookies      | Accepts cookies to manage sessions
FAIL   | ERROR    | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link
FAIL   | WARNING  | session.cookie_domain    | It is recommended that you set the default domain for cookies.
FAIL   | ERROR    | session.cookie_httponly  | Setting session cookies to 'http only' makes them only readable by the browser
FAIL   | ERROR    | session.use_trans_sid    | If used 'use_trans_sid' setting puts the session ID on the URL, making it easier to hijack
FAIL   | ERROR    | session.cookie_secure    | Cookie secure specifies whether cookies should only be sent over secure connections.
FAIL   | ERROR    | allow_url_fopen          | Do not allow the opening of remote file resources ('Off' recommended)
FAIL   | ERROR    | allow_url_include        | Do not allow the inclusion of remote file resources ('Off' recommended)
FAIL   | WARNING  | display_errors           | Don't show errors in production ('Off' recommended)
FAIL   | WARNING  | log_errors               | Log errors in production ('On' recommended)
FAIL   | ERROR    | magic_quotes_gpc         | Magic quotes automatically adds quotes to incoming data ('Off' recommended)
FAIL   | ERROR    | magic_quotes_runtime     | Magic quotes should be disabled at runtime in addition to being off for incoming data
FAIL   | ERROR    | safe_mode                | It's not actually 'safe' ('Off' recommended)
FAIL   | WARNING  | max_input_vars           | A maximum number of input variables should be defined to prevent performance issues
FAIL   | WARNING  | display_startup_errors   | Showing startup errors could provide extra information to potential attackers
FAIL   | WARNING  | open_basedir             | Restricting PHP's access to the file system to a certain directory prevents file-based attacks in unauthorized areas.
FAIL   | WARNING  | error_reporting          | Error reporting should be different based on context, off in production
FAIL   | WARNING  | upload_max_filesize      | A maximum upload size should be defined to prevent server overload from large requests
FAIL   | WARNING  | memory_limit             | A memory limit should be defined to prevent server overload from large processes
FAIL   | WARNING  | disable_functions        | Methods still enabled - exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec

8 passing
20 failure(s)

Add check for max_input_vars

Limiting the max_input_vars to something reasonable can help prevent things like DoS from overloading. Should be a "warning".

Have process return a valid CLI code

If the scan passes, one code should be returned (?) and on any failures another.

Not sure offhand what these should be or if the Symfony Console component supports these return codes. This is so that other apps running it can determine pass/fail without needing to parse the output.

Problem installing on PHP 7 (ocramius/instantiator dependency)

Hi,

There is a problem when installing using composer global:

  • ocramius/instantiator 1.1.2 requires php ~5.3 -> your PHP version (7.0.3) or "config.platform.php" value does not satisfy that requirement.

because of the out-of-date dependency ocramius/instantiator, which is apparently abandoned:

This package is abandoned and no longer maintained. The author suggests using the doctrine/instantiator package instead.

BR,
Peter

Add crowd-sourcing of rulesets

Consider creating a website or other such interface to allow user submissions of rulesets for inclusion in the scanner, and then crowd-source their validity or correctness (via voting or other such mechanism).

Scan fails with missing ini sections

This particular example is overkill, but it displays the problem:

$ touch php.ini.empty
$ bin/iniscan scan --path=php.ini.empty 
   ERROR:                    
   [0] Unknown section Session

Duplicate "post_max_size" rule

This rule exists in two places:

  1. https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/rules.json (twice)
  2. https://github.com/psecio/iniscan/blob/master/src/Psecio/Iniscan/Rule/MaximumPostSize.php
== Executing INI Scan [09.02.2014 12:47:18] ==
...
FAIL   | WARNING  |             | post_max_size            | Unless necessary, a maximum post size of 16M is too large
...
PASS   | WARNING  |             | post_max_size            | A maximum post size should be defined to prevent server overload from large requests
FAIL   | WARNING  |             | post_max_size            | The max upload size should not be too high, to prevent server overload from large requests
...

The first and third warning are duplicates.

allow for addition of custom checks

There may be custom settings you want to check in the php.ini, so there should be a way to add in these without having to update the rules.json configuration.

Add "env" option to the scanner

By default, iniscan assumes a production environment so its reports are the strictest. Since this may not always be the desired environment, an "env" option should be added as well as functionality to relax some checks when the env is set to a non-"PROD" environment.

Support for php-fpm.conf

Quite a few settings are defined per pool when using PHP-FPM, so only scanning php.ini doesn't give the full picture.

Add "threshold" option

There should be an option added to the "scan" command to only show things at or above the threshold that failed.

For example:
./bin/iniscan scan --path=/path/to/php.ini --threshold=ERROR

would show ERRORs and above (FATAL?)

Add some descriptions to the checks

It would be nice to have a verbose mode, with some text why the current value is bad and why the recommended setting is a good one. Also some further reading (Links to articles for this issue) would be nice.

allow_url_include value unrecognized

In my php.ini

allow_url_fopen = Off
allow_url_include = Off

For this, iniscan gives:

FAIL   | ERROR    | allow_url_fopen          | Do not allow the opening of remote file resoources ('Off' recommended)
FAIL   | ERROR    | allow_url_include        | Do not allow the inclusion of remote file resources ('Off' recommended)

If I change php.ini like so:

allow_url_fopen = 'Off'
allow_url_include = 'Off'

iniscan gives an odd result:

PASS   | ERROR    | allow_url_fopen          | Do not allow the opening of remote file resoources ('Off' recommended)
PASS   | ERROR    | allow_url_include        | Do not allow the inclusion of remote file resources ('Off' recommended)

Btw, using 0 (zero) values gives the same result as the first one.

False warning about "deprecated configuration items"

I'm using PHP 5.4(.21) and none of the following 5 directives that iniscan complains about exist in my php.ini:

WARNING: deprecated configuration items found:
-> register_globals
-> magic_quotes_gpc
-> magic_quotes_runtime
-> safe_mode
-> register_long_arrays

Xdebug disabled

For additional security in a production environment, if Xdebug is installed it should be turned off.

xdebug.remote_enable=1

setup

Probably not the worst idea to make people aware of the global require:

$ ./composer.phar global require "psecio/iniscan=dev-master"

Uses ~/.composer/composer.json, then invoke with:

$ ~/.composer/vendor/bin/iniscan

Update rules find to be recursive

Right now the "get rules" only looks in one directory, but there will soon be nested checks (a CVE directory), so the find needs to use something like a RecursiveDirectoryIterator to find things under Psecio/Iniscan/Rule.

Changing some of the functionality into a Bundle?

I'm not overly familiar with the bundling system Symfony implements, so I thought I'd put out a suggestion to those more Symfony-minded to see if it made sense to move some of the current functionality into a reusable bundle. The commands all use the Symfony Console component already.

Not sure if it'd be worth the work or not...I'd love some input on it.

report on config that should no longer be there

As we have a "deprecated" array defined in the json, the tool should be able to look at the PHP version it's currently using and the one the setting was deprecated in to see if it should be removed.

For example, if you're using PHP 5.4 you no longer even need a "register_globals" or "magic_quotes_gpc" setting as they are deprecated to be removed.

This information should be included in the normal output, not via a thrown exception or anything.
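The four reports above (the magic_quotes/safe_mode errors, the sections-only php.ini, the false "deprecated configuration items" warning and the request to report stale directives) share one root: a directive that is absent from the scanned file is not a failure by itself, because PHP falls back to its compiled-in default (or to another loaded ini file), and a removed directive is only worth reporting when it is literally present in the file. The script below is an added example, not iniscan's code: it reads the file to learn which keys it sets, starts a fresh PHP that loads only that file to obtain the effective value of every directive, and then judges the effective value while reporting where it came from. It assumes PHP_BINARY is the interpreter the file is meant for, that a POSIX shell is available, and that the two rule tables are illustrative; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from iniscan. A directive missing from the scanned file
// takes PHP's default, so (1) read the file to learn which keys it sets, (2) ask PHP
// itself what each directive resolves to with only that file loaded, (3) judge the
// effective value and say whether it came from the file or from the default.
// Assumptions: PHP_BINARY is the interpreter the file targets; POSIX shell; the
// rule tables are illustrative.

// Directives PHP removed in 5.4.0; a file that still sets them carries stale config.
const REMOVED_IN = [
    'register_globals'     => '5.4.0',
    'magic_quotes_gpc'     => '5.4.0',
    'magic_quotes_runtime' => '5.4.0',
    'safe_mode'            => '5.4.0',
    'register_long_arrays' => '5.4.0',
];

// Boolean rules: directive => value the rule wants.
const WANT_FLAG = [
    'safe_mode'         => false,
    'allow_url_include' => false,
    'expose_php'        => false,
    'log_errors'        => true,
];

/**
 * Start a fresh PHP that loads only $iniPath (the scan dir is disabled by an empty
 * PHP_INI_SCAN_DIR) and return directive => effective value. Directives this PHP
 * no longer knows are simply absent from the result.
 */
function effectiveValues(string $iniPath): array
{
    $probe = 'echo json_encode(ini_get_all(null, false), JSON_PARTIAL_OUTPUT_ON_ERROR);';
    $cmd = 'PHP_INI_SCAN_DIR= ' . escapeshellarg(PHP_BINARY)
         . ' -c ' . escapeshellarg($iniPath)
         . ' -d display_errors=stderr'            // keep startup warnings out of the JSON
         . ' -r ' . escapeshellarg($probe);
    $values = json_decode((string) shell_exec($cmd), true);
    if (!is_array($values)) {
        throw new RuntimeException("probe failed: $cmd");
    }
    return $values;
}

/** One row per rule: [directive, status, detail]. */
function scanIni(string $iniPath): array
{
    $inFile = parse_ini_file($iniPath, false, INI_SCANNER_RAW);   // keys literally in the file
    if ($inFile === false) {
        throw new RuntimeException("cannot parse $iniPath");
    }
    $live = effectiveValues($iniPath);
    $rows = [];

    foreach (WANT_FLAG as $key => $want) {
        if (!array_key_exists($key, $live)) {
            $rows[] = [$key, 'SKIP', 'not a directive in PHP ' . PHP_VERSION];
            continue;
        }
        // ini_get() reports "" for an Off written in a file and "0"/"1" for compiled
        // defaults; FILTER_VALIDATE_BOOLEAN accepts every spelling and gives null for junk.
        $have   = filter_var($live[$key], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        $source = array_key_exists($key, $inFile) ? 'set in file' : 'PHP default';
        $rows[] = [$key, $have === $want ? 'PASS' : 'FAIL',
                   'effective=' . var_export($live[$key], true) . " ($source)"];
    }
    foreach (REMOVED_IN as $key => $gone) {
        if (array_key_exists($key, $inFile) && version_compare(PHP_VERSION, $gone, '>=')) {
            $rows[] = [$key, 'WARN', "present in file but removed in PHP $gone"];
        }
    }
    return $rows;
}

// --- Demo: a constructed file that sets two directives and omits the rest ---
$ini = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($ini, "[PHP]\nlog_errors = On\nsafe_mode = Off\n[Session]\n");
foreach (scanIni($ini) as [$key, $status, $detail]) {
    printf("%-5s %-18s %s\n", $status, $key, $detail);
}
unlink($ini);
```

On a current PHP the run shows expose_php failing because of the PHP default (the file never mentions it), allow_url_include passing for the same reason, safe_mode skipped as a directive this PHP does not have, and a separate WARN because the file still sets it. On the PHP 5.3 of the report, safe_mode would instead have resolved to its default Off and passed.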

PHP warnings when using memcache session handler

Hey,

I get the following warnings when using the scan command with a php.ini that has memcache session handlers configured:

$ vendor/bin/iniscan scan --path=php.ini
Warning: fileperms(): Unable to find the wrapper "tcp" - did you forget to enable it when you configured PHP? in /home/patryk/composer/vendor/psecio/iniscan/src/Psecio/Iniscan/Rule/CheckSessionPath.php on line 24
Warning: fileperms(): Unable to find the wrapper "tcp" - did you forget to enable it when you configured PHP? in /home/patryk/composer/vendor/psecio/iniscan/src/Psecio/Iniscan/Rule/CheckSessionPath.php on line 24
Warning: fileperms(): stat failed for tcp://127.0.0.1:11211 in /home/patryk/composer/vendor/psecio/iniscan/src/Psecio/Iniscan/Rule/CheckSessionPath.php on line 24

Cheers,
Patryk

Make "web enabled" example

Since the CLI configuration can be separate from the web configuration, an example of using it in a web-facing environment needs to be made.

Expose PHP flag error

Hi I have got expose_php = Off in my php.ini, but the tool shows:

FAIL   | WARNING  | expose_php : Showing the PHP signature exposes additional information

My PHP version: 5.4.21
Is this a bug?

Add custom rule check for CVE-2012-1823

CVE-2012-1823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
http://www.exploit-db.com/exploits/29290/

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

Add support for configuration dirs

PHP has a setting, which is set by default on e.g. Debian/Ubuntu, to load additional configuration files.

Looking at the output of iniscan scan --help I don't see an easy way to mimic this behavior quickly.

Suggestion: let --path also accept a directory by automatically reading all *.ini files in there; that's how PHP itself works

Another observation / suggestion:
Since providing a file/dir (=path) is essentially the required thing to perform anything useful I would suggest to simply drop the --path option and use Symfony's arguments, which don't require that prefix, effectively turning

iniscan scan --path foo.ini into iniscan scan foo.ini

This would also make it easier to specify multiple files, e.g. iniscan scan /etc/php5/cli/conf.d/*.ini
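The two reports on config-file-scan-dir (the one above and "config-file-scan-dir ini files missed" earlier) describe the same gap: PHP loads the main php.ini first, then every file ending in .ini in the scan directory in alphabetical order, later files overriding earlier ones, so a scanner that reads only php.ini never sees those overrides. The script below is an added example, not iniscan's code. It assembles the merged directive set in PHP's load order, records which file supplied each value (the detail a finding should carry), and lists the files the running PHP actually loaded via php_ini_loaded_file() and php_ini_scanned_files() for comparison. The directory layout is constructed for the demo.

```php
<?php
// Added example, not code from iniscan: assemble the directive set PHP actually
// sees when --with-config-file-scan-dir or PHP_INI_SCAN_DIR is in effect.
// Load order: main php.ini, then *.ini in the scan dir alphabetically, later
// files winning. The layout created below is constructed for the demo.

/** The files PHP would read, in load order. */
function iniFilesInOrder(?string $mainIni, ?string $scanDir): array
{
    $files = [];
    if ($mainIni !== null && is_file($mainIni)) {
        $files[] = $mainIni;
    }
    if ($scanDir !== null && is_dir($scanDir)) {
        $extra = glob(rtrim($scanDir, '/') . '/*.ini') ?: [];
        sort($extra, SORT_STRING);      // alphabetical, like PHP's scan
        $files = array_merge($files, $extra);
    }
    return $files;
}

/**
 * Merge the files in order. Returns [values, origin]; origin[key] is the file
 * whose value won. Sections are ignored (process_sections=false), values kept raw.
 */
function mergeIniFiles(array $files): array
{
    $values = [];
    $origin = [];
    foreach ($files as $file) {
        $parsed = parse_ini_file($file, false, INI_SCANNER_RAW);
        if ($parsed === false) {
            throw new RuntimeException("cannot parse $file");
        }
        foreach ($parsed as $key => $value) {
            $values[$key] = $value;
            $origin[$key] = $file;
        }
    }
    return [$values, $origin];
}

/** The files the *running* PHP loaded, to compare with what was scanned. */
function runningPhpIniFiles(): array
{
    $files = [];
    $main = php_ini_loaded_file();
    if ($main !== false) {
        $files[] = $main;
    }
    $scanned = php_ini_scanned_files();           // comma-separated list, or false
    if (is_string($scanned) && $scanned !== '') {
        foreach (explode(',', $scanned) as $f) {
            if (trim($f) !== '') {
                $files[] = trim($f);
            }
        }
    }
    return $files;
}

// --- Demo layout, constructed under the system temp dir ---
$root = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir("$root/conf.d", 0700, true);
file_put_contents("$root/php.ini", "[PHP]\ndisplay_errors = Off\nexpose_php = Off\n");
file_put_contents("$root/conf.d/10-debug.ini", "display_errors = On\n");       // overrides php.ini
file_put_contents("$root/conf.d/20-xdebug.ini", "xdebug.remote_enable = 1\n"); // only visible here

$files = iniFilesInOrder("$root/php.ini", "$root/conf.d");
[$values, $origin] = mergeIniFiles($files);
foreach ($values as $key => $value) {
    printf("%-22s = %-4s (from %s)\n", $key, $value, basename($origin[$key]));
}
echo 'files loaded by this PHP: ', implode(', ', runningPhpIniFiles()) ?: '(none)', "\n";

foreach (array_reverse($files) as $f) {
    unlink($f);
}
rmdir("$root/conf.d");
rmdir($root);
```

The demo prints display_errors = On attributed to 10-debug.ini even though php.ini says Off, and an xdebug.remote_enable that php.ini alone would never reveal; both are exactly the findings a php.ini-only scan misses.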

Output reporting in different formats

Right now the output reports as formatted plain text in stdout. An "output" option should be added to the "scan" command to allow for export to:

XML
(others?)

to make for easier parsing by other tools.

Add warning if soap.wsdl_cache_dir is not set for PHP <= 5.6.7 (or if it is set to /tmp at all)

The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.

Relevant to this released CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6501

Add check for CVE-2013-1635 (only for 5.3.22 and 5.4.x before 5.4.13)

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

validate that if open_basedir is in effect that the soap.wsdl_cache_dir is inside it

http://www.cvedetails.com/cve/CVE-2013-1635/
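Three of the issues above (CVE-2012-1823, the soap.wsdl_cache_dir default of /tmp, and CVE-2013-1635) ask for checks that only apply to particular PHP versions or SAPIs, which is a different shape from the value-comparison rules elsewhere on this page. The block below is an added example, not iniscan's code. The affected version ranges are copied from the CVE texts quoted in the issues; SAPI name and ini values are passed in as parameters because a file scanner cannot know them, and the sample inputs are constructed.

```php
<?php
// Added example, not iniscan's code: version-gated rules for the three CVE issues
// above. Ranges come from the quoted CVE texts; SAPI and ini values are inputs.

// Per CVE, the affected branches as [lower bound inclusive, upper bound exclusive].
const AFFECTED = [
    'CVE-2012-1823' => [['5.0.0', '5.3.12'], ['5.4.0', '5.4.2']],  // php-cgi only
    'CVE-2013-1635' => [['5.0.0', '5.3.22'], ['5.4.0', '5.4.13']],
    'CVE-2013-6501' => [['5.0.0', '5.6.8']],                         // "through 5.6.7"
];

function inAffectedRange(string $version, array $ranges): bool
{
    foreach ($ranges as [$lo, $hi]) {
        if (version_compare($version, $lo, '>=') && version_compare($version, $hi, '<')) {
            return true;
        }
    }
    return false;
}

/** @return string[] findings (empty when nothing applies) */
function cveFindings(string $phpVersion, string $sapi, array $ini): array
{
    $out = [];

    if (in_array($sapi, ['cgi', 'cgi-fcgi'], true)
        && inAffectedRange($phpVersion, AFFECTED['CVE-2012-1823'])) {
        $out[] = "CVE-2012-1823: php-cgi $phpVersion accepts interpreter command-line options from the query string; upgrade.";
    }

    // Engine defaults: WSDL cache enabled and stored in /tmp (the shipped php.ini files set the same).
    $cacheEnabled = filter_var($ini['soap.wsdl_cache_enabled'] ?? '1', FILTER_VALIDATE_BOOLEAN);
    $cacheDir     = $ini['soap.wsdl_cache_dir'] ?? '/tmp';
    if ($cacheEnabled && rtrim($cacheDir, '/') === '/tmp') {
        $note = !isset($ini['soap.wsdl_cache_dir']) && inAffectedRange($phpVersion, AFFECTED['CVE-2013-6501'])
              ? ' (left at the default shipped with this version)' : '';
        $out[] = "CVE-2013-6501: soap.wsdl_cache_dir is the shared /tmp$note; point it at a directory only the PHP process user can write to.";
    }

    if (($ini['open_basedir'] ?? '') !== ''
        && inAffectedRange($phpVersion, AFFECTED['CVE-2013-1635'])) {
        $out[] = "CVE-2013-1635: PHP $phpVersion does not confine soap.wsdl_cache_dir to open_basedir; verify the cache dir lies inside it or upgrade.";
    }
    return $out;
}

// --- Demo with constructed inputs ---
$samples = [
    ['5.3.3',  'cgi-fcgi', ['open_basedir' => '/var/www']],
    ['5.4.10', 'fpm-fcgi', ['open_basedir' => '/var/www']],
    ['7.4.33', 'fpm-fcgi', ['soap.wsdl_cache_dir' => '/var/cache/php/wsdl']],
];
foreach ($samples as [$version, $sapi, $ini]) {
    $findings = cveFindings($version, $sapi, $ini);
    echo "PHP $version ($sapi): ", $findings ? "\n  - " . implode("\n  - ", $findings) : 'no version-gated findings', "\n";
}
```

The first sample trips all three rules, the second only the two that do not depend on the CGI SAPI, and the third none, which is the behaviour a scanner needs so that a fixed PHP is not nagged about vulnerabilities it no longer has.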

security.limit_extensions ?

Wouldn't security.limit_extensions = .php .php3 .php4 .php5 also be useful? Perhaps a warning about cgi.fix_pathinfo?

Define reasonable amount of memory_limit and max_upload_size

Right now it's only checked if these values are set, but not if it's a reasonable amount. Imho a memory_limit in a php.ini of 1GB or something like that is too much and dangerous, but that also strongly depends on the application.

I would suggest we check for values greater than the PHP default settings (i.e. 128M for memory_limit), and then show a warning, because someone should really think twice of increasing these.

What are your ideas on that?
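Comparing these values against the defaults first requires reading php.ini size shorthand the way the engine does: it takes the leading integer and then looks only at the last character for a K, M or G multiplier (case-insensitive); anything else means bytes, so "1MB" is one byte and "0.5M" is zero. The block below is an added example, not iniscan's code: a shorthand parser with those semantics, a comparison against the stock defaults named in the discussion (taken here as assumptions from php.ini-production), and the ordering PHP documents between upload_max_filesize, post_max_size and memory_limit. The sample values are constructed.

```php
<?php
// Added example, not iniscan's code: parse php.ini size shorthand like the engine
// (integer prefix, multiplier taken from the LAST character only) and warn on
// values above the stock defaults, unlimited values, typos and bad ordering.
// Defaults are assumed php.ini-production values.

const STOCK_DEFAULTS = [
    'memory_limit'        => '128M',
    'post_max_size'       => '8M',
    'upload_max_filesize' => '2M',
];

/** Shorthand to bytes. A negative value (memory_limit = -1) is returned as -1. */
function iniBytes(string $value): int
{
    $value = trim($value);
    $n = (int) $value;                  // like strtol(): digits up to the first non-digit
    if ($n < 0) {
        return -1;
    }
    switch (strtolower(substr($value, -1))) {
        case 'g': return $n * 1024 * 1024 * 1024;
        case 'm': return $n * 1024 * 1024;
        case 'k': return $n * 1024;
        default:  return $n;            // "1MB" ends in "b": one byte
    }
}

/** Warnings for oversized, unlimited or mistyped values and for the documented ordering. */
function sizeWarnings(array $ini): array
{
    $warn  = [];
    $bytes = [];
    foreach (STOCK_DEFAULTS as $key => $default) {
        $raw = $ini[$key] ?? $default;         // absent => the default applies
        $b   = iniBytes($raw);
        $bytes[$key] = $b;
        if ($b === -1 || ($key === 'post_max_size' && $b === 0)) {
            $warn[] = "$key = $raw is unlimited";
        } elseif ($b > iniBytes($default)) {
            $warn[] = "$key = $raw is above the stock default $default; confirm the application needs it";
        } elseif ($b < 1024 && strlen($raw) > 1) {
            // Heuristic of this example: sub-kilobyte limits are almost always typos.
            $warn[] = "$key = $raw parses as $b byte(s); probably a typo such as \"1MB\" or \"0.5M\"";
        }
    }
    // Documented ordering: upload_max_filesize <= post_max_size <= memory_limit.
    if ($bytes['post_max_size'] > 0 && $bytes['upload_max_filesize'] > $bytes['post_max_size']) {
        $warn[] = 'upload_max_filesize exceeds post_max_size, so uploads of that size can never succeed';
    }
    if ($bytes['memory_limit'] !== -1 && $bytes['post_max_size'] > $bytes['memory_limit']) {
        $warn[] = 'post_max_size exceeds memory_limit';
    }
    return $warn;
}

// --- Demo with constructed values ---
$demo = ['memory_limit' => '1G', 'upload_max_filesize' => '64M', 'post_max_size' => '1MB'];
foreach (sizeWarnings($demo) as $w) {
    echo "WARNING: $w\n";
}
```

The demo shows the two kinds of finding the issue asks for (memory_limit and upload_max_filesize above the defaults) plus the one that is easy to miss: post_max_size = 1MB is a one-byte limit, which also breaks the ordering rule.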

PHP version check

How do you feel about adding a list of PHP versions and their vulnerability states (can be used to warn the user if his PHP version needs to be updated)? Would need to either store a resource file (would become outdated quickly) with this data or use an external source to pull a fresh list periodically.

Scan::parseConfig() missing argument

Running command:

$ bin/iniscan scan --path=/path/to/php.ini

End with warning:
PHP Warning: Missing argument 1 for Psecio\Iniscan\Scan::parseConfig(), called in /.../iniscan/src/Psecio/Iniscan/Scan.php on line 80 and defined in /.../iniscan/src/Psecio/Iniscan/Scan.php on line 66

Support for open_basedir containing more than one path

Currently, if your open_basedir contains more than one path, for example:

open_basedir="/var/www:/php/tmp_cache"

constraints included in CheckSoapWsdlCacheDir and CheckUploadTmpDir are not passing at:

    if ($openBasedir === false) {
        $this->setDescription('The open_basedir did not resolve to a valid directory');
        $this->fail();
        return false;
    }

due to realpath usage, which returns false for comma-separated paths:

    $openBasedir = realpath($openBasedir);

The idea is to split $openBasedir by PATH_SEPARATOR into an array of $openBasedirPaths and to check each one of them against included rules.

The question is, how should I treat it. If one of the paths === false, should the entire test fail? Or maybe all of them should be equal to false?

What do you think about it? I can prepare an appropriate patch tomorrow.
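The containment check this issue and the CVE-2013-1635 issue above both want has to follow PHP's own open_basedir semantics rather than realpath() on the whole string: the value is split on PATH_SEPARATOR, each entry is resolved and compared as a string prefix, and only an entry written with a trailing separator is treated as "this directory and below" (so "/var/www" also covers "/var/www_other"). The block below is an added example, not iniscan's CheckSoapWsdlCacheDir or CheckUploadTmpDir code. On the question raised in the issue it takes one defensible answer: an entry that does not resolve protects nothing, so it is reported and the remaining entries are still checked, instead of the whole test failing. It assumes a POSIX filesystem; the demo directories are created under the system temp dir and removed afterwards.

```php
<?php
// Added example, not iniscan's code: is a directory inside a multi-entry
// open_basedir? Mirrors PHP's check: split on PATH_SEPARATOR, realpath() each
// entry, compare as a string prefix; a trailing separator means directory
// semantics. Unresolvable entries are reported, not fatal (this example's choice).

/** @return array{inside: bool, matched: ?string, unresolved: string[]} */
function withinOpenBasedir(string $target, string $openBasedir): array
{
    $realTarget = realpath($target);
    if ($realTarget === false) {
        return ['inside' => false, 'matched' => null, 'unresolved' => [$target]];
    }
    $unresolved = [];
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        $prefix = realpath($entry);
        if ($prefix === false) {
            $unresolved[] = $entry;
            continue;
        }
        $candidate = $realTarget;
        if (substr($entry, -1) === DIRECTORY_SEPARATOR) {
            // Directory semantics: "/var/www/" must not match "/var/www_other".
            $prefix    = rtrim($prefix, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
            $candidate = $realTarget . DIRECTORY_SEPARATOR;   // lets "/var/www" itself match
        }
        if (strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return ['inside' => true, 'matched' => $entry, 'unresolved' => $unresolved];
        }
    }
    return ['inside' => false, 'matched' => null, 'unresolved' => $unresolved];
}

/** Rule wrapper: PASS when no open_basedir is set, otherwise check $dirKey (or its default). */
function checkDirInsideBasedir(array $ini, string $dirKey, string $default): string
{
    $basedir = $ini['open_basedir'] ?? '';
    if ($basedir === '') {
        return 'PASS (open_basedir not set)';
    }
    $r = withinOpenBasedir($ini[$dirKey] ?? $default, $basedir);
    $note = $r['unresolved'] ? '; unresolvable entries: ' . implode(', ', $r['unresolved']) : '';
    return ($r['inside'] ? "PASS ($dirKey inside " . $r['matched'] . ')'
                         : "FAIL ($dirKey outside open_basedir)") . $note;
}

// --- Demo on constructed directories ---
$base  = sys_get_temp_dir() . '/obd_demo_' . getmypid();
$www   = "$base/www";
$www2  = "$base/www_other";         // shares the string prefix "www" with $www
$cache = "$base/php/wsdl_cache";
foreach ([$www, $www2, $cache] as $dir) {
    mkdir($dir, 0700, true);
}
$multi = implode(PATH_SEPARATOR, ['/nonexistent/base', $www, "$base/php"]);
echo checkDirInsideBasedir(['open_basedir' => $multi,   'soap.wsdl_cache_dir' => $cache], 'soap.wsdl_cache_dir', '/tmp'), "\n";
echo checkDirInsideBasedir(['open_basedir' => $www,     'upload_tmp_dir' => $www2], 'upload_tmp_dir', sys_get_temp_dir()), "\n"; // prefix: accepted
echo checkDirInsideBasedir(['open_basedir' => "$www/",  'upload_tmp_dir' => $www2], 'upload_tmp_dir', sys_get_temp_dir()), "\n"; // trailing slash: rejected
foreach ([$cache, "$base/php", $www2, $www, $base] as $dir) {
    rmdir($dir);
}
```

The first line passes via the third entry while naming the unresolvable first one; the second and third lines show the prefix-versus-directory difference, which is worth surfacing in a scan because an open_basedir written without a trailing separator is wider than most administrators expect.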

Add composer.lock into repository

composer.lock file helps developers by "locking" external dependencies to certain version so that each developer will use the exact same versions.

expose_php check doesn't work right

Hi,

I just installed the latest version of iniscan (ab4b5a7) and I noticed an issue scanning my INI file.

Here's the command I ran:

./vendor/bin/iniscan scan --path /etc/php5/fpm/php.ini

And this line in the output is the issue:

FAIL | WARNING | expose_php | Showing the PHP signature exposes additional information

I went to fix that, but saw that I already had expose_php turned off:

vagrant@precise64:~/tmp$ cat /etc/php5/fpm/php.ini |grep -i expose_php
;expose_php = On
expose_php = Off

I'm not clear if the leading semi-colon on the first line isn't being filtered out, or if something else is at play, but I wanted to let you know.

Thanks for your time,

-- Doug
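This report and the earlier "allow_url_include value unrecognized" one show the same symptom from two angles: a value written as Off fails, the same value written as 'Off' passes, 0 fails, and an expose_php = Off beneath a commented-out ";expose_php = On" fails. PHP's own ini scanner explains the spellings: a line starting with ";" is a comment; in INI_SCANNER_NORMAL mode an unquoted On/Yes/True becomes "1" and Off/No/False/None becomes "" while a quoted 'Off' stays the string "Off"; in INI_SCANNER_TYPED mode unquoted booleans become true/false. Any rule that compares the literal text to "Off" therefore gets exactly the results reported. The block below is an added example, not iniscan's code: it parses a constructed ini text in both modes and applies a normaliser that compares meaning rather than text, with an explicit verdict for absent and unrecognisable values.

```php
<?php
// Added example, not iniscan's code: how PHP's ini scanner reads the spellings
// from the two reports, plus a normaliser that treats them all alike.
// The ini text is constructed for the demo.

const SAMPLE_INI = <<<'INI'
; a commented-out directive is ignored, whatever it says
;expose_php = On
expose_php = Off
allow_url_fopen = Off
allow_url_include = 'Off'
display_errors = 0
session.cookie_secure = maybe
INI;

/** Parse the same text in NORMAL and TYPED mode. */
function parseInModes(string $ini): array
{
    $out = [];
    foreach (['NORMAL' => INI_SCANNER_NORMAL, 'TYPED' => INI_SCANNER_TYPED] as $name => $mode) {
        $parsed = parse_ini_string($ini, false, $mode);
        if ($parsed === false) {
            throw new RuntimeException("parse failed in $name mode");
        }
        $out[$name] = $parsed;
    }
    return $out;
}

/**
 * Read a flag the way the engine does: 1/on/yes/true => true,
 * 0/off/no/false/none/"" => false, anything else => null so the caller can
 * report "unrecognised" instead of silently passing or failing it.
 */
function iniFlag($value): ?bool
{
    if (is_bool($value)) {          // TYPED mode already decided
        return $value;
    }
    $v = strtolower(trim((string) $value, " \t\"'"));   // tolerate quotes a raw reader leaves in
    if (in_array($v, ['1', 'on', 'yes', 'true'], true)) {
        return true;
    }
    if (in_array($v, ['0', 'off', 'no', 'false', 'none', ''], true)) {
        return false;
    }
    return null;
}

/** "Must be Off" rule with an explicit verdict for absent and unparseable values. */
function mustBeOff(array $ini, string $key): string
{
    if (!array_key_exists($key, $ini)) {
        return 'ABSENT (engine default applies)';
    }
    $flag = iniFlag($ini[$key]);
    if ($flag === null) {
        return 'UNKNOWN value ' . var_export($ini[$key], true);
    }
    return $flag ? 'FAIL' : 'PASS';
}

foreach (parseInModes(SAMPLE_INI) as $mode => $ini) {
    echo "== INI_SCANNER_$mode ==\n";
    foreach (['expose_php', 'allow_url_fopen', 'allow_url_include', 'display_errors', 'session.cookie_secure'] as $key) {
        printf("%-22s parsed as %-7s -> %s\n", $key, var_export($ini[$key] ?? null, true), mustBeOff($ini, $key));
    }
}
```

In both modes every Off spelling now passes, the commented-out line leaves no trace, and the nonsense value is reported as unknown rather than being silently counted as On or Off.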
