Web hosts beware

Web hosting vendors need to shore up their systems following the discovery of a hack that creates a means for miscreants to abuse PHP functions that have been disabled for security reasons.

Shared hosting providers often rely heavily on PHP function blacklists to stop their clients from interfering with the adjacent systems of other users.

A Russian-speaking security researcher nicknamed Twoster uncovered a mechanism to bypass these controls using an imap_open exploit.

Security researcher Anton Lopanitsyn (AKA i_Bo0oM) publicised this work through a post on GitHub. The exploit works on Debian and Ubuntu versions of Linux.

Rather than re-enabling a dangerous function, the hack abuses a function that was previously thought to be safe in order to execute arbitrary code.

Web hosts need to blacklist the problematic function.

The PHP language is widely (but not universally) used for creating websites. OWASP has published recommendations on PHP functions that ought to be disabled as dangerous unless they are explicitly needed.

These recommendations are reflected in published advice related to PHP usage from various hosting providers.

Despite this advice, and general agreement among experts about best practice on PHP usage, mistakes and oversights still happen.

For example, French web hacker Nicolas Grégoire reports that he recently discovered an (unnamed) large hosting provider that forgot to include proc_open() in the list of disabled PHP functions.

The security oversight meant that anyone already able to execute some PHP code – for example, through an unrestricted file upload – could easily get a shell on vulnerable systems.
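Both the imap_open bypass and the missing proc_open() entry come down to a gap in the disable_functions directive, so a host can audit for it. The following is an added example, not code from the researchers or any hosting provider; the sample php.ini text and the helper names are constructed for illustration, and the required set holds only the two functions this article names.

```python
import re

# Functions this article names as belonging on the blacklist.
# Assumption: a real audit extends this set with the host's full policy.
REQUIRED = {"imap_open", "proc_open"}

# Directive names in php.ini are case sensitive; lines starting with ';'
# are comments and do not match this pattern.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")

# Constructed sample: an early list, then a later override that is still
# missing both functions.
SAMPLE_INI = """\
[PHP]
;disable_functions = imap_open,proc_open
disable_functions = exec,passthru
disable_functions = "exec, passthru, shell_exec, system, popen" ; override
"""


def disabled_functions(ini_text):
    """Return the effective disable_functions set from php.ini text.

    A later assignment replaces an earlier one, so only the last
    uncommented directive counts.
    """
    effective = set()
    for line in ini_text.splitlines():
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        value = match.group(1).split(";", 1)[0]   # drop a trailing comment
        value = value.strip().strip("\"'")        # drop optional quotes
        effective = {n.strip() for n in value.split(",") if n.strip()}
    return effective


def missing_from_blacklist(ini_text, required=REQUIRED):
    """Return the required functions the configuration leaves enabled."""
    return sorted(set(required) - disabled_functions(ini_text))


if __name__ == "__main__":
    gaps = missing_from_blacklist(SAMPLE_INI)
    print("still enabled:", ", ".join(gaps) if gaps else "none")
```

Concatenate the main php.ini and any additionally scanned .ini files in load order before passing the text in, so that the last-assignment rule reflects what PHP actually applies.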