Lack of updates courtesy of PHP security issues
Posted: June 15, 2009 at 8:59 pm | Tags: apache, gallery, linux, PHP, script, security, updates, webserver, work

So I have all kinds of stuff that needs to get posted on here, including pictures of the half torn-down Tiger Stadium as well as the Packard Plant and whatnot. However, it’s been screwy getting in to make any updates before recently.
Here’s the story.
I’ve been working on a small freelance project where the most time consuming bit was going to be the photo gallery. So I wrote something up to show the pictures, browse directories, make image previews, etc. Instead of being ghetto-fab and just using CSS to set the width of the images, I found a nice thumbnailer script that uses PHP’s GD library and even had an image cache so that it wouldn’t be ridiculously slow every time it was run. It’s called Smart Image Resizer from Shifting Pixel. I was excited and decided to test it.
Well, the script was set up to search all directories in the folder “galleries” and take the first image from each folder and use that one as the preview image. Simple enough, right?
Well, not when it encounters an empty directory.
It tried passing something like “array index[2]: Invalid” to the PHP script as an argument for the image. This, unbeknownst to me, caused my web server’s security to freak out and give errors like the following:
2009-06-10 21:33:23 XX.XX.XX.XX /thumbnail.php?/.?width=350&height=350&cropratio=1:1&image=/gallery/test1/. HTTP/1.1 domain.com Access denied with code 403 (phase 2). Match of "rx (\\.(?:gif|jpg|png|bmp|jpeg)|^http://$|^[0-9]+$)" against "ARGS:image" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "825"] [id "340161"] [rev "14"] [msg "PHP Injection protection for Image ARGS (S)"] [severity "CRITICAL"] 403
Except like I said, I had no idea that this had happened. So from where I sit, I’m just trying to FTP some files and go about my day. Then it locks me out. No big deal, right? Server’s getting rebooted or something, I’ll just try again later.
Still can’t get in. I check the server from my phone, it’s fine. Eventually, I get back in, go back to testing, and get locked out again. I proceed to go down to my girlfriend’s house, assuming that it’s blocking my IP address for whatever reason, and it locks me out there.
So I’m pretty bothered and confused at this point. Keep in mind that this has happened over the course of a few days. Eventually, I get in touch with my hosting people and figure it all out. But that still won’t stop the server from kicking me off if it doesn’t like the image value I pass.
So I patch my gallery to only pass something to the script if there is a file there, and all is well again.
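Here is what that patch looks like in practice, as an added example (this is neither the post's own gallery code nor Shifting Pixel's Smart Image Resizer; the gallery layout, the `galleries` root path and the `thumbnail.php` parameters are assumptions based on the log line above). It picks the first real image in each gallery directory, builds a thumbnail URL only when such a file exists, and restricts the `image` argument to the same extension allowlist the mod_security rule enforces, so an empty directory produces a placeholder instead of a request the WAF will block:

```php
<?php
// Added example, not code from the original post or from Shifting Pixel.
// Gallery preview helper: find the first image in each gallery folder and
// only emit a thumbnail.php URL when a real image file exists, so an empty
// directory never sends a value like "/gallery/test1/." to the thumbnailer.

declare(strict_types=1);

// Extensions the thumbnailer may be asked for. Mirrors the allowlist the
// mod_security rule in the log ("\.(?:gif|jpg|png|bmp|jpeg)") applies to ARGS:image.
const IMAGE_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png', 'bmp'];

/**
 * Return the name of the first image file (sorted by name) in $dir, or null
 * if the directory has none. Only regular files with an allowlisted
 * extension qualify; ".", "..", subdirectories and stray non-image files
 * are skipped instead of being passed along to thumbnail.php.
 */
function firstImageIn(string $dir): ?string
{
    $entries = @scandir($dir);
    if ($entries === false) {
        return null;                      // unreadable or missing directory
    }
    sort($entries, SORT_STRING);
    foreach ($entries as $entry) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (!is_file($path)) {
            continue;                     // skips ".", ".." and nested dirs
        }
        $ext = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        if (in_array($ext, IMAGE_EXTENSIONS, true)) {
            return $entry;
        }
    }
    return null;
}

/**
 * Build the thumbnail.php URL for one gallery, or null when the gallery is
 * empty. The caller renders a placeholder for null rather than issuing a
 * request the WAF will reject. The query string is built with
 * http_build_query so every value is URL-encoded instead of concatenated raw.
 */
function previewUrl(string $galleriesRoot, string $galleryName): ?string
{
    $file = firstImageIn($galleriesRoot . DIRECTORY_SEPARATOR . $galleryName);
    if ($file === null) {
        return null;
    }
    $query = http_build_query([
        'width'     => 350,
        'height'    => 350,
        'cropratio' => '1:1',
        'image'     => '/galleries/' . $galleryName . '/' . $file,   // assumed web path
    ]);
    return '/thumbnail.php?' . $query;
}

/** Map every gallery directory under $galleriesRoot to its preview URL (or null). */
function galleryPreviews(string $galleriesRoot): array
{
    $previews = [];
    foreach (@scandir($galleriesRoot) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_dir($galleriesRoot . DIRECTORY_SEPARATOR . $entry)) {
            $previews[$entry] = previewUrl($galleriesRoot, $entry);
        }
    }
    return $previews;
}

// --- Constructed sample layout (hypothetical): two galleries, one empty ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'galleries_' . uniqid();
mkdir("$root/test1", 0700, true);          // empty directory: the case that broke
mkdir("$root/test2", 0700, true);
touch("$root/test2/notes.txt");            // non-image file, must be skipped
touch("$root/test2/b.jpg");
touch("$root/test2/a.png");

print_r(galleryPreviews($root));

// Clean up the constructed sample tree.
array_map('unlink', glob("$root/test2/*"));
rmdir("$root/test2");
rmdir("$root/test1");
rmdir($root);
```

With that sample layout, `test1` maps to null (the template shows a placeholder and never calls thumbnail.php) and `test2` maps to a URL whose `image` argument points at `a.png`, the first allowlisted file by name. Checking the extension on the gallery side is the point: the WAF rule is then a backstop rather than the thing that discovers your bug by locking you out.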
On top of that, I worked till almost 7:30 today, put in almost a full day on Sunday, had to rebuild my home network setup and have had random day to day stuff to deal with.
Updates are coming soon. Till then, there CAN be such a thing as too much security.

