Passbroker for Php

Hide your embedded passwords in Php scripts

Download PassBroker

Introduction:

If you have ever asked yourself:
"How can I hide the usernames and passwords in my scripts so that unauthorized users cannot steal them?"
then you are in the right place, and I suggest you install PassBroker on your own website.

PassBroker is a PHP extension, written in C, which hands out the information you do not want to embed directly inside a PHP script. PassBroker gives a script only the secrets it needs, according to a user-defined ruleset.

- What is PassBroker (Pb)?:

Let's suppose you have access to a DBMS. Usually a developer creates a file named something like config.php with a username and password embedded in it:
-----------config.php-------
<?php
$user='dbuser';
$passw='dbpassword';
----------------------------

This file obviously has to be readable by the apache user in order to be parsed and executed; some include function then makes those variables available to the other scripts for the db connection.
This is an information leak intrinsic to every interpreted or pseudo-compiled language: the interpreter runs as the web server user and has to read the secret in clear, so every script and every process running as that same user can read it too.
The aim of PassBroker is to help protect this kind of confidential data.

Let's try to use PassBroker.

PassBroker is quite easy to use:

create a file pbacl.xml in /etc/pb/
------------pbacl.xml---------------------
<?xml version="1.0"?>
<PassBroker>
  <Trust tid="db1" >
       <File XMLFilename="/etc/pb/acls/acl.xml"  XMLOwnerUId="root" XMLOwnerGId="root" />
  </Trust>
</PassBroker>
-----------------------------------------
$su
#chown root:root /etc/pb/pbacl.xml
#chmod 400 /etc/pb/pbacl.xml

Where /etc/pb/acls/acl.xml is the following file:
----------acl.xml------------------------------
<?xml version="1.0"  encoding="ISO-8859-1" ?>
<PassBrokerSecret>
   <Secret sid="acl1">
    <Info name="dbname"    value="DBNAME" />
    <Info name="dbserver"  value="localhost" />
    <Info name="tablename" value="ACLtable_name" />
    <Info name="username"  value="ACLuser" />
    <Info name="password"  value="p455w0£d!" />
   </Secret>
</PassBrokerSecret>
-----------------------------------------------
Then config.php calls the pb_get_info() function:

$secretdata = pb_get_info("db1","acl1");

and $secretdata is returned to the script as a PHP array like the following:
Array
(
    [db1_acl1] => Array
        (
            [dbname] => DBNAME
            [dbserver] => localhost
            [tablename] => ACLtable_name
            [username] => ACLuser
            [password] => p455w0£d!
        )
)
whose entries are accessed like those of any other array (note the outer key, built from the trust id and the secret id), for example:
mysql_connect($secretdata['db1_acl1']['dbserver'], $secretdata['db1_acl1']['username'], $secretdata['db1_acl1']['password']);

Obviously, if an attacker can write a PHP file under the document root, he can read any data held in memory or in a variable, including whatever pb_get_info() returns.
To address this, two additional tags have been introduced. They let the webmaster define an ACL on the calling script and on the function call stack: a secret is handed out only when pb_get_info() is reached through the chain of scripts and functions listed in the policy.
These tags are named <PHPolicy> and <FromCallerScript> and are used in the following way:
    <PHPolicy>
      <FromCallerScript ScriptName="/home/stefano/public_html/hd/env.php" ScriptFunctionName="getws2"
                                                ScriptOwnerUId="stefano" ScriptOwnerGId="stefano" >
      [<FromCallerScript ....> ]
      </FromCallerScript>
    </PHPolicy>
Nested <FromCallerScript> elements describe the call chain: the innermost element is the script and function that actually invoke pb_get_info(), and each enclosing element is its caller.
Where - 'ScriptName' is the absolute path of the calling PHP script allowed to ask for the specified secret,
- 'ScriptFunctionName' is the name of the function allowed to ask for that particular secret,
- 'ScriptOwnerUId' is the owner id or name of 'ScriptName'
- 'ScriptOwnerGId' is the owner group id or group name of 'ScriptName'

The owner attributes are what gives the policy its teeth: a file written by the apache user is owned by apache, so it cannot pass as a script owned by 'stefano' unless the attacker can also modify or replace that script (see "When PassBroker is useless").

These tags could be inserted in a xml file in the following way:
------------pbacl.xml---------------------
<?xml version="1.0"?>
<PassBroker>
  <Trust tid="db1" >
       <File XMLFilename="/etc/pb/acls/acl.xml"  XMLOwnerUId="root" XMLOwnerGId="root" >
        <PHPolicy>
          <FromCallerScript ScriptName="/home/stefano/public_html/hd/env.php" ScriptFunctionName="getws"
                            ScriptOwnerUId="stefano" ScriptOwnerGId="stefano">
            <FromCallerScript ScriptName="/home/stefano/public_html/hd/inc.php" ScriptFunctionName="pb_get_info"
                              ScriptOwnerUId="stefano" ScriptOwnerGId="stefano" />
          </FromCallerScript>
        </PHPolicy>
       </File>
  </Trust>
</PassBroker>
-----------------------------------------------

or, by adding them to "/etc/pb/acls/acl.xml"
----------acl.xml------------------------------
<?xml version="1.0"  encoding="ISO-8859-1" ?>
<PassBrokerSecret>
   <Secret sid="acl1">
     <Info name="dbname"    value="DBNAME" />
     <Info name="dbserver"  value="localhost" />
     <Info name="tablename" value="ACLtable_name" />
     <Info name="username"  value="ACLuser" />
     <Info name="password"  value="p455w0£d!" />
     <PHPolicy>
       <FromCallerScript ScriptName="/home/stefano/public_html/hd/env.php" ScriptFunctionName="getws"
                         ScriptOwnerUId="stefano" ScriptOwnerGId="stefano">
         <FromCallerScript ScriptName="/home/stefano/public_html/hd/inc.php" ScriptFunctionName="pb_get_info"
                           ScriptOwnerUId="stefano" ScriptOwnerGId="stefano" />
       </FromCallerScript>
     </PHPolicy>
   </Secret>
</PassBrokerSecret>
-----------------------------------------------
The difference is that a policy placed in pbacl.xml is checked for every secret in "/etc/pb/acls/acl.xml", whereas policies placed inside "/etc/pb/acls/acl.xml" can be written per secret, one ACL for each <Secret>.
For more information about ACLs read the section "Php.ini configuration parameters".
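To dry-run a policy before it goes into /etc/pb/, the following added example (not code from the PassBroker extension itself) re-implements in Python the lookup described above, Trust tid to secret file to Secret sid to Info values, together with the <PHPolicy>/<FromCallerScript> call-chain check, using embedded copies of the two XML files from this page. The matching rules are an assumption: the innermost <FromCallerScript> is the frame that calls pb_get_info(), each enclosing element is its caller, all four attributes must match exactly, and stack frames deeper than the policy lists are not inspected. The stack itself is passed in as data, since only the extension can see the real PHP call stack.

```python
"""Dry-run evaluator for PassBroker-style ACLs (added example, not the extension's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed copies of the page's two files so the example runs offline.
PBACL_XML = """<?xml version="1.0"?>
<PassBroker>
 <Trust tid="db1">
  <File XMLFilename="/etc/pb/acls/acl.xml" XMLOwnerUId="root" XMLOwnerGId="root">
   <PHPolicy>
    <FromCallerScript ScriptName="/home/stefano/public_html/hd/env.php" ScriptFunctionName="getws"
                      ScriptOwnerUId="stefano" ScriptOwnerGId="stefano">
     <FromCallerScript ScriptName="/home/stefano/public_html/hd/inc.php" ScriptFunctionName="pb_get_info"
                       ScriptOwnerUId="stefano" ScriptOwnerGId="stefano"/>
    </FromCallerScript>
   </PHPolicy>
  </File>
 </Trust>
</PassBroker>"""

ACL_XML = """<?xml version="1.0"?>
<PassBrokerSecret>
 <Secret sid="acl1">
  <Info name="dbname"   value="DBNAME"/>
  <Info name="dbserver" value="localhost"/>
  <Info name="username" value="ACLuser"/>
  <Info name="password" value="p455w0£d!"/>
 </Secret>
</PassBrokerSecret>"""
SECRET_FILES = {"/etc/pb/acls/acl.xml": ACL_XML}  # stands in for reading the path as root

# A PHP frame as the policy describes it: (script path, function name, owner user, owner group).
Frame = Tuple[str, str, str, str]
# stack[0] is the frame calling pb_get_info(), stack[1] its caller, and so on (assumed order).
LEGIT_STACK: List[Frame] = [
    ("/home/stefano/public_html/hd/inc.php", "pb_get_info", "stefano", "stefano"),
    ("/home/stefano/public_html/hd/env.php", "getws", "stefano", "stefano"),
]
# Constructed attack: an uploaded script owned by the web server user calls pb_get_info() directly.
ATTACKER_STACK: List[Frame] = [("/var/www/html/up.php", "pb_get_info", "apache", "apache")]


def parse_policy(phpolicy: Optional[ET.Element]) -> List[Frame]:
    """Flatten nested <FromCallerScript> elements into a list, innermost frame first."""
    chain: List[Frame] = []
    node = None if phpolicy is None else phpolicy.find("FromCallerScript")
    while node is not None:
        chain.append((node.get("ScriptName"), node.get("ScriptFunctionName"),
                      node.get("ScriptOwnerUId"), node.get("ScriptOwnerGId")))
        node = node.find("FromCallerScript")
    chain.reverse()
    return chain


def chain_allowed(policy: List[Frame], stack: List[Frame]) -> bool:
    """True iff every policy level equals the stack frame at the same depth (empty policy: no restriction)."""
    return len(stack) >= len(policy) and all(p == s for p, s in zip(policy, stack))


def pb_get_info(tid: str, sid: str, stack: List[Frame], pbacl: str = PBACL_XML,
                files: Dict[str, str] = SECRET_FILES) -> Optional[Dict[str, Dict[str, str]]]:
    """Emulate pb_get_info(tid, sid): {"tid_sid": {name: value}} as on the page, or None when denied."""
    trust = next((t for t in ET.fromstring(pbacl).findall("Trust") if t.get("tid") == tid), None)
    fnode = None if trust is None else trust.find("File")
    if fnode is None or fnode.get("XMLFilename") not in files:
        return None
    secrets = ET.fromstring(files[fnode.get("XMLFilename")]).findall("Secret")
    secret = next((s for s in secrets if s.get("sid") == sid), None)
    if secret is None:
        return None
    # A <PHPolicy> under <File> guards every secret in that file; one under <Secret> guards that sid only.
    for pol in (fnode.find("PHPolicy"), secret.find("PHPolicy")):
        if pol is not None and not chain_allowed(parse_policy(pol), stack):
            return None
    return {f"{tid}_{sid}": {i.get("name"): i.get("value") for i in secret.findall("Info")}}


if __name__ == "__main__":
    print("legit:   ", pb_get_info("db1", "acl1", LEGIT_STACK))
    print("attacker:", pb_get_info("db1", "acl1", ATTACKER_STACK))
```

Running it shows the legitimate env.php:getws -> inc.php chain receiving the secret while the uploaded script, a copy of inc.php owned by apache, or inc.php reached from an unlisted caller all get None; those are exactly the cases the owner and caller attributes are meant to reject.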

- How Pb works:

PassBroker was conceived as a PHP extension used by the Apache server. Apache starts as root, loads every extension listed in its configuration files, binds port 80 and then drops root privileges.
This means that every configuration file can be made readable by root only:

-r-------- 1 root root 867 nov 1 14:30 pbacl.xml

Consequently, I was able to develop a PHP extension which reads a secret file with confidential data while the process is still root, and then dispatches it on demand according to a set of rules. Once privileges are dropped, nothing running as the apache user, scripts included, can open those files by itself.
Note that this relies on PHP being loaded into Apache as a module (mod_php) at startup: if PHP runs as a CGI or FastCGI process started as the apache user, the interpreter never has root privileges and cannot read a root-only file.

- Php.ini configuration parameters.

pb.dtddir
           Default Value: "/etc/pb/dtds"        PHP_INI_SYSTEM
           Directory holding the two DTD files that define the XML grammar of the
           PassBroker and PassBrokerSecret documents. They have fixed names,
           'PassBroker.dtd' and 'PassBrokerSecret.dtd', and both must be in this
           directory.
           As 'pb.dtddir' is PHP_INI_SYSTEM, it cannot be changed at runtime
           (neither with ini_set() nor from a .htaccess file).
pb.aclfile
           Default Value: "/etc/pb/pbacl.xml"   PHP_INI_SYSTEM
           The XML file containing your ACLs.
pb.debug
           Default Value: "None"                PHP_INI_PERDIR
           Other allowed values: "GenerateACL", "LearnACL"
           None:
                       disables every debug activity.
           GenerateACL:
                       prints the <PHPolicy>/<FromCallerScript> ACL matching the
                       current call every time pb_get_info() is called, so that
                       it can be cut and pasted into your configuration file.
                       Use it only while developing: the output discloses script
                       paths and owners to whoever views the page. Being
                       PHP_INI_PERDIR, it can also be switched on per directory
                       from httpd.conf or from a .htaccess file where
                       AllowOverride permits php_value, so such files must not be
                       writable by the apache user.
           LearnACL:
                       TBD. A facility which appends everything GenerateACL
                       produces to /tmp/trust.xml (a fixed name in the
                       world-writable /tmp is exposed to symlink tricks by other
                       local users).
						

- Suggestions:

If you want to set the right access permissions and test the configuration you just created, you can run 'test_conf' as root and follow the instructions:
$su
#./test_conf

Or by hand:
$su
#mkdir /etc/pb/
#chown root:root /etc/pb/
#chmod 400 /etc/pb/ -R
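The following added example (not the page's test_conf script) checks the property the steps above establish, that everything under the PassBroker directory is owned by the expected uid and carries no group/other permission bits, reports every offending entry or symbolic link, and can apply the modes itself. Two assumptions: directories get 0500 rather than the page's recursive 400 so that non-root tools can still traverse them (root ignores the missing x bit anyway), and the expected uid is a parameter so the code can be exercised on a scratch directory without root; chown to root:root is left to the administrator.

```python
"""Permission audit for a PassBroker configuration tree (added example, not test_conf)."""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

FILE_MODE = 0o400  # the page's chmod 400 for pbacl.xml and the secret files
DIR_MODE = 0o500   # assumption: owner keeps x to traverse; still no group/other bits


def audit_private_tree(root: str, expected_uid: int = 0) -> List[str]:
    """Return one line per problem found; an empty list means the tree is locked down."""
    problems: List[str] = []

    def check(path: str) -> None:
        st = os.lstat(path)
        if st.st_uid != expected_uid:
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & 0o077:
            problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                # A link would let the configuration point outside the protected tree.
                problems.append(f"{path}: symbolic link inside the configuration tree")
            else:
                check(path)
    return problems


def lock_down(root: str) -> None:
    """Apply FILE_MODE/DIR_MODE to the whole tree (ownership is left to chown, which needs root)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, DIR_MODE)  # owner keeps r-x, so the walk can continue below
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, FILE_MODE)


def demo_on_scratch_dir() -> Tuple[List[str], List[str]]:
    """Build a throw-away copy of the page's /etc/pb layout with sloppy modes; audit before and after lock_down()."""
    root = tempfile.mkdtemp(prefix="pb-demo-")
    os.makedirs(os.path.join(root, "acls"))
    for rel in ("pbacl.xml", os.path.join("acls", "acl.xml")):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<!-- constructed placeholder, not a real secret -->\n")
        os.chmod(path, 0o644)  # the world-readable default an admin forgets to change
    me = os.getuid()
    before = audit_private_tree(root, expected_uid=me)
    lock_down(root)
    after = audit_private_tree(root, expected_uid=me)
    # Give write permission back so the scratch tree can be deleted.
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o600)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo_on_scratch_dir()
    print("before lock_down:", *before, sep="\n  ")
    print("after lock_down: ", after)
```

On a real installation run audit_private_tree("/etc/pb") as root: the expected uid defaults to 0, and anything it prints is a file the apache user may be able to read or a link that escapes the tree.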

- When PassBroker is useless:

PassBroker assumes you have set the right permissions on your directories and files. If those permissions are wrong, PassBroker becomes useless in proportion to how exposed your website already is.
Assuming that:
- the HTTP web server (apache) runs as user 'apache', group 'apache'
the scenarios in which PassBroker's usefulness decreases are:
1. Your scripts are writable by the apache user and someone else has access to the directory
   and to the scripts as the apache user. This is the worst case, since an attacker can
   modify your scripts, for instance by adding something like:

   echo "$user $password";

   A script modified in place keeps its path and its owner, so it still satisfies the
   <FromCallerScript> policy.

2. Some subdirectory under the document root is writable by the apache user.
   An attacker who can drop a file there can run code as apache; then only correctly
   written PHP scripts and a tight PHPolicy on each secret stand between him and the
   data, otherwise it is as if you were not using PassBroker.

3. A remote/local file include vulnerability, which lets an attacker run code of his
   choosing inside a script that is allowed to ask for the secret.

4. An fopen vulnerability (a user-controlled path passed to fopen() or similar), which
   gives the attacker read or write access to files with the apache user's privileges.

Files and their meanings:

pb_functions.c
ACL manipulation and control functions.

xmlparser.c
parses acls xml file and stores them in memory.

system_info.c
privileges control routines.

- Final Note - License:

This program is released under GPL 2.0 (http://www.gnu.org/copyleft/gpl.html).

Wisec is written and maintained by Stefano Di Paola.

All Rights Reserved 2004