Too Secure??? [SOLVED]

So I host a few joomla sites on my linode and know there are some potential vulnerabilities in doing so. I took some time and read many articles on how to secure apache and the rest of my install to protect against many of the common hacks.

My problem now is that I think I made it "too secure", I am unable to upload files from a browser. I tried to remove mod security and had the same issue, I checked some things in php.ini and from what I can tell thats not blocking it. What else could be blocking the files from making it to the server?

One of the scripts allows for an image to be uploaded and resize it. When I look at the error log the first item is that it can not find the image where it should have been placed. This is whats making me think that some setting somewhere is still messing with me.

Its Centos if that helps.

Thanks guys.

21 Replies

Does the web server have write permissions to the directory where your uploaded files are supposed to go? The directory should be owned by the same user as the web server, or else it should be writable by everyone (permission 777).

@hybinet:

Does the web server have write permissions to the directory where your uploaded files are supposed to go? The directory should be owned by the same user as the web server, or else it should be writable by everyone (permission 777).

yes

Do you have SELinux enabled? This is a common problem with CentOS and SELinux when changing where the web server document root is. Google around.

@sweh:

Do you have SELinux enabled? This is a common problem with CentOS and SELinux when changing where the web server document root is. Google around.
I have checked that, It is not enabled.

@eld101:

@hybinet:

Does the web server have write permissions to the directory where your uploaded files are supposed to go? The directory should be owned by the same user as the web server, or else it should be writable by everyone (permission 777).

yes

which of the statements are true?

Do you mind posting your php.ini? here preferably

@freedomischaos:

@eld101:

@hybinet:

Does the web server have write permissions to the directory where your uploaded files are supposed to go? The directory should be owned by the same user as the web server, or else it should be writable by everyone (permission 777).

yes

which of the statements are true?

Do you mind posting your php.ini? here preferably

files and folders are owned by user apache:bbt and are 775

php.ini –> http://pastebin.linode.com/1524

> One of the scripts allows for an image to be uploaded and resize it. When I look at the error log the first item is that it can not find the image where it should have been placed.

Which log ? It would be worth posting the relevant, sanitized lines, as well as whatever is posted back to your browser, if anything.

Is this a Joomla script, or one you've written and included in the site ? If Joomla, have you checked the config for the module, and for whichever graphics module/toolkit you're using for the resize ?

Does it fail for all (Joomla) users and file sizes ?

This is not a joomla script, I will try and get the log file posted shortly.

> This is not a joomla script

May be worth posting that also.

@eld101:

This is not a joomla script, I will try and get the log file posted shortly.

sorry it took so long…. any ideas?

[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  imagecreatefromjpeg() [[function.imagecreatefromjpeg](function.imagecreatefromjpeg)]: open_basedir restriction in effect. File(/tmp/phpGC7YF1) is not within the allowed path(s): (/var/www/html/) in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 26, referer: http://www.bitchesbetrippin.com/uploader2/submit.php
[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  imagecreatefromjpeg(/tmp/phpGC7YF1) [[function.imagecreatefromjpeg](function.imagecreatefromjpeg)]: failed to open stream: Operation not permitted in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 26, referer: http://www.bitchesbetrippin.com/uploader2/submit.php
[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  imagejpeg(): supplied argument is not a valid Image resource in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 45, referer: http://www.bitchesbetrippin.com/uploader2/submit.php
[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  chmod() [[function.chmod](function.chmod)]: No such file or directory in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 46, referer: http://www.bitchesbetrippin.com/uploader2/submit.php
[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  getimagesize(image_files/eric.jpg) [[function.getimagesize](function.getimagesize)]: failed to open stream: No such file or directory in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 51, referer: http://www.bitchesbetrippin.com/uploader2/submit.php
[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  imagedestroy(): supplied argument is not a valid Image resource in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 75, referer: http://www.bitchesbetrippin.com/uploader2/submit.php
[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] File does not exist: /var/www/html/bitchesbetrippin.com/uploader2/image_files/eric.jpg, referer: http://www.bitchesbetrippin.com/uploader2/submit.php?upload_message=Image%20Uploaded&upload_message_type=success&show_image=eric.jpg

This might be your problem:

[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  imagecreatefromjpeg() [[function.imagecreatefromjpeg](function.imagecreatefromjpeg)]: open_basedir restriction in effect. File(/tmp/phpGC7YF1) is not within the allowed path(s): (/var/www/html/) in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 26, referer: http://www.bitchesbetrippin.com/uploader2/submit.php

…where you have set in php.ini:

> http://pastebin.linode.com/1524:

; open_basedir, if set, limits all file operations to the defined directory

; and below. This directive makes most sense if used in a per-directory

; or per-virtualhost web server configuration file. This directive is

; NOT affected by whether Safe Mode is turned On or Off.

open_basedir = /var/www/html/

@mjrich:

This might be your problem:

[Wed Dec 10 18:10:23 2008] [error] [client 65.24.37.56] PHP Warning:  imagecreatefromjpeg() [[function.imagecreatefromjpeg](function.imagecreatefromjpeg)]: open_basedir restriction in effect. File(/tmp/phpGC7YF1) is not within the allowed path(s): (/var/www/html/) in /var/www/html/bitchesbetrippin.com/uploader2/submit.php on line 26, referer: http://www.bitchesbetrippin.com/uploader2/submit.php

…where you have set in php.ini:

> http://pastebin.linode.com/1524:

; open_basedir, if set, limits all file operations to the defined directory

; and below. This directive makes most sense if used in a per-directory

; or per-virtualhost web server configuration file. This directive is

; NOT affected by whether Safe Mode is turned On or Off.

open_basedir = /var/www/html/

what would the issue be with this?

Surely you jest ? Oi ?

(Non ? openbasedir is doing exactly as per the comments in php.ini. Either you'lll need to change your script so that it operates within the the aforementioned path, /var/www/html, or change the openbasedir path to fit your script.)

@mjrich:

Surely you jest ? Oi ?

(Non ? openbasedir is doing exactly as per the comments in php.ini. Either you'lll need to change your script so that it operates within the the aforementioned path, /var/www/html, or change the openbasedir path to fit your script.)

Thanks dood!

You are the MAN!

i would recommend open_basedir = /tmp probably, i can't think why would want your scripts modifying files in /var/www

@cz9qvh:

i would recommend open_basedir = /tmp probably, i can't think why would want your scripts modifying files in /var/www

The OP said he was using a file upload script. In that case, the path where the uploaded files are saved must be writable by the script. And no sane script permanently saves files to /tmp.

I ran into exactly the same problem just a few days ago, due to a stupid mistake. I was making a very restrictive list of open_basedir directives and forgot to include /tmp. I only found out about the mistake when a user emailed me that uploads were not working.

PHP stores user-uploaded files in /tmp for a brief period, usually until the script which handles the upload exits or else the file is moved to a permanent location, whichever happens first. You can change this behavior by editing the "uploadtmpdir" directive in your php.ini. Most of the time it's okay to use /tmp to store non-confidential information such as uploaded images. But if the information you're storing in /tmp is confidential and other people also have access to /tmp, you might want to think more carefully.

Another situation where it might be a good idea to change "uploadtmpdir" is if you accept large uploads (~100M) and /tmp is in a different partition from the location of permanent storage (usually under the web root). In that case, you can avoid unnecessary inter-partition file moves (more copying = more I/O) by forcing PHP to store temporary uploaded files in the same partition as the location of permanent storage.

Ive got it working…thanks guys

@hybinet:

@cz9qvh:

i would recommend open_basedir = /tmp probably, i can't think why would want your scripts modifying files in /var/www

The OP said he was using a file upload script. In that case, the path where the uploaded files are saved must be writable by the script. And no sane script permanently saves files to /tmp.

I ran into exactly the same problem just a few days ago, due to a stupid mistake. I was making a very restrictive list of open_basedir directives and forgot to include /tmp. I only found out about the mistake when a user emailed me that uploads were not working.

PHP stores user-uploaded files in /tmp for a brief period, usually until the script which handles the upload exits or else the file is moved to a permanent location, whichever happens first. You can change this behavior by editing the "uploadtmpdir" directive in your php.ini. Most of the time it's okay to use /tmp to store non-confidential information such as uploaded images. But if the information you're storing in /tmp is confidential and other people also have access to /tmp, you might want to think more carefully.

Another situation where it might be a good idea to change "uploadtmpdir" is if you accept large uploads (~100M) and /tmp is in a different partition from the location of permanent storage (usually under the web root). In that case, you can avoid unnecessary inter-partition file moves (more copying = more I/O) by forcing PHP to store temporary uploaded files in the same partition as the location of permanent storage. Oh, i suppose i assumed whatever he was uploading was going into a mysql database, instead of onto the filesystem. it didn't occur to me that open_basedir could be used to specify more than one location.

@sweh:

Do you have SELinux enabled? This is a common problem with CentOS and SELinux when changing where the web server document root is. Google around.

I was under the impression that no Linode has SELinux enabled because by default all the linode kernels do not have it turned on.

I guess you just hate SELinux alot.

@notserpe:

@sweh:

Do you have SELinux enabled? This is a common problem with CentOS and SELinux when changing where the web server document root is. Google around.

I was under the impression that no Linode has SELinux enabled because by default all the linode kernels do not have it turned on.

I guess you just hate SELinux alot.

Pointing out a problem people have with a technology is hating it? Huh…

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct