How you should never configure your logging in PHP

Wednesday, December 7. 2005

Today I had the pleasure to look at code examples from a recently released book. I guess readers of my blog know exactly what book I am referring to.

I will only cover the first 2 code examples that explain how to configure and use PHP's logging capabilities for now, because they are funny enough for now and reveal some nice insights.

<?php

ini_set('error_reporting', E_ALL | E_STRICT);
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
ini_set('error_log', '/usr/local/apache/logs/error_log');

?>

This example seems to explain how a script should configure it's logging in a secure way. I cannot say what the book says about this example, because I don't feel like wasting my money on it. Maybe the guys who say they have reviewed it can comment on it.

However when you look at the example above and have a clue about file permissions you should start to laugh, because it should not work. Then you try it and wonder that it actually works. The thing is, that the author obviously wants to log errors into the apache error log. Therefore he tells PHP to log into the error_log file. Of course PHP will fail to open the file, because the logfile in question is only writeable by the root user on a sane configured webserver. However the example works, because PHP will fall back to using the SAPI error handler for logging purposes. And this of course uses the Apache logging subsystem to log to the file in question. So the example is simply wrong, and only works because of a fallback situation.

The next example is even more funny:

<?php set_error_handler('my_error_handler'); function my_error_handler($number, $string, $file, $line, $context) { $error = "=========\nPHP ERROR\n=========\n"; $error .= "Number: [$number]\n"; $error .= "String: [$string]\n"; $error .= "File: [$file]\n"; $error .= "Line: [$line]\n"; $error .= "Context:\n" . print_r($context, TRUE) . "\n\n"; error_log($error, 3, '/usr/local/apache/logs/error_log'); }?>

This example however uses a different way to log to the error_log of Apache, which does not have any fallback handler. This actually means, that this code can only work if it is executed as the root user or if the apache error_log file is writeable by the apache user, which should never be allowed. I wonder how Apache and PHP is configured on the servers of the author and the persons who have reviewed the book.

PS: And I really wonder how fast after the author reads this we are again kicked out of their library...

Posted by Stefan Esser in Security, PHP at 11:04

Comments (18)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Richard wrote (Link) ()

> PS: And I really wonder how fast after the author reads this we are
> again kicked out of their library...

"Library" ?

posted on Wednesday, December 7. 2005

#1.1 David Grant wrote (Link) ()

I presume the library in question is here: http://phpsec.org/library/

posted on Wednesday, December 7. 2005

#2 Richard Thomas wrote (Link) ()

He might have apache chrooted which would put the permissions and logs of the apache within that persons chroot so it is slightly possible this might work.

The simple fact of the matter though, a lot of hosts give there customers access to the log files both so they can run there own tracking programs on the logs and also so they can self manage them if they get to large and are taking up to much of there quota space.

So its possible it would work, but would it work in most default enviroments, no.

posted on Wednesday, December 7. 2005

#2.1 Stefan Esser ()

Just because it may work on some hosters configuration does not change the fact that it is still a bad idea (from a security point of view) to leave logfiles writeable for the user executing PHP scripts. Anyone that breaks in through a hole in a PHP script will surely love that he is allowed to erase all traces of his actions from the log file.

posted on Wednesday, December 7. 2005

#3 enygma wrote (Link) ()

Said author might be more receptive to things like this if you presented it in a less hostile manner.

Phrases like "wasting my money on it", "funny enough for now", and the comment about the library almost make one not want to bother with the rest of this post. It's one thing to point out security issues with a script. It's a complete other thing to allow your personal grudgles to seep into it, making it a more than slightly uncomfortable read for those "in the know" and completely confusing those that aren't.

posted on Wednesday, December 7. 2005

#3.1 Stefan Esser ()

If you do not like my postings then you are free to not read them.

If you do not think it is amusing that a book about PHP Security, that claims to be from the #1, gives such basic examples that don't work or only when the webserver is configured in an insecure way, then you should not read my blog.

And do you wanna bet how fast we get removed from the library (again)?

posted on Wednesday, December 7. 2005

#3.1.1 Shawn ()

I think enygma tried to say that some people read this because you have valuable things to say php security-wise that may not get written elsewhere.

That said, I don't care if you develop into the rude pundit of php. Write what you like, I'll read it as long as you have a valid reason for writing it. If and when it seems pointless to me, I'll stop reading. When you and a certain author had a comment slap-fest a few months ago, I stopped reading the comments because they seemed childish and completely useless. Nobody forced me to sit at the page and hit refresh until the conversation stopped.

posted on Wednesday, December 7. 2005

#3.2 2djr ()

So what enygma - you read this blog religiously just so you can stick up for you buddy Chris?

The post is legitimate. Number one, Chris Shiflett should at least test his example code before publishing it. That's pretty standard. And Stefan is right - it does betray a very shallow understanding.
Number two, Chris Shiflett has been plenty nasty in the past rallying up his PHP lecture circle buddies in order to keep up the illusion he's some top PHP security expert while in fact he has about as much understanding of PHP security issues as anyone who's developed using PHP for more than a couple of years.

When it comes down to it who would you rather trust or use auditing services from - SE who has developed Hardened-PHP or Shiflett who's written an O'Reilly light-weight book.

posted on Thursday, December 8. 2005

#4 Richard@Home wrote (Link) ()

It could be that their examples were tested on a Windows Box. Still, that's no excuse for not testing it on a *nix box too...

posted on Wednesday, December 7. 2005

#5 Chris Shiflett wrote (Link) ()

Hi Stefan,

The path to the error log is arbitrary. The examples have been changed to /path/to/error_log to make this clearer (with or without context).

If you happen to find errata, please report it rather than blog about it. You should know better. These examples work for me, because I'm testing within the Apache-Test framework.

posted on Wednesday, December 7. 2005

#5.1 elias wrote (Link) ()

sure it's not fine in image and business point of view if someone exposes mistakes in the public. but this is security point of view which should always be exposed to the public, because the public have to be aware about it.
generally everyone should clearly expose his own mistakes to the public who writes about security (and make mistakes too

). for book writers i'll suggest that they mention all security related rewrites for an reissue in an appendix, so that readers see which mistakes they have overtaken from the old issue.

i don't know if someone (or you chris) do so, if yes, forget about my comment.

posted on Thursday, December 8. 2005

#5.2 Jim Janovich ()

LOL.....pretty soon the number of pages for errata will be as long as the book itself. So, should we consider the errata the 2nd Edition?

posted on Thursday, December 8. 2005

#6 Jakub Vrána wrote (Link) ()

Script "Edit Session Data (inject.php)" in Chapter 8 doesn't check POST data and let anyone overwrite your files.

If you don't overwrite $_FILES yourself, it's not necessary to check is_uploaded_file($_FILES['attachment']['tmp_name']) as in examples from Chapter 2. Filenames in this array couldn't be injected.

posted on Thursday, December 8. 2005

#7 Jay M. Keith wrote (Link) ()

I believe the code snippet in the blog post was taken out of context. In the provided code on the book's website, it has an example path. I think you're assuming that it *has* to be to the server's apache log, which isn't the case. I think the point of this code snippet was to isolate your php errors, versus attempt to over-write the apache error_log.
On some of the servers that I maintain, we have numerous java apps, as well as php apps running. It's *very* handy to have the php errors piped to a different log, rather than thrown in the mix with all the other errors. I don't consider it a security issue, more of an issue of handiness. Had the code above been verbatim copied, it would've made more sense to your blog readers, instead, I saw the error more in your interpretation of Chris's approach.

Ha

posted on Thursday, December 8. 2005

#7.1 Stefan Esser ()

Mr. Keith an example in a security book for beginners should work and not only work when an unsafe server configuration is used.

You obviously did not understand the whole point of this blog posting. It has nothing todo with overwriting log files. It had todo with the fact, that the example path given is the default apache logfile path and that the examples therefore can only work in a very unsafe server configuration (apache running as root or the apache logfile writable for anyone else than root).

BTW: If you have servers where the 2nd example works I suggest that you get yourself a new admin.

posted on Thursday, December 8. 2005

#7.1.1 Jay M. Keith ()

I must've looked at the site after the fix had been placed. When I viewed it I didn't see any reference to the apache dir, so I didn't see anything wrong with the example path that was given. It appears that your comments were put in place, which caused my confusion.

posted on Thursday, December 8. 2005

#7.1.1.1 Stefan Esser ()

Ahh I see. The code examples on the book's website were changed. Now they are only wrong in the book...

posted on Thursday, December 8. 2005

#8 Stefan Esser ()

Reminder to myself... Get a new skin for the blog, that survives deep comments.

posted on Thursday, December 8. 2005

Add Comment

Name:

Email:

Homepage:

In reply to:

Comment:

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?
Subscribe to this entry

Calendar