Koozali.org: home of the SME Server

PHP execution broken when trying to config for file upload.

arne
« on: November 22, 2006, 12:06:57 AM »
I have installed phproject to one of my sme boxes. (SME 7.0 server only)

It was originally not able to upload files via web due to security restrictions in the PHP setup (I believe.)

This is, I think, an old and very well known problem from at least SME 5.2 and SME 6.0.1, and also before that, I believe.

During the years I have used a fix for this problem using an old and rather historical e-smith faq:

<quote>

PHP applications running in i-bays can only access files within the same i-bay. Is there a way that the administrator can relax this restriction?
Yes. The administrator can change the PHP Base Directory by executing the following commands (as root):


/sbin/e-smith/db accounts setprop your_i-bay_name PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify your_i-bay_name

Note that the PHPBaseDir argument can be more restrictive than the example shown above. For example PHPBaseDir can also be '/home/e-smith/files/'.

<unquote>

Well, I now tried this procedure on the SME 7.0 as well with a bit less success.

First the web server crashed completely. I then made a new basic configuration of the server (logging in via ssh as admin).

The web server came back but it is now only capable of handling .html pages. No PHP pages work.

Any ideas how to come back to the original setup or to fix the php upload problem ?

Any suggestions will be appreciated

Best reg Arne

judgej
« Reply #1 on: November 22, 2006, 12:47:38 AM »
phprojekt - yet another project that has never heard of move_uploaded_file(), and prefers for admins to loosen up the security on their servers.

http://us2.php.net/manual/en/function.move-uploaded-file.php

You may wish to raise it as a bug.

-- JJ
-- Jason

arne
« Reply #2 on: November 22, 2006, 12:52:22 AM »
Correction:

The php function appears to work for the virtual domains but not for the Primary domain or subfolders. I don't know if the upload function works.

I have looked through the custom templates and cannot find any changes.

The commands I used were like this:

/sbin/e-smith/db accounts setprop Primary PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify Primary

For the old SME 6.x this worked in the way that all restrictions for uploading files via php disappeared. For the SME 7.0 it looks like the effect is a bit different.

One thing I am wondering about is: If I made a backup and a restore will the backup restore still contain the modification ?? (I believe in the SME 6.x  it did, even though there were no entries in the custom templates. Could be I have an incorrect memory about this.)

arne
« Reply #3 on: November 22, 2006, 12:56:21 AM »
->judgej

Thanks for your info. I did not see it when I was writing/testing my server.

I guess that the function you refer to does not use the /tmp folder like phproject does ?

Arne

judgej
« Reply #4 on: November 22, 2006, 01:07:23 AM »
Quote from: "arne"
->judgej

Thanks for your info. I did not see it when I was writing/testing my server.

I guess that the function you refer to does not use the /tmp folder like phproject does ?

Arne


It does use the /tmp folder, but it does so in a way that bypasses the directory restrictions. It also has extra safeguards in it ensuring it cannot be hijacked to copy other files, such as /etc/passwd to a web-accessible location, something that phprojekt has been renowned for in the past.

-- JJ
-- Jason
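
The difference described in the reply above, as an added example that is not part of the thread and not phprojekt code: an upload handler built on move_uploaded_file() keeps working with open_basedir confined to the i-bay, where a copy() out of the temp directory does not. The form field name "attachment" and the "upload" directory are hypothetical.

```php
<?php
// Added example, not phprojekt code. Hypothetical names: form field
// "attachment" and an "upload" directory inside the i-bay.

function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . ($file['error'] ?? 'none'));
    }

    // Never use the client-supplied name as a path. Keep a sanitised base
    // name for readability, prefix random bytes to avoid overwrites, and
    // end with a fixed suffix the web server does not map to PHP.
    $base = pathinfo((string) ($file['name'] ?? ''), PATHINFO_FILENAME);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8))
            . '_' . $base . '.upload';

    // The pattern that fails under open_basedir:
    //   copy($file['tmp_name'], $target);
    // copy() must open the temp file, which lives outside the i-bay, and
    // it will copy whatever source path it is handed.
    //
    // move_uploaded_file() first confirms the source is a file PHP itself
    // received in this POST request, and applies open_basedir to the
    // destination only, so the temp directory needs no exemption.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Not a valid upload, or target not writable');
    }
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['attachment'])) {
    try {
        $stored = store_upload($_FILES['attachment'], __DIR__ . '/upload');
        echo 'Stored as ' . htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

With a handler like this, PHPBaseDir can stay at the i-bay path; only the upload directory has to be writable by the web server user.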

arne
« Reply #5 on: November 22, 2006, 01:39:50 AM »
Hmm .. The old upload method does not work any more, I think.

On the other hand I saved all my files and php applications under Primary by just copying them all over to a new i-bay.

phproject is an extremely good application, so I will try to solve the problem with the upload function in one way or the other.

Just don't know how yet .. ( .. modifying the phproject code might be an alternative ..)

Arne

arne
« Reply #6 on: November 22, 2006, 02:20:48 AM »
Found this one ..

http://forums.contribs.org/index.php?topic=34615.0

Have not solved the problem.

william_syd
« Reply #7 on: November 22, 2006, 03:32:55 AM »
Quote from: "arne"
Correction:

The php function appears to work for the virtual domains but not for the Primary domain or subfolders. I don't know if the upload function works.

I have looked through the custom templates and cannot find any changes.

The commands I used were like this:

/sbin/e-smith/db accounts setprop Primary PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify Primary

For the old SME 6.x this worked in the way that all restrictions for uploading files via php disappeared. For the SME 7.0 it looks like the effect is a bit different.

One thing I am wondering about is: If I made a backup and a restore will the backup restore still contain the modification ?? (I believe in the SME 6.x  it did, even though there were no entries in the custom templates. Could be I have an incorrect memory about this.)


To go back to original..
Code:
/sbin/e-smith/db accounts delprop Primary PHPBaseDir
/sbin/e-smith/signal-event ibay-modify Primary


What may get you going..
Code:
/sbin/e-smith/db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary/:/tmp
/sbin/e-smith/signal-event ibay-modify Primary

Regards,
William

IF I give advice.. It's only if it was me....

arne
« Reply #8 on: November 22, 2006, 10:15:53 PM »
I'm impressed ! It worked. The web is full of the old solution here and there, but the only place I have seen the new solution is here in this thread.

One strange thing was that I also had to change the security setting of the phproject upload folder. I now use 775. I had it more restrictive under sme 6.0.1

Until now I have just tested the upload in subfolders of the Primary ibay.

Thanks a lot  :D

Arne

arne
« Reply #9 on: November 22, 2006, 11:03:06 PM »
A small correction again ..

It is the upload to other i-bays than Primary that works. Upload to subfolders of Primary seems not to work. (I think that is not a problem at all.) (And the other i-bays than Primary are accessed as virtual domains.)

To mention it again, I had to set the permissions of the upload folder a little bit different from the sme 6.0.1. This time I use 775

Arne

arne
« Reply #10 on: November 22, 2006, 11:20:25 PM »
Upload function tested with Windows XP / Explorer and Linux / Konqueror / Opera, http and https. Everything worked just fine.

Great !  :D  :D  :D

Thanks again !

Arne

william_syd
« Reply #11 on: November 23, 2006, 01:08:38 AM »
I thought I would have a play...

Download and extract all the files to /opt/phpproject
Code:
chown www:www -R /opt/phpproject

Make a file.. 86phpproject
Contents...
Code:
# phpproject
Alias /phpproject /opt/phpproject
<Directory /opt/phpproject>
    SSLRequireSSL on
    Options -Indexes
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
    Satisfy all
    AddType application/x-httpd-php .php .php3
    php_flag  magic_quotes_gpc  on
    php_flag  track_vars        on
</Directory>

and copy it to /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
Code:
expand-template /etc/httpd/conf/httpd.conf
svc -t /service/httpd-e-smith


Make an empty mysql db and user

Go to
https://server/phpproject

File uploads appear to work.

https://secure.magicwilly.info/phpproject
arne/arne

And open_basedir is not set...
https://secure.magicwilly.info/phpproject/index2.php
Regards,
William

IF I give advice.. It's only if it was me....