sclorg / s2i-php-container

PHP container images based on Red Hat Software Collections and intended for OpenShift and general usage, that provide a platform for building and running PHP applications. Users can choose between Red Hat Enterprise Linux, Fedora, and CentOS based images.
http://softwarecollections.org
Apache License 2.0

PHP version leakage #408

Closed paulbadcock closed 1 year ago

paulbadcock commented 1 year ago

Container platform

OCP 4

Version

php-80 php-81

OS version of the container image

RHEL 9

Bugzilla, Jira

No response

Description

The 7.x line of containers didn't expose PHP version(s) via HTTP headers

Create an index.php

<html>
<body>
hello <?php print "world"; ?>
</body>
</html>

Use a dockerfile

FROM ubi8/php-73

USER 0
ADD . /tmp/src
RUN chown -R 1001:0 /tmp/src
USER 1001

# Install the dependencies
RUN /usr/libexec/s2i/assemble

# Set the default command for the resulting image
CMD /usr/libexec/s2i/run

Build the container and run

podman build . -t leakage:test
podman run --name leaker -d -p 8080:8080 leakage:test

Verify php is actually running the code in the file

curl http://localhost:8080/index.php
<html>
<body>
hello world</body>
</html>

Examine the headers

curl -I http://localhost:8080/index.php
HTTP/1.1 200 OK
Date: Tue, 02 May 2023 20:07:24 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Content-Type: text/html; charset=UTF-8

Now if you flip the build to php 8.1 by simply changing the From line in the Dockerfile to

FROM ubi9/php-81

You can now see that the full PHP version is being leaked because of the php.ini

curl -I http://localhost:8080/index.php
HTTP/1.1 200 OK
Date: Tue, 02 May 2023 20:09:42 GMT
Server: Apache/2.4.53 (Red Hat Enterprise Linux) OpenSSL/3.0.1
X-Powered-By: PHP/8.1.8
Content-Type: text/html; charset=UTF-8

Introducing a fix in the Dockerfile to remove this

FROM ubi9/php-81

USER 0
ADD . /tmp/src
RUN chown -R 1001:0 /tmp/src

# Tighten up the php ver leak
RUN sed -i "s/^expose_php =.*/expose_php = Off/g" /etc/php.ini

USER 1001

# Install the dependencies
RUN /usr/libexec/s2i/assemble

# Set the default command for the resulting image
CMD /usr/libexec/s2i/run

Corrects the output

curl -I http://localhost:8080/index.php
HTTP/1.1 200 OK
Date: Tue, 02 May 2023 20:12:02 GMT
Server: Apache/2.4.53 (Red Hat Enterprise Linux) OpenSSL/3.0.1
Content-Type: text/html; charset=UTF-8

TL;DR: the PHP version is now in the server headers, triggering security alerts.

Reproducer

No response
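The check that the scanners in this report are effectively performing, as an added example (not code from the s2i-php-container project or from the reporter): a small POSIX shell function that scans a block of HTTP response headers and flags an X-Powered-By header or a Server header that carries a version number. The three sample header blocks are constructed from the curl -I output quoted above; the "hardened" block assumes both expose_php = Off and ServerTokens ProductOnly, which reduces the Server header to the bare product name. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of s2i-php-container: detect version disclosure
# in HTTP response headers, the signal that makes scanners flag an image.

# check_version_leak HEADER_BLOCK
# Prints each offending header line and returns 1 if the block carries an
# X-Powered-By header or a Server header with a version number (product/1.2.3).
# Returns 0 when nothing version-bearing is exposed. CRLF line endings are
# stripped first so raw curl -I output can be passed in unchanged.
check_version_leak() {
    leaks=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -Ei '^(x-powered-by:|server:.*/[0-9])')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed samples, copied from the curl -I output quoted in this issue.
# php-73 default: no X-Powered-By, but the Server header still has versions.
PHP73_HEADERS='HTTP/1.1 200 OK
Date: Tue, 02 May 2023 20:07:24 GMT
Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
Content-Type: text/html; charset=UTF-8'

# php-81 default: expose_php = On adds X-Powered-By on top of the Server header.
PHP81_HEADERS='HTTP/1.1 200 OK
Date: Tue, 02 May 2023 20:09:42 GMT
Server: Apache/2.4.53 (Red Hat Enterprise Linux) OpenSSL/3.0.1
X-Powered-By: PHP/8.1.8
Content-Type: text/html; charset=UTF-8'

# Assumed result after expose_php = Off and ServerTokens ProductOnly:
# X-Powered-By is gone and the Server header is reduced to the product name.
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Tue, 02 May 2023 20:12:02 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

# report NAME HEADER_BLOCK: run the check on one sample and say what was found.
report() {
    echo "== $1"
    if check_version_leak "$2"; then
        echo "clean"
    fi
}

# With URLs as arguments, fetch live headers with curl and check those instead;
# with no arguments, run the three constructed samples.
if [ "$#" -gt 0 ]; then
    for url; do
        report "$url" "$(curl -sI "$url")"
    done
else
    report PHP73_HEADERS "$PHP73_HEADERS"
    report PHP81_HEADERS "$PHP81_HEADERS"
    report HARDENED_HEADERS "$HARDENED_HEADERS"
fi
```

Run it with no arguments to see the three samples scored, or as `sh leakcheck.sh http://localhost:8080/index.php` against a running container. Note that the php-73 sample is not clean either: disabling expose_php only removes X-Powered-By, and the Apache and OpenSSL versions in the Server header stay until ServerTokens is tightened as well.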

zmiklank commented 1 year ago

Hi, thank you for creating the issue.

I see that this configuration is done on the side of the rpm package that is contained in the container images. The expose_php is also enabled by default upstream, based on their documentation.

@remicollet, hi, do you think the container images could benefit from disabling the expose_php? AFAIK it should have no influence on the functionality of the image (except for the information in the header).

remicollet commented 1 year ago

Hiding the version is not a real security feature ;) (and BTW the version doesn't really mean something with our security backports)

We also have Apache version displayed ;)

paulbadcock commented 1 year ago

A lot of security scanners don't factor in the backported fixes, for example, as Remi (btw thanks for all your work on your repos over time) mentioned.

So for our clients that have transitioned from 7.x to 8.x images there's now a ton of questions about which fixes are backported, because scanners now see "x-powered-by" and flag it as unpatched. Yes, security by obscurity is not recommended as protection, but the introduction of this is causing more questions :)

As you mentioned though, there's a framework with Apache to disable this via the httpd-cfg folder by dropping in a file like 10-server_signature.conf

ServerTokens ProductOnly
ServerSignature Off

Since this now defaults to on, it would be nice to have a feature to disable it via the environment rather than custom Dockerfiles.

zmiklank commented 1 year ago

So for our clients that have transitioned from 7.x to 8.x images there's now a ton of questions about which fixes are backported, because scanners now see "x-powered-by" and flag it as unpatched.

Whether a specific patch for a CVE has been backported to a specific version of PHP can be found on access.redhat.com [1]. [1] https://access.redhat.com/security/security-updates/cve

zmiklank commented 1 year ago

We do not plan to provide this change in Red Hat Enterprise Linux container images because of reasons stated in comments above.

Please raise a ticket through the regular Red Hat support channels if this is important/critical for you.

For information on how to contact the Red Hat production support team, please visit: https://access.redhat.com/support