Using Burp to intercept traffic and inject code, we identified a remote code execution vulnerability in a website. After entering data in the input fields on the form and clicking submit, the traffic was intercepted and the following command was added to the request in the value of the input fields:
%27%2bsystem(%22id%22)%2b%27
To fix it we did the recommended hardening:
- On all the input fields we did input sanitization. We allowed only digits and put a limit on the number of digits allowed. We also used functions such as htmlspecialchars, escapeshellcmd, escapeshellarg, etc.
This did not help. What I am not able to understand here is that if they intercept the traffic, how are they able to bypass the input validation I have put on the form?
- When we were able to intercept traffic and inject a system command, we checked the user ID and removed shell access for this user ID. In /etc/passwd it was /bin/bash for this user; we removed the access and verified that it was updated to /bin/false for this user.
This also did not help.
- The user whose ID was displayed using the code injection is the owner of the website home directory. We didn't try changing the ownership, but we tried removing execute permissions for this user on the home directory; then the site itself became inaccessible and gave a 403 Forbidden error.
So the execute permissions for this user and other users in the same group were retained.
- We used disable_functions in php.ini to disable most of the recommended functions such as exec, system, etc. We restarted httpd; I was hopeful that this would solve the issue, but the issue still exists. We also used other directives such as session cookie secure, cookie httponly, session.referer_check, session.use_strict_mode, etc., but all in vain.
- We tried removing the execute permission on /usr/bin for all users other than root. With this the vulnerability was fixed, but after some time the site itself became inaccessible: the database was not starting as it needed these permissions. Hence we reverted the permissions.
Could you please let me know if there is anything else that I can try, or if I need to provide more information?
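As an added example (not code from the question above or from the site it describes), here is the pattern the captured payload targets, a request value concatenated into PHP source that is then evaluated, beside a server-side allowlist check that refuses the same request. The field name quantity, the six-digit limit and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example, not from the original question. Shows the injectable pattern
// beside a server-side allowlist check. Field name "quantity" and the
// MAX_DIGITS limit are assumptions.

declare(strict_types=1);

// The vulnerable pattern: building PHP source from a request value. With the
// captured payload '+system("id")+' the generated source becomes
//     $v = ''+system("id")+''; return $v;
// and system() runs before anything else happens. Any check that lives only
// in the browser never sees this request, because the proxy rewrites the
// value after the form has already been submitted.
function vulnerableAssign(string $input): string
{
    $code = '$v = \'' . $input . '\'; return $v;';
    return (string) eval($code);   // never do this with request data
}

// Hardened form: validate on the server, on every request, against an
// allowlist, and never turn the value into code. ctype_digit() accepts only
// the characters 0-9, so quotes, plus signs, parentheses and letters all fail
// no matter how the client encoded them on the wire.
const MAX_DIGITS = 6;   // assumed limit for the example

function validateDigits(string $input): ?string
{
    if ($input === '' || strlen($input) > MAX_DIGITS || !ctype_digit($input)) {
        return null;
    }
    return $input;
}

// Request handling: validate, then either refuse early or use the value as a
// number. The rejected raw value is logged so the attempt is visible in
// detection, and it is never passed to eval(), system() or a shell.
function handleRequest(array $post): array
{
    $raw   = $post['quantity'] ?? '';
    $value = validateDigits(is_string($raw) ? $raw : '');
    if ($value === null) {
        error_log('rejected value for quantity: ' . var_export($raw, true));
        return ['status' => 400, 'body' => 'quantity must be 1-' . MAX_DIGITS . ' digits'];
    }
    // Safe to use: a digit string, cast to int or bound to a prepared statement.
    return ['status' => 200, 'body' => 'quantity=' . (int) $value];
}

// Constructed sample requests (not from the original post): the decoded form
// of the captured payload, and a legitimate value. The vulnerable function is
// only ever called here with the harmless value, to show normal behaviour.
$captured = urldecode('%27%2bsystem(%22id%22)%2b%27');   // '+system("id")+'
var_dump(handleRequest(['quantity' => $captured]));       // status 400, logged
var_dump(handleRequest(['quantity' => '42']));            // status 200
var_dump(vulnerableAssign('42'));                         // string(2) "42"
```

Run it with php example.php: the first request is refused with a 400 and the raw value lands in the error log, the second is accepted. Two points are worth keeping in mind while reading it: the check has to execute in the server-side handler on every request, because an intercepting proxy edits the request after any browser-side validation has already passed; and eval is a language construct rather than a function, so the disable_functions directive in php.ini does not cover it, while system() invoked from PHP spawns /bin/sh under the web server's own process and never consults the login shell recorded in /etc/passwd.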