In the process of reviewing the security of our web server, I found a significant problem with Win2k server. The web and FTP servers use the same directory permissions, so it is not so easy to restrict read permissions on public web directories in the site. This isn’t a problem for HTML documents, which are the same whether viewed in a web browser or downloaded via FTP. It is also not a problem for Perl scripts, which reside in a virtual directory outside of the FTP space. It is a big problem for PHP scripts, which produce HTML when viewed in a web browser but reveal the PHP source code when downloaded via FTP!
The source code for open source PHP scripts is already published, so why is this a problem? Most PHP web applications have a config file that contains database login information, and an unscrupulous network user could acquire this information and attempt to modify the database directly. How real is this risk to us? Because of other user limitations, not significant, but it is good practice to close such security holes anyway.
Other prongs of our security structure help keep hackers out. For example, only current network users have FTP access to the web directories. In addition, students only have write access in their personal directories, and they do not have execute permissions there, so they cannot run scripts from their user directories anyway. Finally, I create a separate MySQL user for each PHP application I install, so that a compromised database login/password will only affect one application (e.g., the bulletin board).
The solution to the specific problem of PHP scripts in FTP directories is to move the scripts, much as is done with the Perl cgi-bin. Store the PHP scripts outside of the web directory, for example in a “scripts” folder elsewhere on the web server. Map a corresponding virtual directory in the web site for each PHP script to the appropriate script folder. Then create a separate FTP site for access to that folder. Windows does not allow you to limit FTP access to that folder by user, but it does allow you to restrict by IP address, so I have locked down the scripts folder to my IP addresses only. This does require opening additional firewall ports if you want off-campus access to the FTP site.
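To see the problem and the fix side by side, here is an added Python audit script (my own example, not part of the original post or any project it mentions). It builds a constructed sample tree in a temporary directory, in which the web root doubles as the FTP root and a bulletin-board application keeps a config.php with database credentials inside it. The audit lists every PHP source file reachable through both roots and flags the ones that contain a password variable; it then performs the relocation step described above, moving script files into a separate scripts folder, and re-runs the audit to confirm nothing is left exposed. The paths, file names, credential values and the `$db_pass` naming pattern are all assumptions chosen for the sample; creating the IIS virtual directory and the IP-restricted FTP site is a server-side step that the script does not perform.

```python
"""Audit which script files are exposed to FTP because the FTP root overlaps the web root.

Added example, not code from the original post. All paths and file contents below
are constructed sample data.
"""
import re
import tempfile
from pathlib import Path

# Files the web server would execute but an FTP client would hand over as raw source.
SOURCE_SUFFIXES = {".php", ".php3", ".inc"}

# Assumed naming convention for the credential check: a PHP variable such as $db_pass.
CRED_PATTERN = re.compile(r"\$(db_)?(pass|password|passwd)\b", re.IGNORECASE)


def _is_within(path: Path, root: Path) -> bool:
    """True when `path` lies under `root` (pure path comparison, no symlink resolution)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def exposed_scripts(files, web_root, ftp_root):
    """Return script files that sit under BOTH the web root and the FTP root."""
    web_root, ftp_root = Path(web_root), Path(ftp_root)
    hits = [
        f for f in map(Path, files)
        if f.suffix.lower() in SOURCE_SUFFIXES
        and _is_within(f, web_root) and _is_within(f, ftp_root)
    ]
    return sorted(hits)


def audit(web_root, ftp_root):
    """Walk the web root and report script files an FTP user could download as source."""
    files = [p for p in Path(web_root).rglob("*") if p.is_file()]
    return exposed_scripts(files, web_root, ftp_root)


def leaks_credentials(path) -> bool:
    """True when the file assigns a password-like PHP variable."""
    text = Path(path).read_text(errors="replace")
    return any(CRED_PATTERN.search(line) for line in text.splitlines())


def relocate_scripts(web_root, scripts_root):
    """The fix from the post: move script files out of the web/FTP tree into a separate
    scripts folder, preserving the relative layout so a virtual directory can point at it."""
    web_root, scripts_root = Path(web_root), Path(scripts_root)
    moved = []
    for f in sorted(web_root.rglob("*")):  # materialised first, so renaming is safe
        if f.is_file() and f.suffix.lower() in SOURCE_SUFFIXES:
            dest = scripts_root / f.relative_to(web_root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            f.rename(dest)
            moved.append(dest)
    return moved


def build_sample_tree(base):
    """Constructed layout: web root == FTP root, with a board app's config.php inside it."""
    base = Path(base)
    web = base / "inetpub" / "wwwroot"
    (web / "board").mkdir(parents=True)
    (web / "index.html").write_text("<html><body>hello</body></html>")
    (web / "board" / "config.php").write_text(
        '<?php\n$db_user = "board";\n$db_pass = "sample-only";\n?>'
    )
    (web / "board" / "view.php").write_text("<?php include 'config.php'; ?>")
    scripts = base / "scripts"
    scripts.mkdir()
    return web, scripts


def demo():
    """Audit before and after relocation. Returns web-root-relative POSIX paths:
    (exposed before, exposed files holding credentials, exposed after)."""
    with tempfile.TemporaryDirectory() as tmp:
        web, scripts = build_sample_tree(tmp)
        rel = lambda p: p.relative_to(web).as_posix()
        before = audit(web, web)              # FTP root is the web root, as on the Win2k box
        with_creds = [rel(p) for p in before if leaks_credentials(p)]
        relocate_scripts(web, scripts)        # apply the fix
        after = audit(web, web)
        return [rel(p) for p in before], with_creds, [rel(p) for p in after]


if __name__ == "__main__":
    before, with_creds, after = demo()
    for name in before:
        tag = " (contains credentials)" if name in with_creds else ""
        print(f"exposed via FTP: {name}{tag}")
    print(f"after relocation: {len(after)} script files reachable via FTP")
```

On a real server the audit would be pointed at the actual web root and FTP root rather than the constructed tree; the pure-path comparison in `exposed_scripts` is also what lets you check a proposed layout before touching any files.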
Occasionally, I have students who study a scripting language with me as an independent study. I cannot give them any script access on our production web server, because then they would be able to perform read/write operations just about anywhere on the drive using their own scripts. The only option, time-consuming as it may be, is to set up a separate web server in the DMZ, so that it only has access to the internet and not to the other servers on the network. Then the student has full access to an unprivileged machine.
That’s pretty good security, as far as I am concerned. Comments are welcome, of course! I love to deepen my knowledge of web server security.