Why is getpics.php causing an error message in cPanel?

**kuau** · 04-26-2021, 06:26 PM

1) Script Title: PHP Photo Album script v2.11

2) Script URL (on DD): http://dynamicdrive.com/dynamicindex...photoalbum.htm

3) Describe problem: Even though there is no problem manifesting on the webpage itself (ie. the script is working fine), I am getting this error in the cPanel Error Log file... I can't imagine why this tiny script would be seen by ModSecurity as a "suspicious access attempt" and wonder if something needs to be updated...

Code:

[Sun Apr 25 15:08:58.894782 2021] [:error] [pid 7414:tid 47872391812864] [client 72.234.63.40:63973] [client 72.234.63.40] ModSecurity: Warning. 
Pattern match "(\\\\/(images|img(s)?|pictures|upload(s)?)\\\\/[^\\\\.]{0,108}\\\\.(pht|phtml|php\\\\d?$))" at REQUEST_URI. 
[file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/004_i360_4_custom.conf"] [line "27"] [id "77140735"] 
[msg "IM360 WAF: Suspicious access attempt (webshell)!||MVN:REQUEST_URI||T:APACHE||MV:/img/catering/getpics.php||
SC:/home/****/public_html/mauinuifarm.com/img/catering/getpics.php"] [tag "service_i360custom"] [tag "noshow"] 
[hostname "www.mauinuifarm.com"] [uri "/img/catering/getpics.php"] [unique_id "YIXoevfhNYp8dRd51YAvvgAAAEI"], 
referer: https://mauinuifarm.com/

Here is the code for getpics.php... I replaced the eregi with preg_match when eregi was deprecated...

Code:

<?php
Header("content-type: application/x-javascript");

function returnimages($dirname=".") {
   $pattern='/\.(jpg|jpeg|png|gif|bmp)$/i';
   $files = array();
   $curimage=0;
   if($handle = opendir($dirname)) {
       while(false !== ($file = readdir($handle))){
               if(preg_match($pattern, $file)){
		 $filedate=date ("M d, Y H:i:s", filemtime($file));
                 echo 'galleryarray[' . $curimage .']=["' . $file . '", "'.$filedate.'"];' . "\n";
                 $curimage++;
               }
       }

       closedir($handle);
   }
   return($files);
}

echo "var galleryarray=new Array();" . "\n";
returnimages();
?>

**james438** · 04-27-2021, 03:20 AM

In my experience, these "malicious code detectors" tend to be overly sensitive.

I usually look at their warnings and the file they are referring to, check to see that it is working as it should and that there is no way to access the page without the correct login credentials, notice everything is fine and secure, then roll my eyes and go back to what I was doing.

My hosting service gives me this service for free and then tells me I can keep it if I pay $$ for continued service. I always am happy when their free service, that I didn't ask for, expires.

To be fair, I have seen some files detected by this service that I did not like and got rid of them because they did indeed look malicious, but the vast majority of these reports should be reviewed and ignored.

P.S. I still use this script on my site too

**keyboard** · 04-27-2021, 06:06 AM

Hey kuau, just wanted to add onto what James has already said. Disclaimer that I've never used Imunify360!
It appears that the security warning is not a result of PHP Photo Album script v2.11. The warning you shared was caused by someone accessing the page at /img/catering/getpics.php

There’s a lot of information in the warning, so I’ll try and comment on a few of the key points:

Pattern match "(\\\\/(images|img(s)?|pictures|upload(s)?)\\\\/[^\\\\.]{0,108}\\\\.(pht|phtml|php\\\\d?$))" at REQUEST_URI.

This is the actual security rule that triggered the alert. It’s looks a bit mangled, as it was probably escaped when it was printed to the logging file, but the regex is (essentially)
/(images|img(s)?|pictures|upload(s)?)\/[^\.]{0,108}\.(pht|phtml|php\d?)/

This regex is looking for an image folder that contains a .php file. It matches against URIs, such as “/img/file.php”. Try playing with it on Regexr if you want to understand it a bit better - https://regexr.com/5rm6c (I blanked out some personal info).

Note where it says, “at REQUEST_URI”. This regex is being compared against the request URI. This means:

✖ This security rule is not checking the contents of the file at location /img/catering/getpics.php.
✖ This security rule is not checking through all the files on your webserver and checking if they match the rule.
✔ This rule was triggered because a user visited your site and went to that location.

The rule ID is “77140735” and should be stored in the file /etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/004_i360_4_custom.conf.

The big question… why?
A big concern for any website that allows their users to upload files is ensuring that these files won’t cause damage. One of the most common type of file uploads is images, and, in the regex, you can see it is checking for common upload directory names – /images/, /img(s)/, /pictures/, /upload(s)/. It's looking for PHP files that are stored inside a directory named as above (.pht, .phtml, and .php are all file extensions for PHP scripts). This security rule is designed to alert the administrator if someone manages to upload a PHP file to the server (instead of an image, per say).

Now the warning message is making sense – IM360 WAF: Suspicious access attempt (webshell)!. Imagine the following scenario:

Malicious user goes to a website to upload their profile picture.
Instead of a picture, the user uploads a PHP script.
The server doesn’t validate the user’s input, and it stores the PHP script on the server.
The script that the user uploaded was a web shell.
The user goes to the location of their uploaded file to try and use their web shell.

It is at this last stage, when the user visits the file on the server, that the security rule would trigger. So that should explain why you’re getting this warning. Someone visited the PHP file located at /img/catering/getpics.php. It just so happens that, in this instance, the script is legitimate (wasn’t uploaded by a user). If you want to avoid the error, move your PHP script so that it is not inside of the /img/ directory.

**kuau** · 04-29-2021, 11:01 PM

Dear James: Thanks. Your reply made me laugh because I know that feeling of rolling my eyes and just carrying on. Ultimately, it does seem to be a false alarm, thank god.

**kuau** · 04-30-2021, 12:57 AM

Dear keyboard: Now that was a very detailed reply, I must say! I do have an inquisitive mind so I really appreciate your taking the time to explain why. I read carefully and went to regexr.com. Can't say I understand everything 100% but I do see what triggered the messages and that there is nothing to worry about. The getpics.php script IS from dynamic drive here http://dynamicdrive.com/dynamicindex...umpics.php.txt. I renamed it because I was originally using an older version. Not sure why DD hasn't upgraded this script to use preg_match rather than eregi. I believe getpics.php has to be in each image directory to retrieve thumbnails of the images in that folder. I certainly wouldn't know how to modify the script so that getpics.php could be located somewhere else. I use it A LOT. Years ago John Scheuer was kind enough to help me put Swiss Army slideshow together with the Photo Album script to display art images. I really love how it works. I think I probably should upgrade to 2.11 but I am just so busy. Anyway, mahalo plenty for answering my questions. I wish I had you and James as teachers when I was a kid. aa

**keyboard** · 05-01-2021, 12:09 AM

Originally Posted by kuau

Dear keyboard: Now that was a very detailed reply, I must say! I do have an inquisitive mind so I really appreciate your taking the time to explain why. I read carefully and went to regexr.com. Can't say I understand everything 100% but I do see what triggered the messages and that there is nothing to worry about.

No problem, I'm glad it helped!

Originally Posted by kuau

The getpics.php script IS from dynamic drive here http://dynamicdrive.com/dynamicindex...umpics.php.txt. I renamed it because I was originally using an older version.

Ah, I meant to say that it was the name/location of the php file that was causing it to match, not the contents of the file. I didn’t mean to say it wasn’t a script from DD; my apologies for the confusion!

Originally Posted by kuau

Not sure why DD hasn't upgraded this script to use preg_match rather than eregi. I believe getpics.php has to be in each image directory to retrieve thumbnails of the images in that folder. I certainly wouldn't know how to modify the script so that getpics.php could be located somewhere else.

Some of the scripts are a bit outdated. Hopefully, we’ll get around to updating them soon(ish…).

Originally Posted by kuau

I use it A LOT. Years ago John Scheuer was kind enough to help me put Swiss Army slideshow together with the Photo Album script to display art images. I really love how it works. I think I probably should upgrade to 2.11 but I am just so busy.

I’ve just been looking at the script, and there’s definitely some room for modernising. Is this something you think would be worthwhile?

Originally Posted by kuau

Anyway, mahalo plenty for answering my questions. I wish I had you and James as teachers when I was a kid. aa

My pleasure! Always feel free to ask more questions.

**kuau** · 05-01-2021, 01:13 AM

YES! I think it would be very worthwhile to modernize the scripts. I can't be the only one using it. Everything fancy on my sites came from DD. A few years back I asked John Scheuer if there were a responsive version of the Swiss Army slideshow and he asked me if I could help him do it by providing feedback, which I would love to do, but I did not have a cell phone at the time. Right now I have a loaned cell phone of someone who owes me money so I could now provide feedback on how it looks on a cell phone. I am eager to do whatever I can to help but my knowledge of php is limited even though I try to learn as much as I can. You wouldn't believe how long it is taking me to write that login script you helped me with because I couldn't find a good one online. I use this little script I found years ago to generate a verification code to send to someone registering for an account, but the value keeps disappearing. It works when I test it separately but then within the file it gives no value. It is making me crazy. Back to getpics.com, I do a website for my HOA with lots of slideshows of landscaping photos (I am Board Pres but also do the landscaping as a volunteer). It is also a way for me to keep the photos organized so I love to have the slideshow at the top with the thumbnails below that can be blown up by clicking the thumbnail. Love seeing the before and after pics.

Is there something the matter with this script below? It was for generating passwords but in this case I just need an email verification code.

Code:

<?php  // Generate a random password

function generateVerify ($length = 6){
	
	$verify = ""; // start with a blank password

	// define possible characters - any character in this string can be picked for use in the password, 
	// so if you want to put vowels back in or add special characters such as exclamation marks, this is 
	// where you should do it
	$possible = "1234567890";
//	$possible = "2346789abcdefghjkmnpqrstvwxyzABCDFGHJKLMNPQRTVWXYZ";

	// we refer to the length of $possible a few times, so let's grab it now
	$maxlength = strlen($possible);

	// check for length overflow and truncate if necessary
	if ($length > $maxlength) {
		$length = $maxlength;
	} 
	
	$i = 0; // set up a counter to track how many characters are in the password so far	
	while ($i < $length){ // add random characters to $password until $length is reached		
		$char = substr($possible, mt_rand(0, $maxlength-1), 1);	// pick a random character from the possible ones			
		if (!strstr($verify, $char)) { // have we already used this character in $password?			
			$verify .= $char; // no, so it's OK to add it onto the end of whatever we've already got...			
			$i++; // ... and increase the counter by one
		}
	} // done!
	return $verify;
}
//$vcode = generateVerify ();
//echo "Vcode: " .$vcode. "<br>"; echo "Verify: " .$verify;
?>

Then in the registration script I have this...

Code:

  include('vcode-generate.php');
  $vcode = generateVerify ();

But it shows no value except when I echo the value in the vcode-generate.php file. It makes no sense to me. As always, any help will be greatly appreciated. It is for a community calendar I have inherited from a former client. I have been trying to retire but find I am doing even more work now with the only difference that I no longer get paid lol. aa

**keyboard** · 05-01-2021, 07:43 AM

Thanks for the feedback! I’m busy over the next few weeks with exams, but I may look into it after that. If you get stuck with anything regarding the login script, you’re always welcome to make a thread and ask!

Regarding the code you posted, I tested it printing from both the include and the secondary page. No issues for me with either, so I’m not sure what’s happening there sorry.

That said, I’d recommend taking a look at the script below, from Stack Overflow.
Simple to use, and random_int is cryptographically secure (while mt_rand isn’t).

PHP Code:


<?php
/**
 * Generate a random string, using a cryptographically secure 
 * pseudorandom number generator (random_int)
 *
 * This function uses type hints now (PHP 7+ only), but it was originally
 * written for PHP 5 as well.
 * 
 * For PHP 7, random_int is a PHP core function
 * For PHP 5.x, depends on https://github.com/paragonie/random_compat
 * 
 * @param int $length      How many characters do we want?
 * @param string $keyspace A string of all possible characters
 *                         to select from
 * @return string
 */
function random_str(
    int $length = 64,
    string $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
): string {
    if ($length < 1) {
        throw new \RangeException("Length must be a positive integer");
    }
    $pieces = [];
    $max = mb_strlen($keyspace, '8bit') - 1;
    for ($i = 0; $i < $length; ++$i) {
        $pieces []= $keyspace[random_int(0, $max)];
    }
    return implode('', $pieces);
}
?>

**kuau** · 05-01-2021, 11:43 PM

Great, thanks! I'll try the Stack Overflow script. I also plan to check if there is a built-in function in php 8.0 that does this but haven't yet. Good luck on your exams! Thanks, aa

**keyboard** · 05-02-2021, 01:52 AM

There is the php 7.0 function random_bytes which you can use. I used the other example because it gives you more flexibility and control over the output. If you use random_bytes, you’ll need to convert the output into a readable format, using something like bin2hex.
The disadvantage of this approach is that the output is limited to hexidecimal characters (a-f + 0-9) .

E.g.,

PHP Code:


$bytes = random_bytes(4);
echo bin2hex($bytes); //Each byte will be represented by two hex chars, so you’ll always end up with 2* the number of bytes defined above (and therefore, always an even length output).