Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)

Similar presentations

Presentation on theme: "PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)"— Presentation transcript:

1 PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)

2 Secure Web Applications Most security issues have to do with: –hacker attacks denial of service server hijacking –common threats –compromise of data

3 Basic Rule Never trust user input –Poorly or unvalidated user input constitutes the most severe security problem with web applications can crash a server can cause buffer overflows –can allow machine to be hijacked –allow hacker to have root access –Assume user input is bad until you prove its OK

4 Global Variable Scope In versions of PHP earlier than 4.2.0 many external variables were defaulted to global scope, variables couldn’t be trusted <?php if (authenticate_user()) { $authenticated = true; } … if (!$authenticated) { die (“Authorization required”) } ?> If you set $authenticated to 1 via a GET: the last test would pass, when it shouldn’t

5 Global Variable Scope (more) Since PHP 4.1.0 register_globals has been deprecated; GET, POST, Cookie, Server, Environment and Session variables are no longer in the global scope. There are several new arrays to help developers writing applications: $_GET, $_POST, $COOKIE, $_SERVER, $_ENV, $_REQUEST, $_SESSION <?php $_SESSION[‘authenticated’] = false; if (authenticate_user( )) {$_SESSION[‘authenticated’] = true;} …. If ($_SESSION[‘authenticated’]) { die (“Authorization required”);} ?>

6 Database Interaction Most PHP application use data entered from a form to build SQL queries, this can cause a security risk. Assume a script that edits data from some table with a form that POSTs to the same script. The beginning of the script checks to see if the form was submitted then updates the user chosen table. <?php if ($update_table_submit) { $db -> query(“update $table set name=$name); > ?> If you don’t validate variable $table it could be set to any table via a GET ord%3Daaa+where+user%3D%27admin%27%+%23 update users set password=aaa where user=“admin” # set name=$name

7 Calling External Programs Sometimes you need to call external programs (using system( ), exec( ), popen( ), passthru( ), or the back-tick operator), this is extreemly dangerous if the program name or any of its arguments are based on user input. Instead use escapeshellarg( ) or escapeshellcmd( ) so that users can’t trick the system into executing arbitrary commands. The user could control $to to yield:$ which would result in running the command: /usr/sbin/sendmail -i /etc/passwd; rm * a solution would be: $fp = popen(‘/usr/sbin/sendmail -i ‘. escapeshellarg($to), ‘w’);

8 File Uploads User uploaded file can be a problem because of the way that PHP handles them. PHP will define a variable in the global scope that has the same name as the file input tag in the submitted web form. Then it will create this file with the uploaded file content but not check if the filename is valid or is the uploaded file. <?PHP if ($upload_file && $fn_type = = ‘image/gif’ && $fn_size < 100000) { copy($fn,’images/’); unlink($fn); ?> <form method=“POST” name=“fileupload” action=“fupload.php” enctype=“multipart/form-data”> File: a malicious user could create his own file specifying the name of some file containing sensitive information and submit it, resulting in the processing of the other file…...

9 File Uploads (cont.) this would move the file /var/www/html/index.html to /images a fix would be: <?php if ($upload_file && $_FILES[‘fn’][‘type’] = = ‘image/gif’ && $_FILES[‘fn’][‘size’] < 100000) { move_uploaded_file($_FILES[‘fn’][‘tmp_name’],’images/’); } ?>

10 Include Files PHP allows you to include files in your script via include( ), include_once( ), requires( ), and requires_once( ). This is convenient and aids maintainability and reuse but is dangerous. Suppose you have a script that includes several HTML file and displays them in the proper layout: If someone were to pass the $layout variable through a GET; just think…. -or- where nasty.html contains: <?php passthru(‘rm *’); passthru(‘mail </passwd);

Download ppt "PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)"

Similar presentations

Ads by Google