Secure PHP Development- P12

Shared by: Cong Thanh | Date: | File type: PDF | Pages: 5

Secure PHP Development- P12: Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a powerful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web platforms.

Text content: Secure PHP Development- P12

Part I: Designing PHP Applications

Minimizing User-Input Risks

As previously mentioned, user input poses the most likely security risk to your Web applications. Let's look at a few scenarios for how seemingly harmless and simple programs can be made to do malicious tasks.

Running external programs with user input

Listing 2-1 shows a simple PHP script called bad_whois.php (bad_ has been added so that you think twice before actually putting this script in any real Web site).

Listing 2-1: bad_whois.php
Chapter 2: Understanding and Avoiding Security Risks

    if (! empty($errors)) {
        echo "Error: $errors when trying to run $WHOIS";
    }
    ?>

This simple script displays the whois database information for a given domain. It can be run like this:

    http://server/bad_whois.php?domain=evoknow.com

The output is shown in Figure 2-1.

Figure 2-1: Harmless output of bad_whois.php script.

Now what's wrong with this output? Nothing at all. domain=evoknow.com is used as an argument to execute the /usr/bin/whois program. The result of the script is the way it was intended by the programmer: It displays the whois database query for the given domain. But look what happens when the user runs this same script as follows:

    http://server/bad_whois.php?domain=evoknow.com;cat%20/etc/passwd
The output is shown in Figure 2-2.

Figure 2-2: Dangerous output of bad_whois.php script.

The user has supplied domain=evoknow.com;cat%20/etc/passwd, which is run by the script as

    $runext = exec("/usr/bin/whois evoknow.com;cat /etc/passwd", $output);

The user has not only supplied a domain name for the whois program but also inserted a second command using the semicolon separator. The second command is cat /etc/passwd, which displays the /etc/passwd file. This is where this simple script becomes a tool for malicious hackers to exploit system information or even do much more harmful activities such as running the rm -rf command to delete files and directories.

Now, what went wrong with the simple script? The script programmer trusted user input and will end up paying a big price for such misplaced trust. You should never trust user input when you have no idea who the next user is. Listing 2-2 shows an improved version of the bad_whois.php script called better_whois.php.

Listing 2-2: better_whois.php
    $secureDomain = (! empty($_REQUEST['domain']))
        ? escapeshellcmd($_REQUEST['domain'])
        : null;

    // The WHOIS binary path
    $WHOIS = '/usr/bin/whois';

    echo "Running whois for $secureDomain ";

    // Execute WHOIS request; the third argument receives the exit status
    exec("$WHOIS $secureDomain", $output, $errors);

    // Initialize output buffer
    $buffer = null;

    // Skip the "Whois Server Version" banner line (foreach replaces the
    // original each() loop, which is no longer available in current PHP)
    foreach ($output as $line) {
        if (! preg_match("/Whois Server Version/i", $line)) {
            $buffer .= $line . '';
        }
    }

    echo $buffer;

    if (! empty($errors)) {
        echo "Error: $errors when trying to run $WHOIS";
    }
    ?>

If this script is run as

    http://server/better_whois.php?domain=evoknow.com;cat%20/etc/passwd

it will not run the cat /etc/passwd command, because the escaping of shell characters using the escapeshellcmd() function turns the given domain name into evoknow.com\;cat /etc/passwd. Because this escaped version of the (illegal) domain name does not exist, the script doesn't show any results, which is much better than showing the contents of /etc/passwd.

So why didn't we call this script great_whois.php? Because it still has a user-input-related problem, which is discussed in the next section.
Getting user input in a safe way

In the preceding example, we had user input returned to us via the HTTP GET method as part of the URL, as in the following example:

    http://server/better_whois.php?domain=evoknow.com

When better_whois.php is called, it automatically gets a variable called $domain created by PHP itself. The value of the $domain variable is set to evoknow.com. This automatic creation of input variables is not safe. For an example, take a look at Listing 2-3.

Listing 2-3: bad_autovars.php
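The two weaknesses this section identifies, escapeshellcmd() leaving a mangled but still two-word argument for the shell and PHP creating $domain from the query string on its own, can be addressed together. The following is an added example, not code from the book: it reads the domain explicitly from a request array (normally $_GET) instead of relying on an auto-created variable, rejects anything that is not shaped like a hostname before the value goes anywhere near a command line, and quotes the value with escapeshellarg() rather than escapeshellcmd(). The function names readDomain(), buildWhoisCommand() and runWhois(), the hostname pattern, and the sample requests are assumptions made here; the chapter's own two inputs are used as the constructed sample data.

```php
<?php
// Added example (not from the book): explicit, validated input handling for a
// whois front end. Function names and sample inputs below are constructed here.

// Read the domain from an explicit request array (normally $_GET), never from a
// variable PHP may have created from the query string. Returns null when the
// value is missing or is not a plausible hostname, so nothing untrusted is ever
// interpolated into a command line.
function readDomain(array $request): ?string
{
    // Initialise explicitly: this local is ours, not whatever arrived in the request.
    $domain = null;

    if (isset($request['domain']) && is_string($request['domain'])) {
        $candidate = trim($request['domain']);

        // Labels of 1-63 alphanumerics/hyphens, at least one dot, alphabetic TLD,
        // 253 characters at most. A ';', space or '/' cannot match, so the input
        // from Figure 2-2 is rejected before escaping is even considered.
        $hostPattern = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
        if (preg_match($hostPattern, $candidate) === 1) {
            $domain = strtolower($candidate);
        }
    }

    return $domain;
}

// Build the command string two ways so the difference between the book's
// escapeshellcmd() and escapeshellarg() is visible without executing anything.
function buildWhoisCommand(string $domain, string $method): string
{
    $whois = '/usr/bin/whois';

    if ($method === 'escapeshellcmd') {
        // Escapes ';' to '\;' but leaves the space alone, so the shell still sees
        // two words after 'whois': a bad argument rather than a second command.
        return "$whois " . escapeshellcmd($domain);
    }

    // escapeshellarg() wraps the whole value in single quotes: exactly one
    // argument, whatever characters it contains.
    return "$whois " . escapeshellarg($domain);
}

// Validate first, then run. Returns the output lines, or null when the input
// was rejected or whois exited with a non-zero status.
function runWhois(array $request): ?array
{
    $domain = readDomain($request);
    if ($domain === null) {
        return null;
    }

    $output = [];
    $status = 0; // exec()'s third argument is the exit status, not an error string
    exec(buildWhoisCommand($domain, 'escapeshellarg'), $output, $status);

    return $status === 0 ? $output : null;
}

// Constructed sample requests: the legitimate query and the injection attempt
// shown in the chapter.
$samples = [
    ['domain' => 'evoknow.com'],
    ['domain' => 'evoknow.com;cat /etc/passwd'],
];

foreach ($samples as $request) {
    $raw = $request['domain'];
    echo "input:              $raw\n";
    echo "  readDomain:       " . var_export(readDomain($request), true) . "\n";
    echo "  escapeshellcmd:   " . buildWhoisCommand($raw, 'escapeshellcmd') . "\n";
    echo "  escapeshellarg:   " . buildWhoisCommand($raw, 'escapeshellarg') . "\n";
}
```

Run it from the command line with `php` to see the two escaping results side by side; only runWhois() touches the system, and it is never reached for a value that readDomain() has not accepted. The point of the pattern check is that validation, not escaping, decides what is allowed; escaping is the second layer that keeps the accepted value a single argument.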