PHP Security Issues and Options West Suburban Chicago PHP Meetup August 2, 2007


PHP Security Issues and Options

West Suburban Chicago PHP Meetup

August 2, 2007

Our Group

● Meets monthly
● Usually meets at Starbucks in Glen Ellyn
● http://php.meetup.com/381/

Who is this handsome guy?

Dave Ross
● BS in Computer Science
● Eight years development experience
● Six years e-commerce experience
● Currently working as a PHP developer

Who is this handsome guy?

Dave Ross
● On the Internet since 1994
● Using the web since 1995

Reality Check

“More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases.”

- Judith Collins, associate criminal justice prof. at Michigan State University.

Source: http://www.dallasnews.com/sharedcontent/dws/bus/personalfinance/stories/060605dnbusidtheft.11c0c6694.html

Not Insecure By Nature

FACT: Almost all PHP programs are written for the web.

The web is a nasty place.

Not Insecure By Nature

FACT: PHP is free and easy to learn.

PHP is attractive to amateurs who don't have training or experience in security.

Not Insecure By Nature

FACT: Apps considered insecure have PHP in their names.

phpBB, PHP-Nuke...

Not Insecure By Nature

FACT: register_globals is evil

What is this, 2001? (Disabled by default since PHP 4.1.0 -- December, 2001)

Common Attack Vectors

● Validation circumvention
● Code injection
● SQL injection
● Cookie injection
● Mail forms
● Cross-site Scripting (XSS)

(This is NOT a complete list by ANY means)

Validation Circumvention

● Application might not be expecting invalid data
● Goal is to make the application blow up in an interesting way
● Put application in an invalid state?
● Reveal debugging info (database pw)?

Validation Circumvention

● Validation on the client side is good for the user
● Validation on the server side is good for security

Who says you can't do both?

Validation Circumvention

PHP provides functions for interrogating values

● is_int(), is_float(), is_bool(), is_finite()
● intval(), floatval(), doubleval()
● strlen(), strpos()

Code Injection

Don't use parameters as parameters to something else (directly)

$filename = $_REQUEST['message'];

$message = file_get_contents($filename);

print $message;

This is ok: http://example.com/myscript.php?message=hello.txt

But what if I do this?: http://example.com/myscript.php?message=passwords.cfg

Code Injection

This is especially important for includes

$module = $_REQUEST['module'];

include("lib/$module");

This is ok: http://example.com/cms?module=login.php

But what if I do this?: http://example.com/cms?module=../passwords.ini

Code Injection

Make sure the value is one you expected; if not... ERROR!

$requestedModule = $_REQUEST['module'];

switch ($requestedModule)
{
    case "login":
        $module = "login";
        break;
    case "logout":
        $module = "logout";
        break;
    default:
        $module = "error";
}
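The same allow-list idea as a reusable loader, written here as an added example rather than code from the slides: the request value is only ever a key into a fixed map, never part of a path, and a realpath() check confirms the chosen file really lives under lib/. The module map and the lib/ directory are assumptions.

```php
<?php
// Added example (not from the slides): fail-closed module loader.
declare(strict_types=1);

// Allow-list: request value => file we are willing to include.
// (Assumed layout; adjust to the application's real modules.)
const MODULES = [
    'login'  => 'lib/login.php',
    'logout' => 'lib/logout.php',
];

/**
 * Resolve a user-supplied module name to a file path.
 * Returns the path for known modules, or null for anything else
 * (e.g. "../passwords.ini", "login.php", an empty string).
 */
function resolveModule(string $requested): ?string
{
    // Exact match against the allow-list; no part of the request
    // ever becomes part of the include path.
    if (!array_key_exists($requested, MODULES)) {
        return null;
    }

    // Defence in depth: the resolved file must be inside lib/.
    $real   = realpath(MODULES[$requested]);
    $libDir = realpath('lib');
    if ($real === false || $libDir === false) {
        return null;
    }
    $prefix = $libDir . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$path = resolveModule((string) ($_REQUEST['module'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('Unknown module');
}
include $path;
```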

SQL Injection

Kind of the same thing, but using SQL

$numChildren = $_REQUEST['children'];

$query = "UPDATE users SET children = $numChildren WHERE userID = 4";

$res = mysql_query($query);

This is ok: http://example.com/user.php?children=2.5

But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;

SQL Injection

PHP offers some functions to help prevent this attack:

● addslashes()
● mysql_real_escape_string()
● PEAR MDB2 prepared statements
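The UPDATE from the previous slide rewritten with a prepared statement, as an added example that is not from the slides. It uses PDO rather than PEAR MDB2 (same technique, different library); the DSN, credentials and users table are assumptions.

```php
<?php
// Added example (not from the slides): validate first, then bind.
declare(strict_types=1);

// Assumed connection details.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

/**
 * The "children" parameter must be a number in a sensible range.
 * "2.5;DELETE FROM users;" is rejected here, before any SQL is built.
 */
function parseChildren(string $raw): ?float
{
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < 0 || $value > 50) {
        return null;
    }
    return $value;
}

/** Run the update with placeholders; returns the number of rows changed. */
function updateChildren(PDO $pdo, int $userId, float $children): int
{
    // The value travels separately from the query text, so the database
    // never parses it as SQL. Compare "... children = $numChildren ...".
    $stmt = $pdo->prepare(
        'UPDATE users SET children = :children WHERE userID = :id'
    );
    $stmt->execute([':children' => $children, ':id' => $userId]);
    return $stmt->rowCount();
}

$children = parseChildren((string) ($_REQUEST['children'] ?? ''));
if ($children === null) {
    http_response_code(400);
    exit('Invalid value for children');
}
$updated = updateChildren($pdo, 4, $children);
```

Note that addslashes() from the list above is not SQL- or charset-aware; of the three options, placeholders are the one that does not depend on escaping at all.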

Cookie Injection

Cookies are just files full of names and values.

i.e. SESSION=18tsd338,username=dave

What if I changed my username to “admin”?
What if I set a cookie value “admin=true”?

Mail Forms

Spammers don't know the meaning of “shame”

● Few mail servers are “open relays” anymore
● Exploit the way PHP talks to mail servers
● Add their own mail headers (To:, Bcc:) or entirely new messages

Mail Forms

● Look for the magic string “\r\n\r\n” in any parameter you pass to mail() (except the actual message)
● Be sure email addresses are formatted correctly – use preg_match()
● See June, 2007 issue of PHP|Architect
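The two checks above as a contact-form guard, added here as an example rather than code from the slides. It goes a little beyond the slide: it rejects any CR or LF in a header field (a single line break is enough to start a new header), not only the blank-line sequence, and uses filter_var() for the address format in place of a hand-written regex. The recipient address is an assumption.

```php
<?php
// Added example (not from the slides): header-injection guard for mail().
declare(strict_types=1);

/** True if $value may safely be placed in a mail header (From:, Subject:). */
function isSafeHeaderValue(string $value): bool
{
    // Any CR, LF or NUL lets the caller terminate the header and start
    // another one (or the body), so none of them is allowed.
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/** True if $address is a single, well-formed e-mail address. */
function isValidAddress(string $address): bool
{
    return isSafeHeaderValue($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Send a contact-form message. Returns false (without sending) when a
 * header field fails validation; only the body may contain line breaks.
 */
function sendContactMail(string $from, string $subject, string $body): bool
{
    if (!isValidAddress($from) || !isSafeHeaderValue($subject)) {
        return false;
    }
    $headers = 'From: ' . $from . "\r\n" . 'Reply-To: ' . $from;
    // Assumed site owner address.
    return mail('owner@example.com', $subject, $body, $headers);
}

// Constructed inputs from a form submission.
$from    = (string) ($_POST['from'] ?? '');
$subject = (string) ($_POST['subject'] ?? '');
$body    = (string) ($_POST['message'] ?? '');

if (!sendContactMail($from, $subject, $body)) {
    http_response_code(400);
    exit('Message rejected');
}
```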

Cross-site Scripting

If I can include HTML or a script in a page, I can make your browser pass a request to another site.

<img src="http://myspace.com?action=deleteMyAccount&really=yesPlease" width="0" height="0" />

Cross-site Scripting

Nonce (n): the present, or immediate, occasion or purpose (origin: Middle English, 1150-1200)

Cryptographic Nonce: A bit or string only used once.

● Put a hidden value in a form and remember it (put it in their session).
● PHP function uniqid()
● When the user submits that form, make sure the nonce matches what you sent them.
● Someone has to submit that same form (or know the nonce) for a valid request.

Tools

● PHPSecAudit
  http://developer.spikesource.com/projects/phpsecaudit/
● Web Developer Toolbars
  Firefox: http://chrispederick.com/work/web-developer/
  Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
  (Just google “IE7 web developer toolbar”)
● Firebug
  http://www.getfirebug.com/

PHPSecAudit

Analyzing file: ./test.php . . . . . .

The followings are function calls that need input sanitization:

I. 1

./test.php: 12, HIGH: exec

Context: exec($module);

Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

Web Developer Toolbars

● View details about a page (HTML, CSS, Cookies, Javascript)
● View/change things you normally can't (CSS, Cookies, password fields)

Firebug

● View page as a tree of tags
● Edit page in the browser
● Edit field values
● Edit Javascript

Tools (Write these URLs down!)

● PHPSecAudit
  http://developer.spikesource.com/projects/phpsecaudit/
● Web Developer Toolbars
  Firefox: http://chrispederick.com/work/web-developer/
  Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
  (Just google “IE7 web developer toolbar”)
● Firebug
  http://www.getfirebug.com/

Going Forward

● Read PHP blogs/publications
  – blog.php-security.org
  – PHP|Architect
  – Open Web Application Security Project (OWASP)
  – www.php.net/manual/en/security.php
● PLAY! “What if I change this value?”
● Don't say “I'll go back and make it secure later.” Later never comes.

Picture Credit

● Lock graphic is “padlocks#3” by “sp4mdi55”
● http://www.flickr.com/photos/ciderpunx/95777022/