PHP Security Issues and Options
West Suburban Chicago
PHP Meetup
August 2, 2007

Our Group
Meets monthly
●
Usually meets at Starbucks in Glen Ellyn
●
http://php.meetup.com/381/
●

Who is this handsome guy?
Dave Ross
BS in Computer Science
●
Eight years development experience
●
Six years e-commerce experience
●
Currently working as a PHP developer
●

Who is this handsome guy?
Dave Ross
On the Internet since 1994
●
Using the web since 1995
●

Reality Check
“ More than half of identity theft
cases are inside jobs, says Ms.
Collins, who recently completed
a study of 1,037 such cases.”
- Judith Collins, associate criminal justice prof. at
Michigan State University.
Source:
http://www.dallasnews.com/sharedcontent/dws/bus/
personalfinance/stories/060605dnbusidtheft.11c0c6
694.html

Not Insecure By Nature
FACT: Almost all PHP
programs are written
for the web.
The web is a nasty place.

Not Insecure By Nature
FACT: PHP is free and
easy to learn.
PHP is attractive to amateurs
who don't have training or
experience in security

Not Insecure By Nature
FACT: Apps considered
insecure have PHP in
their names.
PHPbb, PHPNuke...

Not Insecure By Nature
FACT: register_globals
is evil
What is this, 2001?
(Disabled by default since PHP 4.1.0 -- December, 2001)

Common Attack Vectors
Validation circumvention
●
Code injection
●
SQL injection
●
Cookie injection
●
Mail forms
●
Cross-site Scripting (XSS)
●
(This is NOT a complete list by ANY means)

Validation Circumvention
Application might not be
●
expecting invalid data
Goal is to make the application
●
blow up in an interesting way
Put application in an invalid state?
●
Reveal debugging info (database pw)?
●

Validation Circumvention
Validation on the client side is
●
good for the user
Validation on the server side is
●
good for security
Who says you can't do both?

Validation Circumvention
PHP provides functions for
interrogating values
is_int(), is_float(), is_bool(),
●
is_finite()
intval(), floatval(), doubleval()
●
strlen(), strpos()
●

Code Injection
Don't use parameters as
parameters to something else
(directly)
$filename = $_REQUEST['message'];
$message = file_get_contents($filename);
print $message;
This is ok: http://example.com/myscript.php?message=hello.txt
But what if I do this?: http://example.com/myscript.php?message=passwords.cfg

Code Injection
This is especially important
for includes
$module = $_REQUEST['module'];
include(“lib/$module”);
This is ok: http://example.com/cms?module=login.php
But what if I do this?: http://example.com/cms?module=../passwords.ini

Code Injection
Make sure the value is one
you expected, if not...ERROR!
$requestedModule = $_REQUEST['module'];
switch($requestedModule)
{
case “login”:
$module = “login”; break;
case “logout”:
$module = “logout”; break;
default:
$module = “error”;
}

SQL Injection
Kind of the same thing, but
using SQL
$numChildren = $_REQUEST['children'];
$query = “UPDATE users SET children = $numChildren
WHERE userID = 4”;
$res = mysql_query($query);
This is ok: http://example.com/user.php?children=2.5
But what if I do this?: http://example.com/user.php?children=2.5;DELETE FROM users;

SQL Injection
PHP offers some functions
to help prevent this attack:
addslashes()
●
mysql_real_escape_string()
●
PEAR_MDB2 prepared statements
●

Cookie Injection
Cookies are just files full of names
and values.
i.e. SESSION=18tsd338,
username=dave
What if I changed my username to “admin”?
What if I set a cookie value “admin=true”?

Mail Forms
Spammers don't know the
meaning of “shame”
Few mail servers are
●
“open relays” anymore
Exploit the way PHP talks to
●
mail servers
Add their own mail headers (To:, Bcc:) or
●
entirely new messages

Mail Forms
Look for the magic string
●
“\\r\\n\\r\\n” in any parameter you
pass to mail()
(except the actual message)
Be sure email addresses are
●
formatted correctly – use
preg_match()
See June, 2007 issue of
●
PHP|Architect

Cross-site Scripting
If I can include HTML or a script
in a page, I can make your browser
pass a request to another site.
<img src=”http://myspace.com?
action=deleteMyAccount&really=yesPlease”
width=”0” height=”0” />

Cross-site Scripting
Nonce (n); the present, or immediate, occasion or purpose
(origin: Middle English, 1150-1200)
Cryptographic Nonce: A bit or string only used once.
Put a hidden value in a form and
●
remember it (put it in their session).
PHP function uniqid()
●
When the user submits that form,
●
make sure the nonce matches
what you sent them.
Someone has to submit that same form (or know the
●
nonce) for a valid request.

Tools
PHPSecAudit
●
http://developer.spikesource.com/projects/phpsecaudit/
Web Developer Toolbars
●
Firefox: http://chrispederick.com/work/web-developer/
Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?
FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
(Just google “IE7 web developer toolbar”)
Firebug
●
http://www.getfirebug.com/

PHPSecAudit
Analyzing file: ./test.php . . . . . .
The followings are function calls that need input sanitization:
I. 1
./test.php: 12, HIGH: exec
Context: exec($module);
Argument 1 to this function call should be checked to ensure that it does not come from
an untrusted source without first verifying that it contains nothing dangerous.

Web Developer Toolbars
View details about a page (HTML,
●
CSS, Cookies, Javascript)
View/change things you normally
●
can't (CSS, Cookies, password fields)

Firebug
View page as a tree of tags
●
Edit page in the browser
●
Edit field values
●
Edit Javascript
●

Tools
(Write these URLs down!)
PHPSecAudit
●
http://developer.spikesource.com/projects/phpsecaudit/
Web Developer Toolbars
●
Firefox: http://chrispederick.com/work/web-developer/
Internet Explorer 7: http://www.microsoft.com/downloads/details.aspx?
FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038
(Just google “IE7 web developer toolbar”)
Firebug
●
http://www.getfirebug.com/

Going Forward
Read PHP blogs/publications
●
blog.php-security.org
–
PHP|Architect
–
Open Web Application Security
–
Project (OWASP)
www.php.net/manual/en/security.php
–
PLAY! “What if I change this value?”
●
Don't say “I'll go back and make
●
it secure later.” Later never comes.

Picture Credit
Lock graphic is “padlocks#3”
●
by “sp4mdi55”
http://www.flickr.com/photos/
●
ciderpunx/95777022/