WebApp Sec mailing list archives
Re: Anyone have some basic security tips for PHP-programmers?
From: "James Mitchell" <reductor () askmiky com>
Date: Wed, 19 Nov 2003 13:58:08 +1100
Hello,

You have just posted a very easy to spot, very easy to exploit security hole. Here are just a few ways to exploit it.

Your first code block:

1. Request variables containing variables will be evaluated. (e.g. $config[mysql_pass])
2. The keys will not be escaped (file.php?a%3D1%3B+print+file_get_contents%28%22%2Fetc%2Fshadow%22%29%3B+%2F%2F=hacked)
3. You're setting globals, easy to overwrite things (file.php?_SERVER[REMOTE_ADDR]=127.0.0.1)

Your second code block:

1. file.php?FUNCTION_INIT=file_get_contentsl&ARG1=/etc/shadow&ARG1_VAL=0

A few things:

1. ; is not used in mysql_query
2. eval is slow
3. Globals are bad

----- Original Message -----
From: <arek () chelmnet pl>
To: <webappsec () securityfocus com>
Sent: Tuesday, November 18, 2003 8:56 AM
Subject: RE: Anyone have some basic security tips for PHP-programmers?
Good Night (here in Poland) / Good Morning (at least here in Nevada)

Anyone have any hints for good PHP practices (Looking for kind of a "This is one of the most common PHP security flaws" kind of thing)?

Firstly, the easiest way is to enable the following lines for every .php script, or in the master index.php:

foreach ($_GET as $k => $v) {
    $_GET[$k] = addslashes($_GET[$k]);
    $v = addslashes($v);
    $v = ereg_replace(';', '', $v);
    eval(" \$$k = \"$v\" ;");
}
foreach ($_POST as $k => $v) {
    $_POST[$k] = addslashes($_POST[$k]);
    $v = addslashes($v);
    $v = ereg_replace(';', '', $v);
    eval(" \$$k = \"$v\" ;");
}

- this will probably totally protect you against SQL_INJECTIONS (but you can't use ';' or others in a 2-way db simply).

The next good way is keeping track of opening user items on your site in that way: all functions (objects of your web) are initiated by one function, e.g.:

function FUNCTION_INIT() {
    global $this, $FUNCTION_INIT, $ARG1, $ARG1_VAL;
    if ($FUNCTION_INIT) {
        if (!($_SESSION[CURRENT_FUNCTION] == $FUNCTION_INIT)) {
            $_SESSION[LAST_FUNCTION] = $_SESSION[CURRENT_FUNCTION];
            $_SESSION[LAST1_FUNCTION] = $_SESSION[LAST_FUNCTION];
        }
        $_SESSION[CURRENT_FUNCTION] = $FUNCTION_INIT;
    }
    if ($_POST[FUNCTION_INIT]) {
        $_POST[FUNCTION_INIT]($ARG1, $ARG1_VAL);
    } else if ($FUNCTION_INIT) {
        $FUNCTION_INIT($ARG1, $ARG1_VAL);
    }
}

which are executed by URL: ....php?FUNCTION_INIT=show_something&ARG1=ID&ARG1_VAL=132

The main concept of that is: I keep secured what function is accessible from what other function... you can then easily control access to the functions. I use session variables.

Remember to verify (when submitting) if the user has permission to access the record he wants to update/delete. You must enable in the db_query function the same select, and verify that the user has clicked a URL on what he has seen in his web browser, or he is hacking and typing another ID, which he normally wouldn't see.

A.Binder
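The hardened form of the two quoted patterns (request variables copied into globals through eval, and a function called by the name sent in the request), written as an added example for this thread rather than code from either poster. It assumes a hypothetical `items` table with `id`, `owner_id` and `title` columns and a logged-in user id that would normally come from the session (hard-coded here), and uses an in-memory SQLite database with constructed rows so it runs stand-alone:

```php
<?php
// Added example, not from the original thread. Replaces the quoted
// addslashes/eval loop and the $FUNCTION_INIT() dispatcher with:
//  1. explicit, typed reading of each request parameter (no eval, no globals),
//  2. an allowlist mapping request action names to handler functions,
//  3. per-record authorisation with parameterised queries, so the ID the
//     browser sends back is never trusted on its own.
declare(strict_types=1);

// Read one integer parameter explicitly; anything else is rejected.
function param_int(array $src, string $key): ?int
{
    if (!isset($src[$key])) {
        return null;
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Allowlist: the request picks a key here, it never names a PHP function.
const ACTIONS = [
    'show_item'   => 'action_show_item',
    'delete_item' => 'action_delete_item',
];

// Ownership check with bound parameters (assumed schema: items(id, owner_id, title)).
function user_owns_item(PDO $db, int $userId, int $itemId): bool
{
    $st = $db->prepare('SELECT 1 FROM items WHERE id = :id AND owner_id = :uid');
    $st->execute([':id' => $itemId, ':uid' => $userId]);
    return $st->fetchColumn() !== false;
}

function action_show_item(PDO $db, int $userId, int $itemId): string
{
    if (!user_owns_item($db, $userId, $itemId)) {
        return 'forbidden';
    }
    $st = $db->prepare('SELECT title FROM items WHERE id = :id');
    $st->execute([':id' => $itemId]);
    // Escape on output instead of mangling input with addslashes.
    return htmlspecialchars((string) $st->fetchColumn(), ENT_QUOTES, 'UTF-8');
}

function action_delete_item(PDO $db, int $userId, int $itemId): string
{
    if (!user_owns_item($db, $userId, $itemId)) {
        return 'forbidden';
    }
    // The owner constraint is repeated in the DELETE so the check and the
    // write cannot disagree.
    $st = $db->prepare('DELETE FROM items WHERE id = :id AND owner_id = :uid');
    $st->execute([':id' => $itemId, ':uid' => $userId]);
    return 'deleted';
}

// Dispatcher: unknown actions and malformed ids stop here.
function dispatch(PDO $db, int $userId, array $request): string
{
    $action = $request['action'] ?? '';
    if (!array_key_exists($action, ACTIONS)) {
        return 'unknown action';
    }
    $itemId = param_int($request, 'id');
    if ($itemId === null) {
        return 'bad id';
    }
    $handler = ACTIONS[$action];
    return $handler($db, $userId, $itemId);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO items VALUES (132, 7, 'item of user 7'), (133, 8, 'item of user 8')");

// In a real application this comes from the authenticated session, never from
// the request. Assumed here: user 7 is logged in.
$userId = 7;

// Simulated requests in place of $_GET / $_POST.
echo dispatch($db, $userId, ['action' => 'show_item', 'id' => '132']), "\n";
echo dispatch($db, $userId, ['action' => 'show_item', 'id' => '133']), "\n";
echo dispatch($db, $userId, ['action' => 'phpinfo', 'id' => '132']), "\n";
echo dispatch($db, $userId, ['action' => 'delete_item', 'id' => 'abc']), "\n";
```

Run with `php example.php`: the first request returns the user's own title, the second (another user's record) returns `forbidden`, the third (an action name that is not in the allowlist) returns `unknown action`, and the fourth returns `bad id`. Every user-supplied value reaches either a bound query parameter or a fixed lookup table, which is what removes the need for the addslashes and `;`-stripping in the quoted loop.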
Current thread:
- Anyone have some basic security tips for PHP-programmers? Matthews, Chris (Nov 14)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 20)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 22)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- <Possible follow-ups>
- Re: Anyone have some basic security tips for PHP-programmers? DownBload (Nov 18)
- RE: Anyone have some basic security tips for PHP-programmers? Keifer, Trey (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? tim (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)