Re: Anyone have some basic security tips for PHP-programmers?

["James Mitchell" <reductor () askmiky com>]

Hello,

You have just posted a very easy to spot, very easy to exploit security
hole.

Here are just a few ways to exploit it.

Your first code block:
1. Request Variables, containing variables will be evaluated. (e.g.
$config[mysql_pass])
2. The keys will not be escaped
(file.php?a%3D1%3B+print+file_get_contents%28%22%2Fetc%2Fshadow%22%29%3B+%2F
%2F=hacked)
3. Your setting globals, easy to overwrite things
(file.php?_SERVER[REMOTE_ADDR]=127.0.0.1)

Your second code block:
1. file.php?FUNCTION_INIT=file_get_contentsl&ARG1=/etc/shadow&ARG1_VAL=0

A few things.
1. ; is not used in mysql_query
2. eval is slow
3. Globals are bad

----- Original Message -----
From: <arek () chelmnet pl>
To: <webappsec () securityfocus com>
Sent: Tuesday, November 18, 2003 8:56 AM
Subject: RE: Anyone have some basic security tips for PHP-programmers?


> Good Night (here in Poland)
> > Good Morning (at least here in Nevada)
>
> > Anyone have any hints for good PHP practices  (Looking for kind of a
"This
> > is one of the most common PHP security flaws" kind of thing)?
> Firstly , the easiest way to enable the following lines for every .php
> script, or into master index.php :
>
>
> foreach ($_GET as $k => $v) {
>  $_GET[$k]=addslashes($_GET[$k]);
>  $v=addslashes($v);
>  $v=ereg_replace(';','',$v);
>  eval(" \$$k = \"$v\" ;");
> }
> foreach ($_POST as $k => $v) {
>  $_POST[$k]=addslashes($_POST[$k]);
>  $v=addslashes($v);
>  $v=ereg_replace(';','',$v);
>  eval(" \$$k = \"$v\" ;");
> }
>
> - this will probably tottally protect you against SQL_INJECTIONS (but you
> cant use ';` or others in 2 way db simply)
>
>
> the next good way is keeping track of openning user items on your site in
> that way:
>
> all of functions (object of your web) are iniciated by one function, eg :
>
> function FUNCTION_INIT() {
> global $this,$FUNCTION_INIT,$ARG1,$ARG1_VAL;
> if($FUNCTION_INIT) {
>  if(!($_SESSION[CURRENT_FUNCTION]==$FUNCTION_INIT)) {
>   $_SESSION[LAST_FUNCTION]=$_SESSION[CURRENT_FUNCTION];
>   $_SESSION[LAST1_FUNCTION]=$_SESSION[LAST_FUNCTION];
>  }
>  $_SESSION[CURRENT_FUNCTION]=$FUNCTION_INIT;
> }
> if($_POST[FUNCTION_INIT]) { $_POST[FUNCTION_INIT]($ARG1,$ARG1_VAL) ;
>    } else if($FUNCTION_INIT) {
>     $FUNCTION_INIT($ARG1,$ARG1_VAL);
> }
>
>
> which are executed by URL:
> ....php?FUNCTION_INIT=show_something&ARG1=ID&ARG1_VAL=132
>
> the main concept of that is: i keep secured, what function is accessible
> from what other function...
> you can then easily control accessing the functions.
> I use session_variables.
>
> remember to verify, (whe submitting) if user has permitions for access the
> record he wants to update/delete. You must enable in db_query function the
> same select, and verify that, user has clicked URL on that what he has
seen
> on his web explorer, or he is hacking and type other ID, which he normally
> wouldn't see.
>
> A.Binder