Re: Anyone have some basic security tips for PHP-programmers?

["James Mitchell" <reductor () askmiky com>]

Hello,

For your first block of code, I recommend you use this instead:

foreach($_GET as $k=>$v) {
$v=addslashes($v);
$v=str_replace(';','',$v);
$_GET[$k]=$v;
}

And the same for _POST, how ever this will not absolutely prevent it.

One method of detection would be the following, how ever its not completely
fool proof, but helps.

foreach($_REQUEST as $k=>$v) {
if(strpos($v,'1=1')!==false || strpos(strtoupper($v),'UNION
SELECT')!==false) {
// Set a session or something here, to monitor this users activitys.
}
}

This will mean when people attempt stuff, you will be watching them and know
who they are.

For your function, system I recommend the following.

$valid_funcs = array('main','contact','services','whatever');
if(!isset($_REQUEST['func']) || (!in_array($_REQUEST['func'],$valid_funcs)))
{
$_REQUEST['func'] = 'main';
}
call_user_func($_REQUEST['func'],$_REQUEST['ARG1'],$_REQUEST['ARG1_VAL']);

Thanks,
James Mitchell




----- Original Message -----
From: <arek () chelmnet pl>
To: "James Mitchell" <reductor () askmiky com>; <webappsec () securityfocus com>
Sent: Thursday, November 20, 2003 11:50 AM
Subject: RE: Anyone have some basic security tips for PHP-programmers?


> > Your first code block:
> > 1. Request Variables, containing variables will be evaluated. (e.g.
> > $config[mysql_pass]
> OK, so we should to escape or drop $,,,[,],etc...
> > 2. The keys will not be escaped
>
> > (file.php?a%3D1%3B+print+file_get_contents%28%22%2Fetc%2Fshadow%22
> > %29%3B+%2F
> > %2F=hacked)
> Hmm,
>
> > 3. Your setting globals, easy to overwrite things
> > (file.php?_SERVER[REMOTE_ADDR]=127.0.0.1)
>
> I tried that -this is not vunlereable ...
>
> > Your second code block:
> > 1. file.php?FUNCTION_INIT=file_get_contentsl&ARG1=/etc/shadow&ARG1_VAL=0
>
> Yea, thanks, i forgot about php specific functions that can be
> NITIATED...  - must validiate that step.
> that's really big BUG...
>
> > A few things.
> > 1. ; is not used in mysql_query
> > 2. eval is slow
> how then you evaluate your result in case when you need to use fragment of
> other variable as your variable ?
> > 3. Globals are bad
> what you use instead ??? cookies ?
> i put in globals after every login the user preferences , not to check it
> every time he goes on site,,, and ofcourse the cookie size is too big.
> in global array i have specific columns permition of R/W/X, related on
every
> type of menu function in R/W/X too, and / or his web page preferences
(which
> column to hide, which to show)
> how other way to do that ? i think that globals are fast, and faster than
> SQL...
> ? so do you prefer to what? creating dynamic of splitted temporary files
for
> every logon with needed and authirized variables , with correct ammount
for
> every type of needed request in them?
>
>
>
> A.Binder