Re: Mambo, Coppermine and PHPBB Attacks

[Andrew van der Stock <vanderaj () greebo net>]

Hi Yasuo,

I read your entire post, but the OWASP Guide will be sticking to the  
basic points:

a) unnecessary features which introduce unnecessary vulnerabilities  
should be off by default
b) software written in PHP should be written with allow_url_fopen off  
and magic_quotes_gpc (and friends) off
c) software should WARN or STOP the installation if the above are set  
to on as they are insufficient, insecure and give a false sense of  
security
d) in general, PHP's "safe" mode is not safe, often trivially  
defeated, and is not a good substitute for a proper sandbox and a  
good security architecture

I have spoken to Chris Shifflet about this, and our discussions and a  
document he proofed for me, formed the basis of this year's SANS Top  
20 for PHP, which will now be a separate article on the OWASP main  
site as the Top 20 launched with a watered down version of it. OWASP  
Guide 2.1 (which I am currently editing) provides clearer guidance on  
how to program in PHP safely as it's not entirely clear from PHP's  
website, and nor is it clear from many PHP "security" guides. I also  
recommend Chris' new book to all and sundry as it is *correct* in its  
approach to data validation and sanitization (which he calls filtering).

I would welcome any security professionals in an effort to talk to  
the PHP Development Team as a unified whole:

* Deploy PHP 6.0 in a secure way by default, as many hosters never  
tweak or change php.ini
* Allow scripts to *turn on* features they need by explicit use of  
set_ini() instead of just having them available to all scripts on the  
off-chance a script may need that functionality.
* Remove or disable features like allow_url_fopen and the PHP filters  
(madness) and substitute them with functions to do the same thing for  
those programs which actually need that functionality
* Since PHP 6 is Unicode by default - which will break many scripts,  
I'd like to see echo and printf() changed to be XSS safe by default,  
and have a echo_raw() printf_raw() for those few times you need to  
output HTML directly, or even better think about a Struts style tag  
language so that programmers are not tempted to write their own  
templating engine yet again
* Remove safe_mode and put in place a sandbox and security  
architecture a la Java VM's or .NET

Bugtraq is littered with the consequences of the PHP Development  
Team's extremely poor default choices and even poorer decisions about  
what constitutes "security" for PHP (see "safe" mode for an example).  
PHP must become a safer language by default, or it will be banned  
from hosters who cannot financially support their servers being  
trojan'd frequently by insecure software.

We can and should help the PHP project if they will take our counsel.

Thoughts?

thanks,
Andrew

On 30/12/2005, at 9:43 AM, Yasuo Ohgaki wrote:
> OWASP guideline may be better to be updated, since allow_url_fopen=off
> is not practical and allow_url_fopen=off does not provide good  
> enough safe guard.