PHP Vulnerabilities in Web Servers http://www.cse.wustl.edu/~jain/cse571-07/ftp/php/1 of 18 12/19/2007 5:14 PMPHP Vulnerabilities in Web ServersWritten By: David K. Liefer Steven K. Ziegler Abstract:The Internet has grown to be hugely popular and used by people of all different backgrounds and professions.Individual web pages are created by just about everyone whether or not they have any developmentexperience or not. PHP (PHP: Hypertext Preprocessor) is one of the more popular scripting languages used bybeginners and advanced users. It is an attractive alternative to Java for the novice user but little do they knowthere are some frightening vulnerabilities that can be exploited by clients looking to cause problems or gainaccess to private information or resources that cannot be tied to them. A few of these exploits include remoteand local file inclusion or execution. Through these basics types of vulnerabilities a malicious client couldgain complete access to a web server. To avoid these attacks a web developer needs to take care when writingPHP scripts. The most common mistake made by developers is to unknowingly expose internal variables toclients or when access is needed not properly sanitizing them to ensure the values make sense for the contextin which they are being used. If un-sanitized variables are used in conjunction with certain PHP function callsprivate files can be accessed or remote files can be uploaded and executed. A few of the more dangerous PHPfunctions calls are _GET[] or passthru(). These functions need to be used with care or disabled by the systemadministrator to avoid problems with badly written PHP scripts. To aid in the detection of potentialvulnerabilities the authors of this paper implemented a Vulnerability Detection Tool (VDT). The tool is a javabased program which takes a set of user defined rules then uses these rules to parse through the contents ofevery file in a web development directory. If a defined rule is violated a report giving the filename, linenumber, and severity is displayed in the progress window of the GUI. Readers are encouraged to evaluate thetool, provide feedback to the authors, and when so motivated submit improvements to the tool.Table of Contents:1. Introduction2. Background2.1 PHP2.2 Apache Web Server3. Investigating PHP Vulnerabilities3.1 PHP Script Vulnerabilities3.1.1 Local Vulnerabilities3.1.2 Remote Vulnerabilities3.2 Vulnerabilities Caused by PHP Configuration3.3 Other Vulnerabilities4. Vulnerability Detection Tool4.1 Basic Tool Design Considerations4.1.1 Portability4.1.2 Syntactical DifferencesPHP Vulnerabilities in Web Servers http://www.cse.wustl.edu/~jain/cse571-07/ftp/php/2 of 18 12/19/2007 5:14 PM4.1.3 Flexibility to Include New Vulnerabilities4.2 Tool Requirements, Installation, and Start-Up4.3 VDT User Manual4.3.1 Specification of HTML Directory and Configuration File4.3.2 Search Rule Settings4.3.3 Configuration Rule Settings5. Summary6. ReferencesDownload VDTAcronyms1. IntroductionIn the early days of the Internet most web development was done by professionals. Since then an array of web development tools, several scripting languages, and easily configurable web server software has made it easierfor the novice to create and host their own website's. One of the more popular scripting languages is PHP. Ithas a significant user base and thousands of free scripts can be found all over the internet to perform all kindsof useful functions. It is an attractive alternative to Java for the novice user but little do they know there aresome frightening vulnerabilities that can exploited by clients looking to cause problems or gain access toprivate information or resources that cannot be tied to them. In this paper, the basics behind the PHP scriptinglanguage and Apache web server architecture will be outlined. The latter mainly to understand how requestsand data get forwarded from the web server to the underlining PHP module for interpretation and then passedback to the web server core where it is sent to the client requesting the information. Any web server couldhave been used for this paper, but the Apache web server was chosen dues to its popularity and availability asan open source product. Next, an investigation of the various PHP vulnerabilities will be conducted to providereaders with information that will help them write PHP scripts that are not easily exploited. To help find thesevulnerabilities in website source code the writers of this paper have created a simple yet flexible tool that willrecursively check selected directories for files with certain extensions to see if they have violated any of the predefined or user defined rules. When a rule is violated the severity is reported along with the filename andline number. The tool is aptly named the Vulnerability Detection Tool and its design and use is also outlinedin this paper.2. BackgroundThe subject of this paper is to find PHP vulnerabilities in web servers. The web server we chose to use for this project is Apache, which is an open source product produced by the Apache Software Foundation. A littlebackground information on PHP and the Apache Web server is probably warranted.2.1 PHPThe roots of PHP are quite simple and originate with one man. His name was Rasmus Lerdorf and in 1995 he wrote a simple set of Perl scripts to track accesses of his online resume. He named these scripts "PersonalHome Page Tools". Over time the size and number of Perl scripts got rather large and it was clear that animplementation in a standard programming language would be required to make it more scalable and easier tomaintain. He chose the C programming language and made the application and source available to everyone.PHP Vulnerabilities in Web Servers http://www.cse.wustl.edu/~jain/cse571-07/ftp/php/3 of 18 12/19/2007 5:14 PMHe called the application "Personal Home Page / Forms Interpreter" or PHP/FI. The new implementation gaveusers the ability to communicate with databases and make simple dynamic web applications. Over the years,PHP/FI became quite popular and in 1997 the second version of PHP/FI was released. This versionincorporated fixes and enhancements from the user community. The official release date for PHP/FI 2.0 wasNovember 1997 but its life would be short lived because PHP/FI would receive a major overhaul and namechange from some new developers.A couple of students attempted to use PHP/FI for a university project but realized PHP/FI was not powerful enough