Security Issues

General Considerations
• Security is a hot topic
• Security discussions are full of jargon
  – Zero Day Exploit
  – Pen testing
  – Hacker
  – Pharming
  – Injection
  – malware
  – DOS
• Serious issue, but lots of FUD

Start by thinking about where you are exposed

Filesystem
• Multiuser systems
  – PHP code executes as the web server, with the web server's permissions
  – This means any file that you write via PHP might be writable by other users (either via PHP or a CGI program)
  – Any file that's readable by the web server is readable by others via the web server, even if the server won't serve them to a browser directly
  – Often web pages are world readable

Forms
• You're also exposed whenever you request data from a user
  – A user may give you data you don't expect or want
  – Depending on how your program handles the data, this can have a variety of results
  – Your data on the server could be affected
  – Other users' browsers could be affected

Other Vectors
• This is an aside….
• Services such as ssh and mysql
  – Firewalls
  – DMZ
  – Bind to different ip addresses
• What you do from the server
• Where the server is located--physical security is key

Consider where you want to put your security measures
• For example, in this class I'm trusting you all a lot, as a group, not to trash machines
• In MySQL, you can either use the database to secure data, or PHP, or both
  – Both is hard to do…
• In some cases, restricting access to a domain is enough, in others ids are better

Balance
• Security is like a seesaw, with whitehats and blackhats on the ends
• What's the most secure OS?
• Where is the threat coming from these days?

Categories of Hacks
• Data that is inserted into code that is displayed on your pages
• Data that is inserted to alter your data
• Holes that can be exploited to run arbitrary commands

Display Hacks
• Targets are bulletin boards, blogs that allow comments, wikis, web forums--anything that allows users to input text that will be displayed
• At best, you might get random stuff showing up on your web pages
• At worst, users could be "captured" and whisked away

Builtin Security
• PHP does try to protect us, but sometimes that protection causes its own problems
• I'm going to run through a series of examples, showing some simple insertion techniques, and the approaches to stop them

Magic Quotes
• An example of trying to do good in a bad way….

In the Beginning
• As PHP became more popular, attacks against it became more common (why would this be the case?)
• Around PHP 3, it was in widespread use, but had very few security features out of the box
• In particular, it did nothing to affect data input by forms

Version 4.2.3
• To make PHP safer, version 4.2.3 included magic quotes enabled by default
• Magic quotes performs the same function as addslashes(), but only on any GET, POST or cookie data--that is, it escapes any ', ", \, or NULL characters, in an attempt to prevent folks from inserting command strings into php
• It works ok, for what it's trying to do, but isn't a complete solution…

So how does it work?
• Magic quotes will try to protect us a bit if someone inserts something like:

    <b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here for further information</a></p>

echo_string_noslash.php
• This file defeats magic quotes and echoes the $_GET["string"] var without alteration

    <b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here for further information</a></p>

Calgon, take me away
• One can also insert code that moves the user from your site:

    <script type=text/javascript>window.location= "http://www.duke.edu";</script>

With magic quotes
• echo_string.php doesn't defeat magic quotes

    <b>Alert!</b><p>Your account has been compromised, please <a href=http://www.cs.unc.edu>click here for further information</a></p>

Can't trust browsers anyhow
• So with magic quotes if the hacker uses well formed HTML, we're ok
• But what if I put this in:
• Or this:

    <img src=http://cutedeadthings.com/images/skull-pink-tm.png>

• The browser is trying to be helpful…
• Look at the source

We don't need no quotes
• Even worse, we don't need quotes to call for an external javascript
• This means we can insert pretty much anything we want into the page:

    <script src=http://127.0.0.1/INLS672/samples/php/security/javascript_hack.js></script>

This last example
• Cross site scripting (XSS) generally involves getting data into a web form that produces HTML for display, and using that to call an external script to perform a malicious action
• This is often done with javascript, but can be done with other languages
• Older versions of IE were prone to attack in this manner because of ActiveX

Are Magic Quotes AGT?
• Some say that magic quotes are bad
  – When enabled, it can make it more difficult to get the data the way you want it
  – Produces a false sense of security, since programmers should check user data anyway
• But it does protect against the most common attacks such as insertion of javascript
• But folks hated it enough that it's off in PHP 6
• And that's the worst of it--if you want to write portable code, you have to check for it

Detecting and Defeating Magic Quotes
• This is not very efficient

    <?php
    if (get_magic_quotes_gpc()) {
        function stripslashes_deep($value)
        {
            $value = is_array($value) ?
                        array_map('stripslashes_deep', $value) :
                        stripslashes($value);
            return $value;
        }
        $_POST = array_map('stripslashes_deep', $_POST);
        $_GET = array_map('stripslashes_deep', $_GET);
        $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
        $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    }
    ?>

  from http://us.php.net/manual/en/function.stripslashes.php

It's up to you
• For many samples of XSS attacks, see: http://ha.ckers.org/xss.html

Simple Sanitation
• In this case, we're going to use htmlentities(), htmlspecialchars() and strip_tags() to affect the user's input
• see echo_string_checks.html
• Be aware that this is mainly a browser protection…

Blacklist vs. Whitelist
• What we've looked at so far are examples of blacklisting--trying to spot evil input
• Whitelisting is more secure--figure out what you want, and only allow that

Using regex
• Decide what you're willing to accept
• Check the user input for that

    if (eregi("^[a-zA-Z0-9]{0,}$", $_GET['string']))
        // The regex above checks every char starting with 0
        {
        echo "String is: " . $_GET['string'];
        }
    else
        {
        echo "<p>Illegal
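
The slides' argument that slash-escaping leaves unquoted markup untouched, while output encoding and a whitelist check do not, shown as an added example (not code from the original slides). The payloads are the slides' own samples; the function names and the 1-32 character limit are assumptions, and preg_match() stands in for eregi(), which was removed in PHP 7.

```php
<?php
// Added example; run from the command line (php example.php).

// What magic quotes did to GET/POST/cookie data: addslashes() semantics.
// Only ', ", \ and NUL are touched, so '<' and '>' pass straight through.
function magic_quotes_style(string $s): string {
    return addslashes($s);
}

// Output encoding for an HTML body or quoted-attribute context.
function encode_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Whitelist: accept only ASCII letters and digits.
// \A and \z anchor the whole string; '$' would also match before a trailing newline.
// The 1-32 length limit is an assumption for this example.
function is_allowed(string $s): bool {
    return preg_match('/\A[a-zA-Z0-9]{1,32}\z/', $s) === 1;
}

// Inputs: one benign value plus two payloads quoted on the slides.
$samples = [
    'plain123',
    '<img src=http://cutedeadthings.com/images/skull-pink-tm.png>',
    '<script type=text/javascript>window.location= "http://www.duke.edu";</script>',
];

foreach ($samples as $input) {
    $slashed = magic_quotes_style($input);
    $encoded = encode_for_html($input);

    printf("input:     %s\n", $input);
    printf("  slashed:   %s\n", $slashed);
    // If '<' survives, a browser still parses the value as markup.
    printf("  raw '<' after slashing: %s\n", strpos($slashed, '<') !== false ? 'yes' : 'no');
    printf("  encoded:   %s\n", $encoded);
    printf("  raw '<' after encoding: %s\n", strpos($encoded, '<') !== false ? 'yes' : 'no');
    printf("  whitelist: %s\n\n", is_allowed($input) ? 'accept' : 'reject');
}
```

Encoding belongs at the point of output and the whitelist at the point of input; the two are complementary rather than alternatives.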


UNC-Chapel Hill INLS 672 - Security Issues
