PHP Security – Ryan Dunn, Jason Pack


Page 1

PHP Security

Ryan Dunn, Jason Pack

Page 2

Outline

• PHP Overview
• Common Security Issues
• Advanced Security Issues
• Easiest Ways to Secure PHP?
• Examples

Page 3

PHP Overview

• Originally designed as a small set of Perl scripts by Rasmus Lerdorf in 1994
• PHP is now a server-side, HTML-embedded, cross-platform scripting language
• The most deployed server-side scripting language, running on around 9 million of the 37 million domains in an April 2002 Netcraft survey
• PHP's own figures show PHP usage (measured on a per-domain basis) growing at around 5% per month

Page 4

PHP Popularity

Page 5

PHP Security Overview

• The PHP interpreter has the potential to access the entire host: a compromised script runs with the web server's privileges
• With register_globals enabled (on by default before PHP 4.2.0, and removed altogether in PHP 5.4), PHP makes all request variables globally accessible by name, including session variables and cookies, so a request parameter can silently become one of your own variables

Page 6

Common Security Issues

• GET vs. POST
• Buffer Overflows
• SQL Injections
• Disabling PHP Error Messages
• Validating the Session
• Included Files Extension
• Comments in HTML Source

Page 7

GET vs. POST (1)

• GET – data is passed by appending the variable/value pairs to the URL
  • Truncated once the request line exceeds the web server's limit (about 8,192 characters; Apache's LimitRequestLine defaults to 8190 bytes)
  • SSL does encrypt the query string in transit, but the values still end up where the encryption does not reach: the browser history, proxy and web server access logs, and the Referer header sent to other sites

Raw HTTP Transmission:

GET /process.php?yourname=fred+smith&[email protected] HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Host: www.fluffygerbils.com
Connection: keep-alive

Page 8

GET vs. POST (2)

• POST – variables are sent in the body of the HTTP request
  • No URL length limit; the body size is bounded only by server configuration (for example PHP's post_max_size)
  • SSL encrypts the body together with the rest of the request, and the values do not appear in the URL, the access logs or the Referer header

Page 9

GET vs. POST (3)

POST Raw HTTP Transmission:

POST /process.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Host: www.fluffygerbils.com
Content-Length: 94
Pragma: no-cache
Connection: keep-alive

[email protected]=I+have+no+comment
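How the GET vs. POST distinction is enforced on the server side, as an added example that is not part of the original deck: process.php accepts state-changing input only via POST, refuses credentials that arrive in the query string (where they would land in logs, history and Referer headers), and reads form fields from $_POST rather than $_REQUEST. The parameter names are assumptions for this example; PHP 7 or later.

```php
<?php
// Added example, not from the original slides. Assumed parameter names.

// Parameters that must never travel in a URL (assumed list).
const SENSITIVE_PARAMS = ['password', 'token', 'email'];

function require_post(): void
{
    // Anything that changes state or carries credentials must be a POST.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        exit('Method Not Allowed');
    }
}

function reject_sensitive_query_params(array $query): void
{
    // Even a POST may carry a query string (POST /process.php?token=...),
    // so the URL parameters are checked explicitly.
    foreach (SENSITIVE_PARAMS as $name) {
        if (array_key_exists($name, $query)) {
            http_response_code(400);
            exit('Sensitive parameter supplied in query string');
        }
    }
}

function read_form(array $post): array
{
    // Read from $_POST only, never from $_REQUEST, so a value cannot be
    // smuggled in through the URL or a cookie and mistaken for body data.
    return [
        'yourname' => trim($post['yourname'] ?? ''),
        'email'    => filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: null,
        'comment'  => trim($post['comment'] ?? ''),
    ];
}

require_post();
reject_sensitive_query_params($_GET);
$form = read_form($_POST);
```

The 405 response advertises the accepted method in the Allow header; the 400 for a sensitive query parameter is deliberate, because silently ignoring the value would still leave it in the access log.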

Page 10

Buffer Overflows

• PHP code does no manual memory management (the engine allocates and frees for you) and has no pointers
• Thus, no buffer overflows are created by PHP code itself
• Overflows are limited to the PHP interpreter and its extensions, which are written in C
• Stay on top of PHP updates to avoid issues

Page 11

SQL Injections

• PHP programmers often take user input directly to construct SQL queries
• Malicious users can exploit this by entering extra SQL in the $username field (for example a tautology such as 0 OR 1=1, which makes the WHERE clause match every row); note that the query below does not even quote the value

    mysql_db_query ($DB, "SELECT something FROM table WHERE name=$username");
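The slide's query beside a hardened version, as an added example that is not part of the original deck. The mysql_* functions the slide uses were removed in PHP 7, so the example uses PDO, which also provides prepared statements; the users table, its columns and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
// Added example, not from the original slides. Sample schema and data are
// constructed; $username stands for untrusted request input.

function vulnerable_lookup(PDO $db, string $username): array
{
    // Untrusted input concatenated straight into SQL, as on the slide:
    // an input of "0 OR 1=1" turns the WHERE clause into a tautology.
    $sql = "SELECT name, role FROM users WHERE name = $username";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function safe_lookup(PDO $db, string $username): array
{
    // Prepared statement: the value travels separately from the query text
    // and is compared as a single string, so it cannot change the statement.
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database (in memory; no external server needed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')");

$attack = '0 OR 1=1';
printf("vulnerable: %d row(s)\n", count(vulnerable_lookup($db, $attack)));
printf("safe:       %d row(s)\n", count(safe_lookup($db, $attack)));
```

Run against the constructed data, the tautology returns every user through vulnerable_lookup and nothing through safe_lookup, because the prepared statement looks for a user literally named "0 OR 1=1". The same fix applies to MySQL: bind the value, never build the string.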

Page 12

Disabling PHP Error Messages

• By default, PHP will dump error messages to the client's browser
• Error messages can contain sensitive information (file system paths, fragments of SQL, variable contents)
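Turning the display off without losing the information, as an added example that is not part of the original deck: errors are still reported, but to a server-side log, and a handler replaces anything the engine would still have printed with a generic page. The log path is an assumption; it must be writable by the web server user and outside the document root.

```php
<?php
// Added example, not from the original slides. The log path is assumed.

function configure_error_reporting(string $logFile): void
{
    error_reporting(E_ALL);          // keep reporting everything...
    ini_set('display_errors', '0');  // ...but never render it to the client
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    // Anything the engine would still have printed is logged and replaced by
    // a generic message; paths, queries and stack traces stay in the log.
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
        error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
        return true;                 // handled: suppress PHP's own output
    });
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf('Uncaught %s: %s in %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
        http_response_code(500);
        echo 'An internal error occurred.';
    });
}

configure_error_reporting('/var/log/php/app-errors.log');
```

The same two settings belong in php.ini for production (display_errors = Off, log_errors = On); the ini_set calls above only take effect once the script is running, so a parse error in the script itself would still follow the php.ini values.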

Page 13

Validating the Session

• Keep status variables (such as "logged in" or the user's role) in a session variable rather than in a cookie
• Session variables are less likely to be compromised because they are stored on the server; a cookie is stored by the client, who can set it to any value they like
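A "logged in" flag kept in a client cookie beside one kept in the server-side session, as an added example that is not part of the original deck, with the checks a practitioner would add around the session version (a fresh ID on login and an idle timeout). PHP 7 or later.

```php
<?php
// Added example, not from the original slides.

// Weak: whoever holds the browser controls this value and can simply send
// "Cookie: loggedin=1" without ever authenticating.
function is_logged_in_cookie(array $cookie): bool
{
    return ($cookie['loggedin'] ?? '') === '1';
}

// Better: the state lives on the server. The client holds only an opaque
// session ID that identifies a record; it carries no claims of its own.
function login(string $user): void
{
    session_regenerate_id(true);          // fresh ID on privilege change (anti-fixation)
    $_SESSION['user']        = $user;
    $_SESSION['logged_in']   = true;
    $_SESSION['last_active'] = time();
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

function is_logged_in(int $idleLimit = 1800): bool
{
    if (empty($_SESSION['logged_in'])) {
        return false;
    }
    // Expire idle sessions on the server; a stolen ID cannot outlive this.
    if (time() - ($_SESSION['last_active'] ?? 0) > $idleLimit) {
        logout();
        return false;
    }
    $_SESSION['last_active'] = time();
    return true;
}

session_start();
// Decisions are made on server-side state only; $_COOKIE['loggedin'] is never consulted.
if (!is_logged_in()) {
    http_response_code(401);
    exit('Please log in');
}
```

session_regenerate_id(true) on login discards the ID the visitor arrived with, so an attacker who planted a known session ID before authentication does not end up sharing the authenticated session.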

Page 14

Included Files Extension

• A common PHP practice is to name included files with the '.inc' extension
• Malicious users can read the entire file's contents through a direct reference in the URL
• Apache hands only files whose extension is mapped to the PHP handler (normally .php) to the interpreter; a '.inc' file is a PHP script to the developer but plain text to the web server, so it is served verbatim, source code and database credentials included
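Two layers of protection for an include file, as an added example that is not part of the original deck: rename config.inc to config.inc.php so Apache runs it instead of serving it, and make the file refuse to do anything unless a real entry point pulled it in. File names, the constant and the placeholder secret are assumptions for this example.

```php
<?php
// Added example, not from the original slides. File names are assumed.

// ----- config.inc.php (was config.inc) -----
// Only a script that defined APP_ENTRY before including this file may
// proceed; a direct request for /config.inc.php gets a 403 and no source.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

define('DB_DSN',      'mysql:host=localhost;dbname=app');
define('DB_USER',     'app');
define('DB_PASSWORD', 'example-secret-stays-server-side');

// ----- index.php (a legitimate entry point) -----
// define('APP_ENTRY', true);
// require __DIR__ . '/config.inc.php';
// $db = new PDO(DB_DSN, DB_USER, DB_PASSWORD);
```

The guard is defence in depth; the primary fix is to keep include files outside the document root entirely (and point include_path at that directory), or to have Apache deny them outright with a `<Files>` block matching the .inc extension.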

Page 15

Comments in HTML Source

• Commenting code is important, but beginning PHP programmers may put sensitive information in their comments for debugging purposes
• If placed improperly (as HTML comments outside the <?php … ?> tags rather than PHP comments inside them), these comments are output in the HTML source sent to every client
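A check that renders a template and reports the HTML comments that would reach the browser, as an added example that is not part of the original deck. PHP comments inside `<?php ... ?>` are discarded by the interpreter and never leave the server; HTML comments are sent verbatim. The template below is constructed for the demonstration.

```php
<?php
// Added example, not from the original slides. The template is constructed.

function html_comments_in_output(string $templateFile): array
{
    // Render the template exactly as the web server would, capturing the
    // output instead of sending it, then pull out every HTML comment.
    ob_start();
    include $templateFile;
    $html = ob_get_clean();
    preg_match_all('/<!--(.*?)-->/s', $html, $m);
    return array_map('trim', $m[1]);
}

// Constructed sample template: one PHP comment, one HTML comment.
$tmp = tempnam(sys_get_temp_dir(), 'tpl');
file_put_contents($tmp, <<<'PHP'
<?php // debug: admin password is hunter2 (PHP comment, never sent) ?>
<!-- debug: admin password is hunter2 (HTML comment, sent to every client) -->
<p>Hello</p>
PHP
);

foreach (html_comments_in_output($tmp) as $comment) {
    echo "leaked to client: $comment\n";
}
unlink($tmp);
```

Only the HTML comment is reported. The same function can be pointed at every template in a project as a pre-deployment check.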

Page 16

Advanced Security Issues

• Superglobals
• Encrypted Scripting
• Safe Mode

Page 17

Superglobals (1)

• Superglobals are pre-defined arrays that store variable/value pairs
• There are 9 different arrays
  • $_GET[…]
  • $_POST[…]
  • $_COOKIE[…]
  • $_REQUEST[…]
  • $_SERVER[…]
  • $_FILES[…]
  • $_ENV[…]
  • $_SESSION[…]
  • $GLOBALS[…]

Page 18

Superglobals (2)

• Superglobals are useful because you know the value in the variable was obtained from a specific source
  • For example: $_POST['username'] vs. $username
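The register_globals hazard from the PHP Security Overview slide and the superglobals fix from this one, in a single added example that is not part of the original deck. register_globals no longer exists in PHP, so the first half recreates its effect with extract() to show the behaviour; the credential store is constructed sample data. PHP 7 or later.

```php
<?php
// Added example, not from the original slides. Sample credentials constructed.

// Constructed user store: username => bcrypt hash.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function check_credentials(array $users, string $user, string $pass): bool
{
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// --- Legacy style: a flag that is only ever set, never initialised ---
// This is what register_globals did for every request: each GET/POST/cookie
// variable became a global PHP variable of the same name.
$_GET = ['authorized' => '1'];           // attacker requests page.php?authorized=1
extract($_GET);                          // now $authorized === '1'

if (check_credentials($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    $authorized = true;
}
if (!empty($authorized)) {
    echo "legacy: access granted without any credentials\n";
}

// --- Hardened style: explicit initialisation, explicit source ---
function is_authorized(array $users, array $post): bool
{
    $authorized = false;                 // cannot be preset from outside
    $user = $post['username'] ?? '';     // $_POST only: the origin is unambiguous
    $pass = $post['password'] ?? '';
    if (check_credentials($users, $user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

echo is_authorized($USERS, ['username' => 'alice', 'password' => 'wrong'])
    ? "hardened: access granted\n"
    : "hardened: access denied\n";
```

Two things make the second version safe: the flag has a value before any input is looked at, and the input is read from the one superglobal it is supposed to come from, so the same name arriving as a query parameter or cookie is simply ignored.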

Page 19

Encrypted Scripting

• It is possible to sniff the packets exchanged between the browser and the server
• PHP itself provides no method to encrypt the transmission of the data (although the data itself can be encrypted in PHP before it is sent)
• Installing SSL (today TLS) on Apache encrypts the transmission; PHP receives the decrypted request and can tell that TLS was used via $_SERVER['HTTPS']
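What a PHP application can do once the web server offers TLS, as an added example that is not part of the original deck: refuse to run over plaintext, redirect to the canonical HTTPS host, and keep the session cookie off unencrypted connections. APP_HOST is an assumption; it is used instead of the client-supplied Host header so the redirect cannot be steered. PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Added example, not from the original slides. APP_HOST is assumed.

const APP_HOST = 'www.fluffygerbils.com';

function is_https(array $server): bool
{
    // Apache sets HTTPS to a non-empty value ("on") for TLS requests.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

function enforce_https(array $server): void
{
    if (!is_https($server)) {
        header('Location: https://' . APP_HOST . ($server['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    // Ask browsers to use TLS for this host for the next year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'secure'   => true,     // cookie is never sent over plaintext HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    session_start();
}

enforce_https($_SERVER);
start_secure_session();
```

Behind a TLS-terminating proxy or load balancer $_SERVER['HTTPS'] is not set on the backend; in that deployment is_https() has to trust an X-Forwarded-Proto header, and only from the proxy's own address.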

Page 20

Safe Mode

• PHP safe mode makes the interpreter execute scripts only in a restricted environment
  • Execution of scripts is restricted to defined directories
  • Scripts cannot call programs outside defined directories
• Provides "damage control" if the application is compromised
• Caveat: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; on current PHP the same containment comes from open_basedir, disable_functions and OS-level isolation (a separate user per application, or a container)
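The settings behind the slide and their present-day equivalents, as an added php.ini fragment that is not part of the original deck. The directory paths are assumptions.

```ini
; Added example, not from the original slides. Paths are assumed.

; Safe mode as the slide describes it (PHP 4 and 5.0-5.2 only; deprecated
; in 5.3, removed in 5.4):
safe_mode          = On
safe_mode_exec_dir = /usr/local/php-bin     ; only binaries in here may be executed
open_basedir       = /var/www/app/          ; file access confined to this tree

; Equivalent containment on any supported PHP, where safe_mode no longer exists:
open_basedir      = /var/www/app/:/tmp/
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
expose_php        = Off                     ; no X-Powered-By version banner
```

open_basedir is enforced per file operation and can only be tightened, not loosened, from within a script; disable_functions is a php.ini-only setting, so a compromised script cannot re-enable what it lists.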

Page 21

Easiest Ways to Secure PHP?

• Never trust user input!
• Look beyond the application's intended use
• Stay current on PHP updates and syntax
• Be aware of PHP's scope

NEVER TRUST USER INPUT!!!
