Security Issues with PHP - PHP installation - PHP programming (Willa Zhu & Eugene Burger)

About PHP
- It is a server-side scripting language that facilitates the creation of dynamic Web pages by embedding PHP-coded logic in HTML documents
- It combines many of the finest features of Perl, C, and Java, and adds its own elements
- Its popularity as a server-side scripting language is only increasing
- Security issues

PHP Security The way to secure PHP scripts is through a carefully selected combination of configuration settings and safe programming practices.

PHP Configuration - php.ini
The configuration file (called php3.ini in PHP 3.0, and simply php.ini as of PHP 4.0) is read when PHP starts up. For the server module versions of PHP, this happens only once, when the web server is started. For the CGI and CLI versions, it is read on every invocation.
Default location: /usr/local/lib/
Sample:

Install PHP in a secured manner – (1)
safe_mode
This option allows you to control which directories PHP scripts are allowed to access files from. By default PHP will allow a script to access a file from anywhere, so it is recommended that this option be set. By predefining valid directories, data can be protected.
safe_mode_exec_dir
Setting this variable forces PHP to execute scripts only from the specified directory.
doc_root
PHP will not serve files that are outside this directory while in safe mode.

Install PHP in a secured manner – (2)
open_basedir, allow_url_fopen
These options allow you to control which directories PHP scripts are allowed to access files from. By default PHP will allow a script to access a file from anywhere, so it is recommended that these options be set. By predefining valid directories, data can be protected.
max_execution_time
This variable enables you to set the maximum execution time a script can have. If a script runs longer than the allocated execution time, it is terminated. This option lets you prevent attackers from tying up your web server with malicious scripts that could cause a denial of service.

Install PHP in a secured manner – (3)
memory_limit
This allows you to control the maximum amount of memory a script can use. Using it helps to prevent buffer overflows, which may lead to more serious threats.
upload_tmp_dir
This designates where PHP will place files that are being uploaded.
disable_functions
This lists comma-separated names of functions that PHP will simply ignore.

Install PHP in a secured manner – (4)
safe_mode_allowed_env_vars
This defines a list of prefixes that identify the names of the environment variables the user is allowed to change.
safe_mode_protected_env_vars
The list given to this directive specifies names of environment variables that the user is not allowed to modify.
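The four configuration slides above list directives without showing how to check whether a running PHP actually has them set. The script below is an added example, not part of the slides: it audits the live configuration with ini_get() against the directives discussed (open_basedir, allow_url_fopen, max_execution_time, memory_limit, upload_tmp_dir, disable_functions, register_globals, safe_mode). The php.ini fragment in the comments and the thresholds (256M, the list of shell functions) are constructed for this example. Note that safe_mode and register_globals were removed in PHP 5.4, so on a current build ini_get() returns false for them and the audit reports them as not applicable rather than as findings.

```php
<?php
// Added example, not from the slides: audit the running PHP configuration
// against the php.ini directives discussed above. Run it under the web SAPI
// (or `php -c /path/to/php.ini audit.php`) and compare the findings with a
// hardened php.ini such as this constructed fragment:
//
//   open_basedir       = /var/www/app/:/tmp/
//   allow_url_fopen    = Off
//   max_execution_time = 30
//   memory_limit       = 64M
//   upload_tmp_dir     = /var/www/upload_tmp
//   disable_functions  = exec,passthru,shell_exec,system,popen,proc_open
//
// ini_get() returns false for a directive the build does not know (safe_mode
// and register_globals no longer exist as of PHP 5.4); that is treated as
// "not applicable", not as a weakness.

function ini_flag_on(string $name): bool
{
    $value = ini_get($name);
    // Boolean directives come back as "1"/"" or as the literal "On"/"Off".
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN) === true;
}

function ini_bytes(string $shorthand): int
{
    // php.ini size shorthand: 64M, 512K, 1G; -1 means unlimited.
    $shorthand = trim($shorthand);
    if ($shorthand === '' || $shorthand === '-1') {
        return PHP_INT_MAX;
    }
    $number = (int) $shorthand;
    switch (strtoupper(substr($shorthand, -1))) {
        case 'G': return $number * 1024 ** 3;
        case 'M': return $number * 1024 ** 2;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

function audit_php_ini(): array
{
    $findings = [];

    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        $findings[] = 'open_basedir is unset: scripts can read any file the web server user can';
    }
    if (ini_flag_on('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is On: fopen()/include can fetch http:// and ftp:// URLs';
    }
    // The CLI SAPI hard-codes max_execution_time to 0, so only judge it for web SAPIs.
    if (PHP_SAPI !== 'cli' && (int) ini_get('max_execution_time') === 0) {
        $findings[] = 'max_execution_time is 0 (unlimited): a runaway script can tie up a worker';
    }
    if (ini_bytes((string) ini_get('memory_limit')) > 256 * 1024 ** 2) {
        $findings[] = 'memory_limit is above 256M or unlimited';
    }
    if ((string) ini_get('upload_tmp_dir') === '') {
        $findings[] = 'upload_tmp_dir is unset: uploads land in the system temp directory';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['exec', 'passthru', 'shell_exec', 'system', 'popen', 'proc_open'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is callable: add it to disable_functions unless the application needs it";
        }
    }
    if (ini_flag_on('register_globals')) {
        $findings[] = 'register_globals is On: request parameters become global variables';
    }
    // The slides recommend safe_mode; report it only where the directive still exists.
    if (ini_get('safe_mode') !== false && !ini_flag_on('safe_mode')) {
        $findings[] = 'safe_mode is Off on a PHP build that still supports it';
    }

    return $findings;
}

foreach (audit_php_ini() as $finding) {
    echo "[weak] $finding\n";
}
```

Because php.ini is read once per web-server start for module installations (as the php.ini slide notes), run the audit through the web server after every configuration change rather than trusting the file on disk; the CLI may be reading a different php.ini altogether.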

Secure PHP Programming Guidelines
1. Avoid Using Variables When Accessing Files
// E.g. $page is a variable from the URL
include($page);
Functions to Check For: readfile, fopen, file, include, require
Possible Fixes or Improvements:
- Replace the variable with a value defined by the PHP define function
- If you really must use a variable from the browser, validate the value
- Check the file name against a list of valid file names
- Don't trust the global variables
- Use the allow_url_fopen and open_basedir configuration variables to limit the locations files can be opened from.

Secure PHP Programming Guidelines
2. Do Not Trust Global Variables
If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request.
What to Check For (pay careful attention to the following areas):
- Authentication and permission checking code
- Use of variables before they are initialized
- Use of variables designed to be set by GET or POST requests
Possible Fixes or Improvements:
- Disable register_globals in your php.ini file and use the $HTTP_GET_VARS and $HTTP_POST_VARS associative arrays instead
- Ensure session variables really do come from the session
- Initialize all global variables
- Check that a global variable is not in the $HTTP_POST_VARS or $HTTP_GET_VARS associative arrays
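The slide names the risk (an uninitialized flag that a request parameter can supply) but shows no code. The following is an added example, not from the slides: it reproduces what register_globals=On did by calling extract() on a request array, shows the authorization check being bypassed, and places the fixed version beside it. The request and session arrays are constructed for the example; $_GET and $_POST are the names that replaced the $HTTP_GET_VARS and $HTTP_POST_VARS arrays the slide mentions.

```php
<?php
// Added example, not from the slides: the register_globals hazard reproduced
// with extract(), which does to a request array what register_globals=On did
// to every GET/POST/cookie parameter, beside the hardened version.

function legacy_is_admin(array $request, array $session): bool
{
    // Emulates register_globals: every request parameter becomes a local variable.
    extract($request);                       // never do this with untrusted input
    if (isset($session['user']) && ($session['user']['role'] ?? '') === 'admin') {
        $is_admin = true;                    // only assigned on the success path
    }
    // $is_admin was never initialised, so a request parameter named is_admin supplies it.
    return isset($is_admin) && (bool) $is_admin;
}

function hardened_is_admin(array $request, array $session): bool
{
    $is_admin = false;                       // 1. initialise every flag before use
    // 2. input is read only from the explicit request array, never from globals
    $page = isset($request['page']) ? (string) $request['page'] : 'home';
    // 3. authorisation is derived from the session, which the client cannot set
    if (isset($session['user']) && ($session['user']['role'] ?? '') === 'admin') {
        $is_admin = true;
    }
    // $page may steer navigation but never grants a role.
    return $is_admin;
}

// Constructed requests: an anonymous visitor who appends is_admin=1 to the URL,
// and a genuine administrator whose role lives in the server-side session.
$forged_request    = ['is_admin' => '1', 'page' => 'home'];
$anonymous_session = [];
$admin_session     = ['user' => ['name' => 'willa', 'role' => 'admin']];

var_dump(legacy_is_admin($forged_request, $anonymous_session));   // bypass
var_dump(hardened_is_admin($forged_request, $anonymous_session)); // denied
var_dump(hardened_is_admin($forged_request, $admin_session));     // allowed
```

The fix is the slide's own list in code form: initialize the flag, take input only from the explicit request array, and let the session alone decide authorization. In a real application the same review applies to any extract($_REQUEST) or variable-variable ($$name) construct, which recreate the register_globals behaviour on builds where the directive no longer exists.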

Secure PHP Programming Guidelines
3. Use the .php extension for all script files
If other extensions (such as .lib or .inc) are used, the contents of these files can be viewed from a browser, including any PHP code. This may reveal intellectual property, passwords or weaknesses in your code.
What to Check For: Examine the file names of all script files.
Possible Fixes or Improvements:
- Use the .php extension for all script files
- Place library and configuration files outside the web server's document root directory (use include_path in php.ini)
- Prevent all .inc files from being displayed (in Apache's configuration file)

Secure PHP Programming Guidelines
4. Place sensitive content outside the document root directory
Many PHP systems are designed to restrict access to documents or images through user authentication and access control lists. However, these documents are frequently stored as files in a subdirectory of the directory containing the PHP scripts. This makes the files available directly by entering the appropriate URL in a browser.
What to Check For: Examine the placement of directories used to store files containing privileged content.
Possible Fixes or Improvements:
- Store content as files in a directory outside the web server's document root directory
- Store content in a database
- Use web server features such as Apache's .htaccess files to prevent direct access to content directories
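Guidelines 1, 3 and 4 all come down to the same layout decision, so one script serves all three. It is an added example and not from the slides: a URL parameter selects a page only through a fixed allowlist (guideline 1), library code is a .php file in a directory outside the document root reached via include_path (guideline 3), and privileged downloads are read by the script from a directory the web server never serves, after an authorization check and a containment check on the resolved path (guideline 4). Every path, the page list, and the current_user() session lookup are constructed for the example.

```php
<?php
// Added example, not from the slides: guidelines 1, 3 and 4 in one script.
// Layout assumed here (constructed): /var/www/app/public is the document root;
// lib/, pages/ and private/ sit beside it and are never served directly.

define('APP_ROOT',    '/var/www/app');          // fixed constants, never derived from input
define('LIB_DIR',     APP_ROOT . '/lib');       // guideline 3: library .php files outside htdocs
define('PAGE_DIR',    APP_ROOT . '/pages');     // page fragments, also outside htdocs
define('PRIVATE_DIR', APP_ROOT . '/private');   // guideline 4: privileged downloads

// Guideline 3: libraries are found through include_path, not through URLs.
set_include_path(LIB_DIR . PATH_SEPARATOR . get_include_path());

function current_user(): array
{
    // Constructed stand-in for the application's session lookup.
    return (isset($_SESSION['user']) && is_array($_SESSION['user'])) ? $_SESSION['user'] : [];
}

// Guideline 1: never include($page); map the parameter onto an allowlist instead.
const ALLOWED_PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function resolve_page(string $requested): string
{
    // Unknown names fall back to the default instead of being used as a path.
    return PAGE_DIR . '/' . (ALLOWED_PAGES[$requested] ?? ALLOWED_PAGES['home']);
}

// Guideline 4: privileged content is read by the script after an access check,
// never fetched directly by URL. Returns the resolved path, or null when denied.
function private_file_path(string $name, array $user): ?string
{
    if (($user['role'] ?? '') !== 'member') {
        return null;                                           // not authorised
    }
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name) || strpos($name, '..') !== false) {
        return null;                                           // reject traversal and odd names
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . $name);
    // realpath() follows symlinks, so confirm the result is still inside PRIVATE_DIR.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function send_private_file(string $name): void
{
    $path = private_file_path($name, current_user());
    if ($path === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

session_start();
if (isset($_GET['download'])) {
    send_private_file((string) $_GET['download']);
} else {
    $page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
    include resolve_page($page);
}
```

Two checks in private_file_path() do the real work: the character allowlist rejects separators and traversal sequences before any filesystem call, and the realpath() comparison catches symlinks that would otherwise escape PRIVATE_DIR even with a clean name. Pairing this with open_basedir from the configuration slides gives a second, configuration-level fence if the application check is ever bypassed.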

Secure PHP Programming Guidelines
5. Avoid or Validate User Input When Constructing Command Strings
The most direct illustration of damage inflicted by unvalidated user input is probably the execution of external programs with user-specified names or arguments.
What to Check For:
- eval, exec, passthru, system, popen
- preg_replace (when used with the /e modifier, this treats the replacement parameter as PHP code)
- `` (backticks can be used to execute commands)
Possible Fixes or Improvements:
- Always validate user input
- Redefine all environment variables that will be used in the script before using them
- Configure PHP not to make external variables globally available
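The slide lists the functions to audit and the fixes but shows neither side in code. The following is an added example, not from the slides: an unquoted shell command built from a request parameter beside a version that validates the name, pins the path under a fixed directory, and quotes the argument with escapeshellarg(); a preg_replace() call with the /e modifier beside its preg_replace_callback() replacement; and the slide's advice to redefine environment variables, shown as a fixed PATH set before the command runs. The export directory and template are constructed for the example. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7, so the "before" form is shown only in a comment.

```php
<?php
// Added example, not from the slides: command-string and preg_replace cases
// from guideline 5, each shown as before/after. EXPORT_ROOT is constructed.

define('EXPORT_ROOT', '/var/www/app/exports');

// Before: the argument reaches the shell unquoted, so the parameter controls the
// whole command line rather than one argument.
function disk_usage_unsafe(string $dir): string
{
    return (string) shell_exec('du -sh ' . EXPORT_ROOT . "/$dir");
}

// After: allowlist the characters, pin the resolved path under EXPORT_ROOT, and
// quote the argument so the shell sees exactly one word.
function disk_usage_safe(string $dir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $dir)) {
        return null;                                   // anything but a plain name is rejected
    }
    $base = realpath(EXPORT_ROOT);
    $path = realpath(EXPORT_ROOT . '/' . $dir);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_dir($path)) {
        return null;                                   // not an existing directory under the root
    }
    $output = shell_exec('du -sh ' . escapeshellarg($path));
    return is_string($output) ? trim($output) : null;
}

// Before (PHP 5 only): with /e the replacement string was evaluated as PHP, so
// text captured from the template became code:
//   preg_replace('/\{(\w+)\}/e', 'strtoupper("$1")', $template);
// After: preg_replace_callback() calls a real function; nothing is evaluated.
function expand_placeholders(string $template, array $vars): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($vars): string {
        $value = isset($vars[$m[1]]) ? (string) $vars[$m[1]] : '';
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }, $template);
}

// Redefine the environment the command will see (the slide's advice) before calling it,
// so `du` resolves from a known PATH rather than whatever the server process inherited.
putenv('PATH=/usr/bin:/bin');

$dir   = isset($_GET['dir']) ? (string) $_GET['dir'] : '';
$usage = disk_usage_safe($dir);
echo $usage === null ? "invalid export directory\n" : $usage . "\n";
echo expand_placeholders('Report for {name}', ['name' => 'Willa']) . "\n";
```

escapeshellarg() alone is not the whole fix: it stops the argument from being split or chained, but only the allowlist and realpath() containment stop a well-formed name from pointing at a directory the script was never meant to inspect. When the application does not need to launch external programs at all, adding shell_exec, system, exec, passthru and popen to disable_functions (configuration slide 3) removes the whole class of problem.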

A Final Word on Security (by John Coggeshall)
When writing a web application in PHP (or any application in any language), the single biggest thing that you can do to improve the security of your application is to keep potential security implications in mind. Are you using system calls? What are you doing to protect them from being taken advantage of? How will your application respond to invalid user input? What precautions are you taking to filter user input? You should ask yourself all of these questions as you develop.

Some PHP Security Resources URLs        