PHP Security Ryan Dunn Jason Pack

Outline PHP Overview PHP Overview Common Security Issues Common Security Issues Advanced Security Issues Advanced Security Issues Easiest Ways to Secure PHP? Easiest Ways to Secure PHP? Examples Examples

PHP Overview Originally designed as a small set of Perl scripts by Rasmus Lerdorf in 1994 Originally designed as a small set of Perl scripts by Rasmus Lerdorf in 1994 PHP is now a server-side, HTML-embedded, cross-platform scripting language PHP is now a server-side, HTML-embedded, cross-platform scripting language The most deployed server-side scripting language, running on around 9 of the 37 million domains in a April 2002 Netcraft survey. The most deployed server-side scripting language, running on around 9 of the 37 million domains in a April 2002 Netcraft survey. PHP's own figures show PHP usage (measured on a per-domain basis) growing at around 5% per month. PHP's own figures show PHP usage (measured on a per-domain basis) growing at around 5% per month.

PHP Popularity

PHP Security Overview PHP interpreter has potential to access the entire host PHP interpreter has potential to access the entire host By default, PHP makes all variables globally accessible by name, including session variables and cookies By default, PHP makes all variables globally accessible by name, including session variables and cookies

Common Security Issues GET vs. POST GET vs. POST Buffer Overflows Buffer Overflows SQL Injections SQL Injections Disabling PHP Error Messages Disabling PHP Error Messages Validating the Session Validating the Session Included Files Extension Included Files Extension Comments in HTML Source Comments in HTML Source

GET vs. POST (1) GET – data is passed by appending the variable/value pair to the URL GET – data is passed by appending the variable/value pair to the URL Truncated after 8,192 charactersTruncated after 8,192 characters Even SSL will not encrypt dataEven SSL will not encrypt data Raw HTTP Transmission: Raw HTTP Transmission: GET HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) Host: Connection: keep-alive

GET vs. POST (2) POST – variables sent in body of URL request POST – variables sent in body of URL request No size limitNo size limit SSL will encrypt the dataSSL will encrypt the data

GET vs. POST (3) POST Raw HTTP Transmission: POST Raw HTTP Transmission: POST /process.php HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, */* Accept-Language: en-us Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) Host: Content-Length: 94 Pragma: no-cache Connection: keep-alive yourname=fred+smith comment=I+have+no+comment

Buffer Overflows No runtime memory allocation No runtime memory allocation No pointers No pointers Thus, no buffer overflows created by PHP code Thus, no buffer overflows created by PHP code Overflows limited to PHP interpreter and its extensions Overflows limited to PHP interpreter and its extensions Stay on top of PHP updates to avoid issues Stay on top of PHP updates to avoid issues

SQL Injections PHP programmers often take user input directly to construct SQL queries PHP programmers often take user input directly to construct SQL queries Malicious users can exploit this by entering “; malicious SQL code” in the $username field Malicious users can exploit this by entering “; malicious SQL code” in the $username field mysql_db_query ($DB, "SELECT something FROM table WHERE name=$username");

Disabling PHP Error Messages By default, PHP will dump error messages to the client’s browser By default, PHP will dump error messages to the client’s browser Error messages can contain sensitive information Error messages can contain sensitive information

Validating the Session Store status variables as session variable or a cookie Store status variables as session variable or a cookie Session variables are less likely to be compromised since they are stored on the server Session variables are less likely to be compromised since they are stored on the server

Included Files Extension A common PHP practice is to name included files with the ‘.inc’ extension A common PHP practice is to name included files with the ‘.inc’ extension Malicious users can access the entire file’s content through a direct reference in the URL Malicious users can access the entire file’s content through a direct reference in the URL Apache does not know to encode ‘.inc’ files even though they are PHP scripts, so it displays it in plain text Apache does not know to encode ‘.inc’ files even though they are PHP scripts, so it displays it in plain text

Comments in HTML Source Commenting code is important, but beginning PHP programmers may put sensitive information in their comments for debugging purposes Commenting code is important, but beginning PHP programmers may put sensitive information in their comments for debugging purposes If placed improperly these comments could be output in HTML source code If placed improperly these comments could be output in HTML source code

Advanced Security Issues Superglobals Superglobals Encrypted Scripting Encrypted Scripting Safe Mode Safe Mode

Superglobals (1) Superglobals are pre-defined arrays that store variable/value pairs Superglobals are pre-defined arrays that store variable/value pairs There are 9 different arrays There are 9 different arrays $_GET[…] $_SERVER[…]$_GET[…] $_SERVER[…] $_POST[…]$_FILES[…]$_POST[…]$_FILES[…] $_COOKIE[…]$_ENV[…]$_COOKIE[…]$_ENV[…] $_REQUEST[…]$_SESSION[…]$_REQUEST[…]$_SESSION[…] $_GLOBAL[…]$_GLOBAL[…]

Superglobals (2) Superglobals are useful because you know the value in the variable was obtained from a specific source Superglobals are useful because you know the value in the variable was obtained from a specific source For Example:For Example: $_POST[username] $_POST[username] vs. vs. $username $username

Encrypted Scripting It is possible to sniff the packets exchanged between the browser and the server It is possible to sniff the packets exchanged between the browser and the server PHP provides no method to encrypt the transmission of the data (but the data itself can be encrypted) PHP provides no method to encrypt the transmission of the data (but the data itself can be encrypted) Installing SSL on Apache allows your transmission to be encrypted Installing SSL on Apache allows your transmission to be encrypted

Safe Mode PHP safe mode makes it so that it can only execute scripts in a restricted environment PHP safe mode makes it so that it can only execute scripts in a restricted environment Execution of scripts is restricted to defined directoriesExecution of scripts is restricted to defined directories Scripts cannot call programs outside defined directoriesScripts cannot call programs outside defined directories Provides “damage control” if application is compromised Provides “damage control” if application is compromised

Easiest Ways to Secure PHP? Never trust user input! Never trust user input! Look beyond application’s intended use Look beyond application’s intended use Stay current on PHP updates/syntax Stay current on PHP updates/syntax Be aware of PHP’s scope Be aware of PHP’s scope NEVER TRUST USER INPUT!!! NEVER TRUST USER INPUT!!!

References & / & /