
Top Ten PHP Security Issues, a preliminary list

There's my draft list of the top ten PHP security issues. As you can see,
there's only nine right now. I've ranked them based on how readily the
vulnerability can be exploited. This is the reason why the client-side
scripting vulnerabilities are listed 2, 3, and 4, while SQL injection is
listed 7. Listed as number 1 is arguably the lamest mistake in all
web programming: pulling information from the database based on a
primary key passed through the URL without any kind of access check. Because
even someone with no programming knowledge can take advantage of this hole,
it takes the top spot.

[drum roll]

1. Revealing private information without access check
2. Displaying user-provided text without escaping HTML special characters
3. Allowing users to supply a URL for an image
4. Processing form data without checking the page referrer
5. Copying an uploaded file into a web-accessible directory
6. Using a GET/POST variable as parameter to include/require
7. Inserting GET/POST variables into SQL statements without validation
8. Using session_register() with sensitive variables
9. Performing restricted operations in the global scope of an include file

The use of register_globals is not on the list, as the potential problems
are effectively covered by items 6, 7, 8, and 9 (or so I think).

I'll write up a more detailed description for each of these, along with
possible solutions, and post it somewhere on the net. Hopefully it'll be
interesting reading for beginners to the language. Thanks to all who
participated in the original thread. Additional comments are definitely
welcomed.
Jul 17 '05
Chung Leong writes:
User "Alex Farran" <al**@alexfarran.com> wrote in message
news:m3************@alexfarran.com...

DOM/JavaScript security operates on a simple premise: content on a page at a
site is only accessible to scripts originating from the same site. When the
user clicks on a link and goes from, say, www.paradiso.org to www.inferno.com,
scripts at www.inferno.com do not have access to anything--including the
hidden number in question--at www.paradiso.org. This is true even if Inferno
loads Paradiso in an iframe.

You're absolutely right. I'd forgotten that. Your scheme with the
unique numbers will work then.

Both your scheme and mine fall apart if the user opens new windows. The best
check is still the page referrer. Does anyone know if firewalls block all
referer headers or only absolute ones?

My scheme will only allow the user to interact with the site through
one window, that's true, but yours could be adapted to work with more
than one window. Instead of holding just one number in the session,
hold an array of all numbers sent. When a form is submitted, search
for its number in the array, and if it's found, accept the form and
delete the number from the array. That way every form can be
submitted exactly once, and only by the person it was presented to.

Actually I think my scheme could be adapted similarly, but it would
still be restrictive compared to yours.

What we really need is a special kind of cookie (brownie?) that doesn't get
sent if the originating page isn't its creator.

I don't think we do now.

--

__o Alex Farran
_`\<,_ Analyst / Programmer
(_)/ (_) www.alexfarran.com

Jul 17 '05 #11

User "Alex Farran" <al**@alexfarran.com> wrote in message
news:m3************@alexfarran.com...

My scheme will only allow the user to interact with the site through
one window, that's true, but yours could be adapted to work with more
than one window. Instead of holding just one number in the session,
hold an array of all numbers sent. When a form is submitted, search
for its number in the array, and if it's found, accept the form and
delete the number from the array. That way every form can be
submitted exactly once, and only by the person it was presented to.

That should work. If only there were a way to implement that without having to
modify every form... All I can think of is appending some JavaScript code at
the bottom of the page that inserts the hidden field dynamically. Not very
reliable.
--

__o Alex Farran
_`\<,_ Analyst / Programmer
(_)/ (_) www.alexfarran.com

Jul 17 '05 #12
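Alex's "array of numbers" scheme from the two posts above, on top of PHP sessions, as an added example that is not code from the thread. The render helper is one answer to Chung's concern about modifying every form: if every form is emitted through it, the hidden field is added in a single place. The function names, the `form_token` field name and the one-hour expiry are my own choices; it assumes PHP 7.1 or later for `random_bytes()`.

```php
<?php
// Added example (not code from the thread): Alex Farran's "array of numbers"
// scheme on PHP sessions; assumes PHP 7.1+. Names are my own.
session_start();

// Issue a token for a form about to be rendered and remember it in the session.
function issue_form_token(int $max_age = 3600): string
{
    $now = time();
    $tokens = $_SESSION['form_tokens'] ?? [];
    foreach ($tokens as $old => $issued) {      // forms rendered but never
        if ($now - $issued > $max_age) {        // submitted would pile up,
            unset($tokens[$old]);               // so drop stale entries
        }
    }
    $token = bin2hex(random_bytes(16));        // 128 unguessable bits
    $tokens[$token] = $now;
    $_SESSION['form_tokens'] = $tokens;
    return $token;
}

// Accept a submitted token at most once; unknown, reused or stale ones fail.
function consume_form_token($token, int $max_age = 3600): bool
{
    if (!is_string($token) || !isset($_SESSION['form_tokens'][$token])) {
        return false;                           // also rejects form_token[]=x
    }
    $issued = $_SESSION['form_tokens'][$token];
    unset($_SESSION['form_tokens'][$token]);    // delete on first use
    return (time() - $issued) <= $max_age;
}

// Rendering side: emit every form through one helper, so the hidden field is
// added in a single place instead of by hand in each form. $fields is the
// form's own markup written by the developer, not user input.
function render_form(string $action, string $fields): string
{
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"$action\">\n"
         . "  <input type=\"hidden\" name=\"form_token\" value=\"$token\">\n"
         . "$fields\n</form>\n";
}
// Processing side: refuse any POST whose token does not check out.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && !consume_form_token($_POST['form_token'] ?? null)) {
    http_response_code(403);
    exit('Form token missing, already used or expired.');
}
```

Because the token lives in the server-side session and is never readable by a page on another site, a forged POST from www.inferno.com cannot carry a valid number, which is the point Chung makes about same-site script access.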
On Thu, 12 Feb 2004 19:10:55 -0500, Chung Leong wrote:

User "Ian.H" <ia*@WINDOZEdigiserv.net> wrote in message
news:pa****************************@hybris.digiserv.net...

Hmm.. and if someone's "firewall" (we're talking windoze here) blocks /
changes the referrer as part of its "user privacy / security setting"?
Agnitum Outpost for example can block the referrer by replacing it with
'**BLOCKED BY OUTPOST**' or something.

Hmmm... Interesting. I didn't know firewalls do that.

Seems some of the "security suites" for windoze have this feature
built in.

OTOH, although I haven't actually done it with PHP, I have set a page
referrer header in a console Perl script using LWP. Could easily be made
into a "legitimate referrer", i.e. one that's expected by the site.

I know you're not suggesting _just_ using the referrer for validation,
but IMO the referrer header is next to useless for any consideration.
Agreed, people are unlikely to want to try and hijack their own account,
but they may do this as a matter of course (blocking the referrer
header) and thus the system would fall over for, IMO, a "false positive".

Well, I don't know how else you can stop the cross-site scripting
vulnerability in question, because there is no other distinction between a
legitimate POST request and a malicious one originating from a different
site than the HTTP referrer. We can perhaps work around the firewall/proxy
issue by rejecting only requests where there is a valid URL and it's not a
page on the local server.

[ snip ]

I share your thoughts on this.. but with my LWP description above.. the
firewall / proxy check wouldn't come into play either, as the referrer
would in fact be the required one. Definitely an interesting scenario you
have outlined in this thread =)

Regards,

Ian

--
Ian.H
digiServ Network
London, UK
http://digiserv.net/

Jul 17 '05 #13
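The lenient referrer check Chung proposes in the post above, as an added example that is not code from the thread: a request is rejected only when the Referer header is present, parses as a URL, and names a host other than our own, so a missing or firewall-mangled value is let through. Ian's caveat applies: a client can send any Referer it likes, so this is only a supplementary check next to per-form tokens (what the thread calls cross-site scripting here is now usually called cross-site request forgery). The function name and the sample header values are constructed for the example.

```php
<?php
// Added example (not from the thread): Chung Leong's workaround for
// referrer-stripping firewalls. Only a clearly foreign Referer is rejected.
function referrer_allows_post(?string $referer, string $own_host): bool
{
    if ($referer === null || $referer === '') {
        return true;            // header absent: cannot tell, do not block
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return true;            // not a valid URL, e.g. replaced by a firewall
    }
    // Exact host comparison, case-insensitive. A prefix test on the whole
    // URL would wrongly accept http://www.paradiso.org.inferno.com/.
    return strcasecmp($parts['host'], $own_host) === 0;
}

// Constructed sample headers matching the cases the thread discusses.
$cases = [
    'http://www.paradiso.org/form.php'         => true,   // same site
    'http://www.inferno.com/evil.html'         => false,  // other site: reject
    'http://www.paradiso.org.inferno.com/x'    => false,  // look-alike host
    '**BLOCKED BY OUTPOST**'                   => true,   // mangled by firewall
    ''                                         => true,   // stripped entirely
];
foreach ($cases as $referer => $expected) {
    $got = referrer_allows_post($referer, 'www.paradiso.org');
    printf("%-40s => %s\n", $referer === '' ? '(none)' : $referer,
           $got ? 'accept' : 'reject');
    assert($got === $expected);
}
```

In a real handler the first argument would be `$_SERVER['HTTP_REFERER'] ?? null` and the second a configured host name, not `$_SERVER['HTTP_HOST']`, which the client also controls.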
