Sep 08

PHP Code Security Part 6

By jason PHP World 2 Comments »
Magic Quotes:

What are Magic Quotes:

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

Why did we use Magic Quotes:

There is no reason to use magic quotes because they are no longer a supported part of PHP. However, they did exist and did help a few beginners blissfully and unknowingly write better (more secure) code. But, when dealing with code that relies upon this behavior it’s better to update the code instead of turning magic quotes on. So why did this feature exist? Simple, to help prevent SQL Injection. Today developers are better aware of security and end up using database specific escaping mechanisms and/or prepared statements instead of relying upon features like magical quotes.

Why not to use Magic Quotes:

  • Portability Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience Because not all data needs escaping, it’s often annoying to see escaped data where it shouldn’t be. For example, emailing from a form, and seeing a bunch of \’ within the email. To fix, this may require excessive use of stripslashes().
    • Disabling Magic Quotes:

    The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

    Example #1 Disabling magic quotes server side

    An example that sets the value of these directives to Off in php.ini. For additional details, read the manual section titled How to change configuration settings.

    ; Magic quotes ; ; Magic quotes for incoming GET/POST/Cookie data. magic_quotes_gpc = Off ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc. magic_quotes_runtime = Off ; Use Sybase-style magic quotes (escape ‘ with ” instead of \’). magic_quotes_sybase = Off

    If access to the server configuration is unavailable, use of .htaccess is also an option. For example: 

    php_flag magic_quotes_gpc Off

    In the interest of writing portable code (code that works in any environment), like if setting at the server level is not possible, here’s an example to disable magic_quotes_gpc at runtime. This method is inefficient so it’s preferred to instead set the appropriate directives elsewhere.

    Example #2 Disabling magic quotes at runtime

    <?php

    if (get_magic_quotes_gpc()) {

        function stripslashes_deep($value)

        {

    $value = is_array($value) ?

    array_map('stripslashes_deep', $value) :

    stripslashes($value);

            return $value;

        }

    $_POST = array_map('stripslashes_deep', $_POST);

    $_GET = array_map('stripslashes_deep', $_GET);

    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);

    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);

    }

    ?>

    Tagged with:
    Aug 31

    PHP Code Security Part 5

    By jason PHP World No Comments »
    User Submitted Data

    The greatest weakness in many PHP programs is not inherent in the language itself, but merely an issue of code not being written with security in mind. For this reason, you should always take the time to consider the implications of a given piece of code, to ascertain the possible damage if an unexpected variable is submitted to it.

    Example 1 Dangerous Variable Usage

    <?php
    // remove a file from the user's home directory... or maybe
    // somebody else's?
    unlink ($evil_var);
    // Write logging of their access... or maybe an /etc/passwd entry?
    fwrite ($fp, $evil_var);
    // Execute something trivial.. or rm -rf *?
    system ($evil_var);
    exec ($evil_var);
    ?>

    You should always carefully examine your code to make sure that any variables being submitted from a web browser are being properly checked, and ask yourself the following questions:

    • Will this script only affect the intended files?
    • Can unusual or undesirable data be acted upon?
    • Can this script be used in unintended ways?
    • Can this be used in conjunction with other scripts in a negative manner?
    • Will any transactions be adequately logged?

    By adequately asking these questions while writing the script, rather than later, you prevent an unfortunate re-write when you need to increase your security. By starting out with this mindset, you won’t guarantee the security of your system, but you can help improve it.

    You may also want to consider turning off register_globals, magic_quotes, or other convenience settings which may confuse you as to the validity, source, or value of a given variable. Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).

    Tagged with:
    Aug 31

    PHP Code Security Part 4

    By jason PHP World No Comments »

    Using Register Globals

    Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP » 4.2.0. Reliance on this directive was quite common and many people didn’t even know it existed and assumed it’s just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn’t insecure but rather it’s the misuse of it.

    When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn’t require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don’t know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let’s demonstrate with an example misuse of register_globals:

    Example 1 Example misuse with register_globals = on

    <?php
    // define $authorized = true only if user is authenticated
    if (authenticated_user()) {
    $authorized = true;
    }
    // Because we didn't first initialize $authorized as false, this might be
    // defined through register_globals, like from GET auth.php?authorized=1
    // So, anyone can be seen as authenticated!
    if ($authorized) {
        include "/highly/sensitive/data.php";
    }
    ?>

    When register_globals = on, our logic above may be compromised. When off, $authorized can’t be set via request so it’ll be fine, although it really is generally a good programming practice to initialize variables first. For example, in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off as users by default would be unauthorized.

    Another example is that of sessions. When register_globals = on, we could also use $username in our example below but again you must realize that $username could also come from other means, such as GET (through the URL).

    Example 2 Example use of sessions with register_globals on or off

    <?php
    // We wouldn't know where $username came from but do know $_SESSION is
    // for session data
    if (isset($_SESSION['username'])) {
        echo "Hello <b>{$_SESSION['username']}</b>";
    } else {
        echo "Hello <b>Guest</b><br />";
        echo "Would you like to login?";
    }
    ?>

    It’s even possible to take preventative measures to warn when forging is being attempted. If you know ahead of time exactly where a variable should be coming from, you can check to see if the submitted data is coming from an inappropriate kind of submission. While it doesn’t guarantee that data has not been forged, it does require an attacker to guess the right kind of forging. If you don’t care where the request data comes from, you can use $_REQUEST as it contains a mix of GET, POST and COOKIE data. See also the manual section on using variables from external sources.

    Example #3 Detecting simple variable poisoning

    <?php
    if (isset($_COOKIE['MAGIC_COOKIE'])) {
    // MAGIC_COOKIE comes from a cookie.
        // Be sure to validate the cookie data!
    } elseif (isset($_GET['MAGIC_COOKIE']) || isset($_POST['MAGIC_COOKIE'])) {
    mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
       echo "Security violation, admin has been alerted.";
       exit;
    } else {
    // MAGIC_COOKIE isn't set through this REQUEST
    }
    ?>

    Of course, simply turning off register_globals does not mean your code is secure. For every piece of data that is submitted, it should also be checked in other ways. Always validate your user data and initialize your variables! To check for uninitialized variables you may turn up error_reporting() to show E_NOTICE level errors.

    For information about emulating register_globals being On or Off

    Tagged with:
    Aug 28

    PHP Code Security Part 3

    By jason PHP World No Comments »

    Error Reporting

    With PHP security, there are two sides to error reporting. One is beneficial to increasing security, the other is detrimental.

    A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, to determine possible weaknesses. For example, if an attacker had gleaned information about a page based on a prior form submission, they may attempt to override variables, or modify them:

    Example 1 Attacking Variables with a custom HTML page

    <form method="post" action="attacktarget?username=badfoo&amp;password=badfoo"> <input type="hidden" name="username" value="badfoo" /> <input type="hidden" name="password" value="badfoo" /> </form>

    The PHP errors which are normally returned can be quite helpful to a developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occurred in. This is all information that can be exploited. It is not uncommon for a php developer to use show_source(), highlight_string(), or highlight_file() as a debugging measure, but in a live site, this can expose hidden variables, unchecked syntax, and other dangerous information. Especially dangerous is running code from known sources with built-in debugging handlers, or using common debugging techniques. If the attacker can determine what general technique you are using, they may try to brute-force a page, by sending various common debugging strings:

    Example 2 Exploiting common debugging variables

    <form method="post" action="attacktarget?errors=Y&amp;showerrors=1&amp;debug=1"> <input type="hidden" name="errors" value="Y" /> <input type="hidden" name="showerrors" value="1" /> <input type="hidden" name="debug" value="1" /> </form>

    Regardless of the method of error handling, the ability to probe a system for errors leads to providing an attacker with more information.

    For example, the very style of a generic PHP error indicates a system is running PHP. If the attacker was looking at an .html page, and wanted to probe for the back-end (to look for known weaknesses in the system), by feeding it the wrong data they may be able to determine that a system was built with PHP.

    A function error can indicate whether a system may be running a specific database engine, or give clues as to how a web page or programmed or designed. This allows for deeper investigation into open database ports, or to look for specific bugs or weaknesses in a web page. By feeding different pieces of bad data, for example, an attacker can determine the order of authentication in a script, (from the line number errors) as well as probe for exploits that may be exploited in different locations in the script.

    A filesystem or general PHP error can indicate what permissions the web server has, as well as the structure and organization of files on the web server. Developer written error code can aggravate this problem, leading to easy exploitation of formerly "hidden" information.

    There are three major solutions to this issue. The first is to scrutinize all functions, and attempt to compensate for the bulk of the errors. The second is to disable error reporting entirely on the running code. The third is to use PHP’s custom error handling functions to create your own error handler. Depending on your security policy, you may find all three to be applicable to your situation.

    One way of catching this issue ahead of time is to make use of PHP’s own error_reporting(), to help you secure your code and find variable usage that may be dangerous. By testing your code, prior to deployment, with E_ALL, you can quickly find areas where your variables may be open to poisoning or modification in other ways. Once you are ready for deployment, you should either disable error reporting completely by setting error_reporting() to 0, or turn off the error display using the php.ini option display_errors, to insulate your code from probing. If you choose to do the latter, you should also define the path to your log file using the error_log ini directive, and turn log_errors on.

    Example 3 Finding dangerous variables with E_ALL

    <?php
    if ($username) {  // Not initialized or checked before usage
    $good_login = 1;
    }
    if ($good_login == 1) { // If above test fails, not initialized or checked before usage
    readfile ("/highly/sensitive/data/index.html");
    }
    ?>

    Tagged with:
    Aug 27

    PHP Code Security Part 2

    By jason PHP World No Comments »

    SQL Injection
    Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. It means that SQL queries are able to circumvent access controls, thereby bypassing standard authentication and authorization checks, and sometimes SQL queries even may allow access to host operating system level commands.

    Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build a SQL query. The following examples are based on true stories, unfortunately.

    Owing to the lack of input validation and connecting to the database on behalf of a superuser or the one who can create users, the attacker may create a superuser in your database.

    Example 1:

    <?php
    $offset = $argv[0]; // beware, no input validation!
    $query  = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
    $result = pg_query($conn, $query);
    ?>

    Normal users click on the ‘next’, ‘prev’ links where the $offset is encoded into the URL. The script expects that the incoming $offset is a decimal number. However, what if someone tries to break in by appending a urlencode()’d form of the following to the URL

    0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select ‘crack’, usesysid, ‘t’,'t’,'crack’ from pg_shadow where usename=’postgres’; –

    If it happened, then the script would present a superuser access to him. Note that 0; is to supply a valid offset to the original query and to terminate it.

    Note: It is common technique to force the SQL parser to ignore the rest of the query written by the developer with which is the comment sign in SQL.

    A feasible way to gain passwords is to circumvent your search result pages. The only thing the attacker needs to do is to see if there are any submitted variables used in SQL statements which are not handled properly. These filters can be set commonly in a preceding form to customize WHERE, ORDER BY, LIMIT and OFFSET clauses in SELECT statements. If your database supports the UNION construct, the attacker may try to append an entire query to the original one to list passwords from an arbitrary table. Using encrypted password fields is strongly encouraged.

    Example 2:

    <?php
    $query  = "SELECT id, name, inserted, size FROM products
                      WHERE size = '$size'
                      ORDER BY $order LIMIT $limit, $offset;";
    $result = odbc_exec($conn, $query);
    ?>

    The static part of the query can be combined with another SELECT statement which reveals all passwords:

    ‘ union select ‘1′, concat(uname||’-'||passwd) as name, ‘1971-01-01′, ‘0′ from usertable; –

    If this query (playing with the and ) were assigned to one of the variables used in $query, the query beast awakened.

    SQL UPDATE’s are also susceptible to attack. These queries are also threatened by chopping and appending an entirely new query to it. But the attacker might fiddle with the SET clause. In this case some schema information must be possessed to manipulate the query successfully. This can be acquired by examining the form variable names, or just simply brute forcing. There are not so many naming conventions for fields storing passwords or usernames.

    Example 3:

    <?php
    $query = "UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';";
    ?>

    But a malicious user sumbits the value ‘ or uid like’%admin%’; – to $uid to change the admin’s password, or simply sets $pwd to "hehehe’, admin=’yes’, trusted=100 " (with a trailing space) to gain more privileges. Then, the query will be twisted:

    <?php
    // $uid == ' or uid like'%admin%'; --
    $query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --";
    // $pwd == "hehehe', admin='yes', trusted=100 "
    $query = "UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE
    ...;";
    ?>

    A frightening example how operating system level commands can be accessed on some database hosts.

    Example 4:

    <?php
    $query  = "SELECT * FROM products WHERE id LIKE '%$prod%'";
    $result = mssql_query($query);
    ?>

    If attacker submits the value a%’ exec master..xp_cmdshell ‘net user test testpass /ADD’ – to $prod, then the $query will be:

    <?php
    $query  = "SELECT * FROM products
                        WHERE id LIKE '%a%'
                        exec master..xp_cmdshell 'net user test testpass /ADD'--";
    $result = mssql_query($query);
    ?>

    MSSQL Server executes the SQL statements in the batch including a command to add a new user to the local accounts database. If this application were running as sa and the MSSQLSERVER service is running with sufficient privileges, the attacker would now have an account with which to access this machine.

    Note: Some of the examples above is tied to a specific database server. This does not mean that a similar attack is impossible against other products. Your database server may be similarly vulnerable in another manner.

    Avoiding techniques

    You may plead that the attacker must possess a piece of information about the database schema in most examples. You are right, but you never know when and how it can be taken out, and if it happens, your database may be exposed. If you are using an open source, or publicly available database handling package, which may belong to a content management system or forum, the intruders easily produce a copy of a piece of your code. It may be also a security risk if it is a poorly designed one.

    These attacks are mainly based on exploiting the code not being written with security in mind. Never trust any kind of input, especially that which comes from the client side, even though it comes from a select box, a hidden input field or a cookie. The first example shows that such a blameless query can cause disasters.

  • Never connect to the database as a superuser or as the database owner. Use always customized users with very limited privileges.
  • Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions (e.g. is_numeric(), ctype_digit() respectively) and onwards to the Perl compatible Regular Expressions support.

  • If the application waits for numerical input, consider verifying data with is_numeric(), or silently change its type using settype(), or use its numeric representation by sprintf().

    • Example 5:

    <?php
    settype($offset, 'integer');
    $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
    // please note %d in the format string, using %s would be meaningless
    $query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;",
    $offset);
    ?>

    Besides these, you benefit from logging queries either within your script or by the database itself, if it supports logging. Obviously, the logging is unable to prevent any harmful attempt, but it can be helpful to trace back which application has been circumvented. The log is not useful by itself, but through the information it contains. More detail is generally better than less.

    Tagged with:
    Aug 26

    PHP Code Security Part 1

    By jason PHP World No Comments »

    Filesystem Security:

    PHP is subject to the security built into most server systems with respect to permissions on a file and directory basis. This allows you to control which files in the filesystem may be read. Care should be taken with any files which are world readable to ensure that they are safe for reading by all users who have access to that filesystem.

    Since PHP was designed to allow user level access to the filesystem, it’s entirely possible to write a PHP script that will allow you to read system files such as /etc/passwd, modify your ethernet connections, send massive printer jobs out, etc. This has some obvious implications, in that you need to ensure that the files that you read from and write to are the appropriate ones.

    Consider the following script, where a user indicates that they’d like to delete a file in their home directory. This assumes a situation where a PHP web interface is regularly used for file management, so the Apache user is allowed to delete files in the user home directories.

    Example 1:

    <?php
    // remove a file from the user's home directory
    $username = $_POST['user_submitted_name'];
    $userfile = $_POST['user_submitted_filename'];
    $homedir  = "/home/$username";
    unlink("$homedir/$userfile");
    echo "The file has been deleted!";
    ?>

    Since the username and the filename are postable from a user form, they can submit a username and a filename belonging to someone else, and delete it even if they’re not supposed to be allowed to do so. In this case, you’d want to use some other form of authentication. Consider what could happen if the variables submitted were "../etc/" and "passwd". The code would then effectively read:

    Example 2:

    <?php
    // removes a file from anywhere on the hard drive that
    // the PHP user has access to. If PHP has root access:
    $username = $_POST['user_submitted_name']; // "../etc"
    $userfile = $_POST['user_submitted_filename']; // "passwd"
    $homedir  = "/home/$username"; // "/home/../etc"
    unlink("$homedir/$userfile"); // "/home/../etc/passwd"
    echo "The file has been deleted!";
    ?>

    There are two important measures you should take to prevent these issues.

    • Only allow limited permissions to the PHP web user binary.
    • Check all variables which are submitted.

    Here is an improved script:

    Example 3:

    <?php
    // removes a file from the hard drive that
    // the PHP user has access to.
    $username = $_SERVER['REMOTE_USER']; // using an authentication mechanisim
    $userfile = basename($_POST['user_submitted_filename']);
    $homedir  = "/home/$username";
    $filepath = "$homedir/$userfile";
    if (file_exists($filepath) && unlink($filepath)) {
    $logstring = "Deleted $filepath\n";
    } else {
    $logstring = "Failed to delete $filepath\n";
    }
    $fp = fopen("/home/logging/filedelete.log", "a");
    fwrite($fp, $logstring);
    fclose($fp);
    echo htmlentities($logstring, ENT_QUOTES);
    ?>

    However, even this is not without its flaws. If your authentication system allowed users to create their own user logins, and a user chose the login "../etc/", the system is once again exposed. For this reason, you may prefer to write a more customized check:

    Example 4:

    <?php
    $username     = $_SERVER['REMOTE_USER']; // using an authentication mechanisim
    $userfile     = $_POST['user_submitted_filename'];
    $homedir      = "/home/$username";
    $filepath     = "$homedir/$userfile";
    if (!ctype_alnum($username) || !preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', $userfile)) {
        die("Bad username/filename");
    }
    //etc...
    ?>

    Depending on your operating system, there are a wide variety of files which you should be concerned about, including device entries (/dev/ or COM1), configuration files (/etc/ files and the .ini files), well known file storage areas (/home/, My Documents), etc. For this reason, it’s usually easier to create a policy where you forbid everything except for what you explicitly allow.

    Tagged with:
    Aug 25

    session_start: Cannot send session cookie – headers already sent by

    By jason PHP World No Comments »

    my session test code:

    <html>
    <head>
    <title>PHP SESSION TEST CODE</title>
    </head>
    <body>
    <?
    session_start();
    session_register("MVAR");
    $MVAR="hello world";
    echo "The content of sess variable is $MVAR";
    ?>
    <a href="call_session.php">Next page</a>
    </body>
    </html>

    Error Tips

    Warning: session_start(): Cannot send session cookie – headers already sent by (output started at d:\www\session.php:7) in d:\www\session.php on line 8

    Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at d:\www\session.php:7) in d:\www\session.php on line 8
    The content of sess variable is hello worldNext page

    Solution:

    1.Modify your php.ini file. Find the output_buffering variable and varlue is on,as output_buffering = On.

    2.Find your session save path, you can find it from php.ini of session.save_path = "c:\tmp"
       Please ensure php can write the “c:\tmp” directory.

    Tagged with:
    preload preload preload