Securing the PHP Environment with PHPSecInfo · Ed Finkler
Securing the PHP Environment with PHPSecInfo
20070914
Ed Finkler <[email protected]>
The ubiquity of PHP
• PHP is very, very popular
• Nearly impossible to find a hosting service that doesn’t support PHP in some form
• About 34% of all domains report using PHP
• PHP is very easy to learn
• PHP provides results quickly
• Time between setup and seeing results is very short
The ubiquity of PHP
• PHP powers many busy, high-profile sites
• Wikipedia
• Wordpress.com
• Digg
• Flickr
• Yahoo (presentation layer)
NIST NVD: 2006 data
• 6604 total entries
• 2803 PHP applications
• 895 PHP app remote file inclusion
• Almost all of these could be blocked by disabling allow_url_fopen (allow_url_include in PHP 5.2+)
Breakdown of the 6604 entries (pie chart):
• PHP Language: 0.5%
• PHP Apps: remote file inclusion: 13.6%
• PHP Apps: other: 28.9%
• Other: 57.1%
What does this tell us?
• How popular PHP is
• How much of a target web apps are
• How many PHP developers are incapable of writing secure apps
• How many sysadmins don’t secure their PHP environments
The parties involved
• The System Administrator
• Directly responsible for PHP environment security
• Tendency to lower security of environment to reduce application compatibility complaints
The parties involved
• The PHP Developer
• Must be aware of the environment and how it impacts app development
• Will write apps assuming certain features are enabled, despite security risks
The parties involved
• The PHP “Deployer”
• By far the largest portion of the audience
• Uses PHP apps on a web site, but not a coder
• Not capable of assessing security of an app
• At the mercy of the SysAdmin and Developer
Requirements of PHPSecInfo
• A security auditing tool accessible to the “Deployer”
• Compatible
• Support PHP4 (85%) and PHP5 (15%)
• Easy to install
• Unzip and Upload
• Easy to execute (little or no config)
• Runs upon upload; single function call
Requirements of PHPSecInfo
• Easy to understand
• Clear, unambiguous results; color coding
• Encourage further exploration
• Offer extended explanations with links to more info
Test Suite
• 17 tests for commonly exploited security vulnerabilities in the PHP environment
• Each test result shows:
• Current Setting
• Recommended Setting
• Result (color-coded)
• Explanation
• Link to further info
• Simple metrics output
PHPSecInfo encourages accountability
Speech bubbles exchanged between the three parties:
“Sorry, we can’t support your app because it requires an insecure config!”
Sysadmins
“Our hosting is secure – PHPSecInfo says so!”
“Why does your application require an insecure configuration?”
Developers
“Why doesn’t your hosting service provide a secure PHP environment?”
Deployers
“Here’s what’s wrong with your PHP setup – fix it before you run our app!”
For advanced users
• Still a useful tool for evaluating PHP environments
• Part of an auditing toolkit for web app security experts
• Extensible test framework
• Create custom tests specific to an environment
• Full generated documentation available
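The harness below is an added example, not PHPSecInfo's own code or API, written to show the two things the slides describe: what one test result carries (current setting, recommended setting, a result code, an explanation and a link to more information) plus the simple metrics summary, and how a custom test is added by extending a base class. The class names EnvTest, IniFlagShouldBeOff and RemoteFileInclusionTest, the function run_env_tests and the per-test explanation strings are my own; the links point at phpsec.org from the "More Information" slide as a stand-in. It requires PHP 5 or later (unlike the original tool, it does not target PHP 4).

```php
<?php
// Added example (not PHPSecInfo's code): a minimal PHPSecInfo-style check harness.
// Class/method names are illustrative; the explanations and links are stand-ins.

abstract class EnvTest
{
    const RESULT_OK     = 'OK';      // setting matches the recommendation
    const RESULT_WARN   = 'WARN';    // setting is insecure
    const RESULT_NOTICE = 'NOTICE';  // could not be evaluated on this build

    abstract public function name();
    abstract public function currentSetting();
    abstract public function recommendedSetting();
    abstract public function result();
    abstract public function explanation();
    abstract public function moreInfoUrl();

    // ini_get() returns strings such as '1', 'On', '', '0'; normalise them to a bool.
    protected static function iniIsOn($value)
    {
        return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
    }

    // One row of the report: the pieces each test result shows on the slide.
    public function report()
    {
        return array(
            'test'        => $this->name(),
            'current'     => $this->currentSetting(),
            'recommended' => $this->recommendedSetting(),
            'result'      => $this->result(),
            'explanation' => $this->explanation(),
            'more_info'   => $this->moreInfoUrl(),
        );
    }
}

// Reusable test for any boolean php.ini directive whose safe value is Off.
class IniFlagShouldBeOff extends EnvTest
{
    private $directive, $why, $url;

    public function __construct($directive, $why, $url)
    {
        $this->directive = $directive;
        $this->why       = $why;
        $this->url       = $url;
    }

    public function name()               { return $this->directive; }
    public function recommendedSetting() { return 'Off'; }
    public function explanation()        { return $this->why; }
    public function moreInfoUrl()        { return $this->url; }

    public function currentSetting()
    {
        $v = ini_get($this->directive);   // false when the directive does not exist in this build
        if ($v === false) { return 'not available'; }
        return self::iniIsOn($v) ? 'On' : 'Off';
    }

    public function result()
    {
        $cur = $this->currentSetting();
        if ($cur === 'not available') { return self::RESULT_NOTICE; }
        return $cur === 'Off' ? self::RESULT_OK : self::RESULT_WARN;
    }
}

// A custom test of the kind the extensible framework allows: the remote file
// inclusion check. It looks at allow_url_include where PHP 5.2+ provides it and
// falls back to allow_url_fopen on older builds, as the NVD slide notes.
class RemoteFileInclusionTest extends IniFlagShouldBeOff
{
    public function __construct()
    {
        $directive = (ini_get('allow_url_include') !== false) ? 'allow_url_include' : 'allow_url_fopen';
        parent::__construct($directive,
            'include/require of URLs lets an attacker-controlled path pull code from a remote host.',
            'http://phpsec.org/');
    }
    public function name() { return 'remote file inclusion (' . parent::name() . ')'; }
}

// Run every test; return the rows plus the simple metrics the slide mentions.
function run_env_tests(array $tests)
{
    $rows = array();
    $metrics = array(EnvTest::RESULT_OK => 0, EnvTest::RESULT_WARN => 0, EnvTest::RESULT_NOTICE => 0);
    foreach ($tests as $t) {
        $row = $t->report();
        $rows[] = $row;
        $metrics[$row['result']]++;
    }
    return array('results' => $rows, 'metrics' => $metrics);
}

$out = run_env_tests(array(
    new RemoteFileInclusionTest(),
    new IniFlagShouldBeOff('register_globals', 'Request input becomes global variables; uninitialised variables can be seeded by a visitor.', 'http://phpsec.org/'),
    new IniFlagShouldBeOff('display_errors', 'Error output leaks paths, queries and traces to visitors; log errors instead.', 'http://phpsec.org/'),
));
foreach ($out['results'] as $r) {
    printf("%-45s current=%-14s recommended=%-4s %s\n", $r['test'], $r['current'], $r['recommended'], $r['result']);
}
printf("OK=%d WARN=%d NOTICE=%d\n", $out['metrics']['OK'], $out['metrics']['WARN'], $out['metrics']['NOTICE']);
```

Run it with `php harness.php` on the host being audited, since the values come from that interpreter's php.ini. The NOTICE result is deliberate: a directive that does not exist on the build (register_globals on PHP 5.4 and later, allow_url_include before 5.2) is neither a pass nor a failure, and reporting it as such keeps a deployer from reading "missing" as "safe".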
Zend_Environment Security Module
• Part of Zend Framework
• PHP5-only
• Zend_Environment offers programmatic access to PHP environment information
• Zend_Environment security module based on PHPSecInfo
• Offers better (for now) programmatic access to test results
• More flexible output (HTML, Text, etc)
• Part of a full-featured development framework
What the future may bring
• New view system & new output formats (xml, console, html themes, etc)
• Better IIS support
• Instantiate and obtain results programmatically for embedding in apps
• Security testing during installation process, et al
More Information
phpsecinfo.com
phpsec.org
cerias.purdue.edu
framework.zend.com
Slides: works site or funkatron.com