22 May 2007

Disadvantages of PHP

The most common and most severe security vulnerabilities in PHP scripts, and indeed in any Web application, are due to poorly validated user input.

1) Calling External Programs
A call like system($userinput) is insecure because it allows the user to execute arbitrary commands on the host.

2) Database Interactions
mysql_db_query($DB, "SELECT something FROM table WHERE name=$username");

In this example, the user can use a semicolon in the input to end the current query and supply arbitrary commands to the database. The input ";drop db database" will expand to the query string "SELECT something FROM table WHERE name=;drop db database", which will result in an error (because the first part of the query is now invalid) followed by a successful drop of the entire database.

3) URL Includes and Opens
include ("http://some.site.com/some_script.php");
PHP will fetch the file from that location and include it in your script. You can also open remote files for reading the same way. This is potentially dangerous, since the remote site may be compromised or the network connection spoofed. In either case, an include() like that injects unknown and possibly hostile code directly into your script.

4) Unvalidated Input Errors
$month = $_GET['month'];

Nothing here checks what the input variable contains before it is used, so a bad value can cause an error.
The application works correctly only as long as the specified month is a number between 1 and 12.

However, a malicious user might append ";ls -la" to the year value and thereby see a listing of your Website's html directory. An extremely malicious user could append ";rm -rf *" to the year value and delete your entire Website!

Do not rely on JavaScript validation for this; it is easily bypassed by an attacker who creates their own form or disables JavaScript. Use preg_match or a similar regular-expression check instead.
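The following is an added example, not code from the original post. It applies the server-side validation the post recommends to the month value from section 4, then shows the safe forms of the two calls from sections 1 and 2: escapeshellarg() before a shell call instead of system($userinput), and a PDO prepared statement instead of the mysql_db_query string. The external program (cal), the database name, the credentials and the table name are placeholders assumed for illustration.

```php
<?php
// Added example (not from the original post): whitelist validation of the
// month value, a quoted shell argument, and a parameterized query.
// The program "cal", the DSN, the credentials and the table are placeholders.

// Whitelist: accept only a number from 1 to 12, nothing else.
function validMonth(string $input): ?int
{
    // Anchored pattern: ";ls -la", "13", "1 2" and "" all fail here.
    if (!preg_match('/^(0?[1-9]|1[0-2])$/', $input)) {
        return null;
    }
    return (int) $input;
}

$month = validMonth($_GET['month'] ?? '');
if ($month === null) {
    http_response_code(400);
    exit('month must be a number between 1 and 12');
}

// Section 1: never hand raw input to a shell. The value is already an
// integer; escapeshellarg() still quotes it so the shell cannot treat
// any part of the argument as a command separator.
$output = shell_exec('cal ' . escapeshellarg((string) $month));

// Section 2: use a prepared statement instead of building the query string.
// The driver sends $username as a bound value, so a semicolon or quote in it
// is data, not SQL, and the ";drop db" trick from section 2 has no effect.
$db   = new PDO('mysql:host=localhost;dbname=example', 'user', 'secret'); // placeholders
$stmt = $db->prepare('SELECT something FROM `table` WHERE name = :name');
$stmt->execute([':name' => $_GET['username'] ?? '']);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Validation and escaping both happen on the server, so a user who disables JavaScript or posts their own form gains nothing.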

5) Include Files
Sometimes it happens that a PHP script needs to include other files as part of itself. A lot of programmers have a tendency to name those include files with a .inc extension. The problem here is that if the server is not aware that those files are actually parts of PHP scripts, it will just show the code to whoever requested it. This gives attackers the opportunity to study the code for security holes all they want and to see any hard-coded data that may be secret.

There are several ways to prevent this. One way is to name all include files with a .php extension (or .php3, or whatever the server associates with PHP) so that the server will interpret them instead of showing them.

Another possible solution is to associate .inc files with PHP. Yet another solution would be to prevent all .inc files from being displayed at all. In Apache, the last can be achieved with a section in the httpd.conf file.
