Securing your PHP code

Thursday, February 11, 2010 by BBTUNA
It is natural to want to secure your website, or so you would think. PHP comes with plenty of security features that many web developers never consider when coding a site. Security is there to protect your members' sensitive data, to prevent defacements and, at worst, to prevent server compromise. I will cover a couple of security measures you can use when writing "proper" PHP code. Nobody wants to wake up to a website that was hacked overnight, or while you were on the shitter.

Some of the most basic and most overlooked things are cleaning your variables and all user input. Many variables can be overwritten with data supplied by a malicious user. Let's say you have an admin panel on your website that is not the most secure thing, y'know, but it works well. Someone finds a hole or brute-forces their way in without leaving any visible trace. That admin panel may be able to delete files. What's to say the attacker doesn't just delete your files but goes ahead and deletes passwd entries or other sensitive server files, whatever was stopping them from advancing?

All input coming in from the "outside" should be checked for malicious content! I will not cover security with your database here. I have written many articles on SQL injection; if you don't know what it is, please research it. Database security is very important, but it is out of scope for this post.

Magic Quotes
Magic quotes look like a "godsend" when it comes to dealing with user input. When this option is turned on (in your php.ini) the runtime escapes every single quote, double quote, backslash and NUL byte in the user's input with a backslash, exactly as addslashes() would. The problem with turning magic quotes on is that maybe you want your users to be able to use single or double quotes, or you are handling uploaded data that must not be altered. If you turn it off, you can parse the user-entered strings yourself at runtime and escape them for whatever context they end up in. Note that magic quotes were deprecated in PHP 5.3 and removed in 5.4, so they are a stopgap, not something to build on.

If you're new to PHP I would suggest leaving this on until you learn how to properly parse and display data that users enter, while remembering that escaping everything with a backslash only fits a database context and does nothing for HTML output. I personally use a "clean" function that I've written. I will give you a basic "on-the-fly" one just for this tutorial so you can start building your own cleaning function.

<?php
// Undo the backslashes magic_quotes_gpc added, then neutralise HTML.
function clean($string) {
    // Only strip slashes if the runtime added them; doing it
    // unconditionally eats legitimate backslashes such as C:\temp.
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // Drop tags before encoding; strip_tags after htmlentities finds nothing.
    $string = strip_tags($string);
    // ENT_QUOTES also encodes single quotes, so the value is safe in attributes.
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');
    return $string;
}
?>

You would use this function like below, if your user was submitting a form that required a username.

<?php
$username = isset($_POST['username']) ? $_POST['username'] : '';
echo clean($username);
?>

There are three directives for magic quotes; refer to the php.net manual for details. magic_quotes_gpc deals with request data (GET, POST and cookies). magic_quotes_runtime deals with data read at runtime from external sources such as flat files and databases. The third, magic_quotes_sybase, overrides magic_quotes_gpc when both are enabled: it escapes a single quote by doubling it (' becomes '') and leaves double quotes, backslashes and NUL bytes untouched, so code that expects backslash escaping will be wrong.
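The "parse at runtime" approach mentioned above, as an added example that is not part of the original post: undo magic_quotes_gpc once per request so the rest of the script works with the raw bytes the user sent, then escape at the point of output for the context being written. The function names (undo_magic_quotes, normalise_request, html) and the sample request array are this example's own.

```php
<?php
// Added example, not from the original post. Undo magic_quotes_gpc once per
// request, then escape per output context. Function names are this example's own.

// Recursively remove the backslashes magic_quotes_gpc added. Keys are
// escaped as well when the option is on, so they are stripped too.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[stripslashes($key)] = undo_magic_quotes($item);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Only touch request data if the runtime really escaped it. Stripping
// unconditionally would eat legitimate backslashes such as "C:\temp".
// get_magic_quotes_gpc() exists from PHP 4 to 7.3 and returns false from 5.4 on.
function normalise_request()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = undo_magic_quotes($_GET);
        $_POST   = undo_magic_quotes($_POST);
        $_COOKIE = undo_magic_quotes($_COOKIE);
    }
}

// Escaping belongs at the point of output, for the context being written.
// ENT_QUOTES covers ' as well as ", so the value is safe inside attributes.
function html($string)
{
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

normalise_request();

// Constructed sample: what $_POST['username'] looks like with
// magic_quotes_gpc on after the user typed   O'Brien <b>x</b> "q" C:\temp
// (PHP single-quoted literal, so \\ is one backslash and \' is one quote).
$magic_quoted = array('username' => 'O\\\'Brien <b>x</b> \\"q\\" C:\\\\temp');

$raw = undo_magic_quotes($magic_quoted);
// $raw['username'] is exactly what was typed: store that, escape on the way out.
echo '<input name="username" value="', html($raw['username']), '">', "\n";

// Contrast: the same kind of value sent with magic quotes OFF and then run
// through an unconditional stripslashes() loses its path separators.
$plain = 'C:\\temp\\report.txt';
echo stripslashes($plain), "\n";
```

The split matters: the undo step runs once, early, and is conditional on the runtime actually having escaped the data; the escaping step runs every time a value is written into HTML and knows which context it is writing into. A single "clean everything" function cannot do both jobs correctly, because the right escaping for an HTML attribute, a URL and a database query are three different things.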
---------------

Security Through Obscurity
Recently, you may not have noticed it but I sure have, I have seen websites where an ASP or Perl extension appears in place of the usual .php when you know for a 100% fact that the site is running a PHP/SQL front and back end. This is "security through obscurity": instead of telling attackers you are using PHP scripts, you mislead them into thinking you are running Perl or Python or whatever type of script you want.

For example, you run a PHP script with the .php extension, like normal. Rather than showing the world your "hello.php" script, you can use Apache to "hide" or "obscure" the real file's extension. So instead of "hello.php" you could disguise the file to viewers as Perl, "hello.pl", even though it is a PHP script, like so...

AddType application/x-httpd-php .asp .py .pl

My favourite is making up my own file extensions, like .sun or .fuck:

AddType application/x-httpd-php .sun .fuck .1e3t

I'm sure that when an attacker who is just looking for something to fuck with comes across a .sun file that runs like a PHP file, they will be heartbroken and confused. Give it a try. The lines above go in the Apache configuration file (or in a .htaccess file where AllowOverride permits it). If you are on shared hosting you may not have access to the Apache configuration files; maybe you could make some suggestions to your host. Keep in mind that this only hides the extension: PHP still announces itself through the X-Powered-By response header unless expose_php is set to Off in php.ini, and through the default PHPSESSID cookie name unless session.name is changed, so obscurity is a speed bump, never a substitute for the fixes in the rest of this post.
---------------

Register Globals
This was a big change when PHP 4.2 came out: register_globals went from on to off by default. It is an on/off option in the php.ini file. PHP does not force you to initialise variables like other languages do, and because of this people think it is a very insecure language. When register_globals is on, a request can set a variable directly in the script's global scope. The best kind of example is a member login form. Let's say register_globals is on and $authed is never initialised...

<?php
// $authed is never initialised, so with register_globals on the request decides its value.
if ($authed == true) {
    echo "my sensitive information";
}
?>

Any user can get to the "sensitive information" by sending a GET request. You could do this via telnet or in a browser, like so: sin.php?authed=true, which reveals the sensitive information. Turning register_globals off defeats this: now when we visit sin.php?authed=true the page is blank, because users can no longer initialise variables from an external source. (register_globals was deprecated in PHP 5.3 and removed in 5.4, and the habit that really closes the hole is to initialise $authed = false before you test it.) Another way to protect your variables from external sources is to check whether a request tried to submit them via GET or POST.

<?php
$authed = true; // set by the script itself, e.g. after a real login check

// Reject the request if it carries a parameter with the same name as our flag.
if (isset($_POST['authed']) || isset($_GET['authed'])) {
    echo "variable violation";
} else {
    if ($authed == true) {
        echo "my sensitive information";
    }
}
?>

By monitoring the GET and POST requests we can check whether someone is trying to inject something into our variables that the script itself did not set. This is usually followed not only by a message telling them they have tampered with the variable, but also by a mail() to notify the site's admins. I love this one.
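The two habits that close this hole regardless of the ini setting, plus a reusable version of the "variable violation" check above, as an added example that is not part of the original post. The function names (login_gate_broken, login_gate_fixed, request_violations), the protected-name list and the constructed request are this example's own; error_log() stands in for the mail() the post describes.

```php
<?php
// Added example, not from the original post. Shows why "always initialise"
// beats relying on register_globals=Off, how extract() reintroduces the same
// bug, and a generalised version of the post's request check.
// Function names are this example's own; $_SESSION is only read, so the
// script runs without a session having been started.

// Constructed request: the attacker called sin.php?authed=1. With
// register_globals on, the runtime would already have created $authed = '1'.
$_GET = array('authed' => '1', 'page' => 'home');

// Habit 1: never let extract() or import_request_variables() near request
// data. This function is register_globals by hand.
function login_gate_broken()
{
    extract($_GET);                       // now $authed == '1'
    return isset($authed) && $authed ? 'sensitive' : 'denied';
}

// Habit 2: initialise the flag yourself and derive it from server-side
// state. Even with register_globals on, the assignment overwrites whatever
// the request injected, so the ini setting stops mattering.
function login_gate_fixed()
{
    $authed = false;
    if (isset($_SESSION['user_id'])) {   // the only legitimate source of truth
        $authed = true;
    }
    return $authed ? 'sensitive' : 'denied';
}

// The post's check, generalised: report every protected name that appears
// in GET, POST or COOKIE so the caller can log it, mail the admins and bail.
function request_violations(array $protected)
{
    $sources = array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);
    $hits = array();
    foreach ($sources as $label => $vars) {
        foreach ($protected as $name) {
            if (array_key_exists($name, $vars)) {
                $hits[] = $label . ':' . $name;
            }
        }
    }
    return $hits;
}

echo 'broken gate: ', login_gate_broken(), "\n";
echo 'fixed gate:  ', login_gate_fixed(), "\n";

$violations = request_violations(array('authed', 'is_admin', 'user_id'));
if ($violations) {
    $who = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    // Log (or mail) the attempt; never echo the attacker's values back
    // into the page unescaped.
    error_log('variable injection attempt from ' . $who . ': ' . implode(', ', $violations));
    header('HTTP/1.1 400 Bad Request');
    exit('variable violation');
}
```

Run from the command line the constructed request makes the broken gate hand out the sensitive branch while the fixed gate denies it, and request_violations() reports GET:authed so the script bails before any page logic runs. In a real application the violation check belongs at the top of a shared include so it runs before every page, and the protected-name list should contain every variable your code tests for authorisation.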