Re: [PHP] Security Issues - Where to look?

2005-11-08 Thread Paul Waring
On Mon, Nov 07, 2005 at 01:50:59PM -0800, Richard wrote:
> I've heard that php is not particularly secure, making it problematic if you
> intend to create a web site with commerce, etc. Is there a particular news
> group that addresses security issues? I'm looking for some guidelines on
> ensuring that my site is secure from malicious hackers.

Other people have already addressed issues about writing secure code,
but if you're concerned about PHP itself being inherently insecure you
could always take a look at Hardened-PHP:

http://www.hardened-php.net/

I haven't used it myself, so can't vouch for how secure it actually is.
Obviously any system is only going to be as strong as its weakest link,
so if you have users with guessable passwords then you'd want to address
that before worrying about whether PHP is secure or not (and of all the
vulnerabilities that I've seen exploited on servers, the two major
problems are insecure scripts - such as phpBB - not being kept up to
date, and users choosing poor passwords or giving out their login
details to other people).

Paul

-- 
Rogue Tory
http://www.roguetory.org.uk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Security Issues - Where to look?

2005-11-08 Thread Richard Lynch
On Mon, November 7, 2005 3:50 pm, Richard wrote:
> I've heard that php is not particularly secure, making it problematic
> if you intend to create a web site with commerce, etc. Is there a
> particular news group that addresses security issues? I'm looking for
> some guidelines on ensuring that my site is secure from malicious
> hackers.

I've heard that New York is an unsafe city, making it problematic if
you intend to open a business there with cash registers, etc.

http://phpsec.org/
should probably be in your bookmarks...

Or not, because you should memorize it.  Not the URL.  The whole site.
:-)

-- 
Like Music?
http://l-i-e.com/artists.htm




RE: [PHP] Security Issues - Where to look?

2005-11-07 Thread Pablo Gosse
[snip]
I've heard that php is not particularly secure, making it problematic if
you intend to create a web site with commerce, etc. Is there a particular
news group that addresses security issues? I'm looking for some guidelines
on ensuring that my site is secure from malicious hackers.
[/snip]

It's not so much that PHP is not particularly secure, but rather that
some of the people who use it don't know how to make it work in a secure
manner.

Configured and coded properly a PHP application can be very, very
secure.  

However, without careful configuration and good coding it's also
possible to create very, very insecure applications using PHP.  Or .NET.
Or Java.  Or Cold Fusion.  Or JSP.

It's not the technology that's insecure, but the method by which it's
implemented. 

Why not check out these links:

http://www.google.ca/search?q=php+security

http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

http://phpsec.org/

Cheers,

Pablo




Re: [PHP] Security Issues - Where to look?

2005-11-07 Thread Richard Davey
Hi Richard,

Monday, November 7, 2005, 9:50:59 PM, you wrote:

> I've heard that php is not particularly secure, making it
> problematic if you intend to create a web site with commerce, etc.
> Is there a particular news group that addresses security issues? I'm
> looking for some guidelines on ensuring that my site is secure from
> malicious hackers.

The security of the application will be ultimately down to two
factors: you, and your hosting environment.

Server security is beyond the scope of this mailing list, and is a
multi-faceted and complex area. Shoring up your OS, Apache and the
likes can take years of skill. Or of course, your sys admin / web host
does this all for you. Even so, it's an area not to be ignored. You
can write the most secure application in the world, but if you've gone
and chmod 777'd your directories on a shared box, you're anyone's
target.

The security of your application is down to you however. There is a
PHP security mailing list, but it's more for announcements than
discussion. As for guidelines there are many free on-line resources,
and you'd do worse than to start here: http://phpsec.org/library/

The majority of those documents are aimed at experienced PHP
developers however. And the majority of blatant security holes come
from the inexperienced who weren't aware of what they were doing wrong
in the first place. There are several books available on the subject
now, any (or all) of them would give you the grounding you need to
know BEFORE you start coding:

Pro PHP Security by Snyder & Southwell (Apress)
php architect's Guide to PHP Security by Ilia Alshanetsky (Nanobooks)
Essential PHP Security by Chris Shiflett (O'Reilly)

Also some on-line talks: http://brainbulb.com/talks

php architect magazine has a security column each month as well
(www.phparch.com)

There's a lot of reading material out there. Just make sure you read
it _before_ you start building, it'll save you days, if not weeks, of
code changes.

Cheers,

Rich
-- 
Zend Certified Engineer
PHP Development Services
http://www.corephp.co.uk




Re: [PHP] Security issues

2004-01-14 Thread memoimyself
Hi Chris,

First of all, thanks a lot for sharing your modus operandi with us.

On 14 Jan 2004 at 7:32, Chris W wrote:

> I then verify that every character in the string is within the ascii
> range of a space to the ~ which is basically all the characters on the
> keyboard.

How exactly are you performing this check? Regular expression matching? If so, what 
regular expression are you using?

Thanks,

Erik




Re: [PHP] Security issues

2004-01-14 Thread Chris W
[EMAIL PROTECTED] wrote:

> Hi Chris,
>
> First of all, thanks a lot for sharing your modus operandi with us.
>
> On 14 Jan 2004 at 7:32, Chris W wrote:
>
>> I then verify that every character in the string is within the ascii
>> range of a space to the ~ which is basically all the characters on the
>> keyboard.
>
> How exactly are you performing this check? Regular expression matching? If so, what
> regular expression are you using?
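
function validStr($s, $len)
{
  // Reject strings longer than the allowed length.
  if (strlen($s) > $len) {
    return false;
  }
  // Every character must lie between space (0x20) and '~' (0x7E).
  for ($i = 0; $i < strlen($s); $i++) {
    if ($s[$i] < ' ' or $s[$i] > '~') {
      return false;
    }
  }
  return true;
}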
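
Added example, not part of the original messages: the regular-expression form of the check Erik asks about, next to a looser pattern that shows why the end anchor matters. The function names and the sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** True when $s is at most $maxLen bytes and every byte is 0x20..0x7E. */
function isPrintableAscii(string $s, int $maxLen): bool
{
    if (strlen($s) > $maxLen) {
        return false;
    }
    // \z anchors at the very end of the string. A bare "$" also matches
    // just before a trailing "\n", which would let "admin\n" through.
    return preg_match('/\A[\x20-\x7E]*\z/', $s) === 1;
}

/** Same character class with "^...$" anchors, kept only to show the pitfall. */
function isPrintableAsciiLoose(string $s): bool
{
    return preg_match('/^[\x20-\x7E]*$/', $s) === 1;
}

// Constructed sample inputs.
$samples = [
    'plain'            => 'Hello, world!',
    'trailing newline' => "admin\n",
    'embedded NUL'     => "file.php\0.jpg",
    'UTF-8 e-acute'    => "caf\xC3\xA9",
    'too long'         => str_repeat('a', 33),
];

foreach ($samples as $label => $value) {
    printf(
        "%-17s strict=%-5s loose=%s\n",
        $label,
        var_export(isPrintableAscii($value, 32), true),
        var_export(isPrintableAsciiLoose($value), true)
    );
}
```

Only the first sample passes the strict check; the loose pattern also accepts the string with the trailing newline and has no length limit.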


Re: [PHP] security issues on shared servers

2003-02-19 Thread David Feldman
Thanks. Looks like a properly configured safe mode could eliminate a  
lot of problems. A few follow-up questions:

1. I see in the PHP doc comments a patch for Apache  
(http://luxik.cdi.cz/~devik/apache/) that runs different virtual hosts  
as different users. Anyone know anything about it, in terms of safety,  
effectiveness, stability, speed?

2. With safe mode enabled and all shell-access functions disabled  
through disabled_functions, it looks like most to all of problem (1) in  
my original email would be eliminated. But how do you specify the  
backtick operator in disabled_functions?

--Dave

On Tuesday, February 18, 2003, at 09:27 PM, Jason Sheets wrote:

> If your hosting provider has enabled safe mode then others can not
> include scripts that have a different uid than the owner of the current
> script, that prevents them from including your code.
>
> As far as the files go you could checksum them or if you are honestly
> concerned about them being changed store them in your database where
> only you have write access, the problem with that is that for your
> application to connect to your database it must know the db password, if
> the other users have shell access they can read your application's source
> code and connect to your db as your application.
>
> Bottom line, safe mode makes PHP a lot safer in multi user environments
> but you are always going to be exposed when you go with a multi user
> environment.
>
> Any programming language/application encounters these problems when
> introduced into a large multi user environment, switching programming
> languages would not alleviate these security issues.
>
> On Tue, 2003-02-18 at 15:49, David Feldman wrote:
>> I run a PHP-based Web site hosted on a shared UNIX server provided by a
>> pretty standard Web hosting company -- as I imagine do many people.
>> There are a lot of users on this server, and I know nothing about them.
>> Apache (and thus PHP) generally runs as www or nobody, so although each
>> user on this shared server has a separate account, all PHP scripts run
>> as the same user. As such, I have a few security concerns:
>>
>> 1. I restrict access to certain portions of my site, either with
>> .htaccess/.htpasswd files or with a PHP equivalent. This works fine for
>> anyone using a Web browser, but it leaves a security hole: One can
>> write a PHP script that circumvents the Apache access restrictions,
>> either by calling a UNIX shell command (using passthru(), backticks,
>> etc., only some of which are blocked on my server), or, more
>> disturbingly, by using the include command. Using either of these
>> methods in a publicly available page can circumvent htaccess- or
>> PHP-based authorization and output the contents of a supposedly
>> restricted file, _including_ a file in another user's Web site.
>>
>> 2. I am working on a PHP script that allows users to upload images,
>> view them, and ultimately send them over email. All the problems listed
>> in (1) apply, but in addition, these images' owner is www or nobody,
>> the user PHP runs as. As such, not only could other users on the same
>> shared server view these uploaded files, they could modify or delete
>> them through a PHP script, and it doesn't matter what I set the access
>> privileges to with chmod(), since they can call chmod() on the files
>> themselves. Now, I can run a checksum at upload time and verify it
>> later on to ensure that uploaded files haven't been changed. But that
>> might still leave a few seconds (between upload and checksum) during
>> which a file could be altered, and doesn't protect against deletions.
>>
>> Both (1) and (2) are disturbing to me, since if I'm protecting a
>> portion of my site I don't want several hundred random people (whose
>> only qualification is that they purchased Web space at the same company
>> I did) to have access to it. Is there any way, short of a dedicated
>> server or a wholesale switch to another server-side language, to avoid
>> these problems?
>>
>> Thanks.
>>
>> --Dave
>>
>> --
>> David Feldman
>> User Interface Designer





Re: [PHP] security issues on shared servers

2003-02-19 Thread David Feldman
OK, my question #2 below is answered by the docs: Safe mode disabled
the backtick operator. But having turned on safe mode on my local test
server, I have another question: Suddenly my include statements that
use relative paths don't work. For example:

  include "/absolute/path/to/include/file.php";

works fine, but

  include "include/file.php";

doesn't. I don't see anything in the docs about this...what's going on?

Thanks again,
--Dave

On Wednesday, February 19, 2003, at 08:03 AM, David Feldman wrote:

> Thanks. Looks like a properly configured safe mode could eliminate a
> lot of problems. A few follow-up questions:
>
> 1. I see in the PHP doc comments a patch for Apache
> (http://luxik.cdi.cz/~devik/apache/) that runs different virtual hosts
> as different users. Anyone know anything about it, in terms of safety,
> effectiveness, stability, speed?
>
> 2. With safe mode enabled and all shell-access functions disabled
> through disabled_functions, it looks like most to all of problem (1)
> in my original email would be eliminated. But how do you specify the
> backtick operator in disabled_functions?
>
> --Dave





Re: [PHP] security issues on shared servers

2003-02-18 Thread Jason Sheets
If your hosting provider has enabled safe mode then others can not
include scripts that have a different uid than the owner of the current
script, that prevents them from including your code.

As far as the files go you could checksum them or if you are honestly
concerned about them being changed store them in your database where
only you have write access, the problem with that is that for your
application to connect to your database it must know the db password, if
the other users have shell access they can read your application's source
code and connect to your db as your application.

Bottom line, safe mode makes PHP a lot safer in multi user environments
but you are always going to be exposed when you go with a multi user
environment.

Any programming language/application encounters these problems when
introduced into a large multi user environment, switching programming
languages would not alleviate these security issues.


On Tue, 2003-02-18 at 15:49, David Feldman wrote:
> I run a PHP-based Web site hosted on a shared UNIX server provided by a
> pretty standard Web hosting company -- as I imagine do many people.
> There are a lot of users on this server, and I know nothing about them.
> Apache (and thus PHP) generally runs as www or nobody, so although each
> user on this shared server has a separate account, all PHP scripts run
> as the same user. As such, I have a few security concerns:
>
> 1. I restrict access to certain portions of my site, either with
> .htaccess/.htpasswd files or with a PHP equivalent. This works fine for
> anyone using a Web browser, but it leaves a security hole: One can
> write a PHP script that circumvents the Apache access restrictions,
> either by calling a UNIX shell command (using passthru(), backticks,
> etc., only some of which are blocked on my server), or, more
> disturbingly, by using the include command. Using either of these
> methods in a publicly available page can circumvent htaccess- or
> PHP-based authorization and output the contents of a supposedly
> restricted file, _including_ a file in another user's Web site.
>
> 2. I am working on a PHP script that allows users to upload images,
> view them, and ultimately send them over email. All the problems listed
> in (1) apply, but in addition, these images' owner is www or nobody,
> the user PHP runs as. As such, not only could other users on the same
> shared server view these uploaded files, they could modify or delete
> them through a PHP script, and it doesn't matter what I set the access
> privileges to with chmod(), since they can call chmod() on the files
> themselves. Now, I can run a checksum at upload time and verify it
> later on to ensure that uploaded files haven't been changed. But that
> might still leave a few seconds (between upload and checksum) during
> which a file could be altered, and doesn't protect against deletions.
>
> Both (1) and (2) are disturbing to me, since if I'm protecting a
> portion of my site I don't want several hundred random people (whose
> only qualification is that they purchased Web space at the same company
> I did) to have access to it. Is there any way, short of a dedicated
> server or a wholesale switch to another server-side language, to avoid
> these problems?
>
> Thanks.
>
> --Dave
>
> --
> David Feldman
> User Interface Designer
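
Added example, not from the thread: the checksum approach discussed in this exchange, with digests held in an array that stands in for the database table Jason suggests. It detects modified and deleted uploads but does not prevent either; the function names and file contents are constructed.

```php
<?php
declare(strict_types=1);

/** Record the SHA-256 digest of a stored upload in $manifest. */
function recordUpload(array &$manifest, string $path): void
{
    $digest = hash_file('sha256', $path);
    if ($digest === false) {
        throw new RuntimeException("cannot hash $path");
    }
    $manifest[$path] = $digest;
}

/** Return 'ok', 'modified', 'missing' or 'unknown' for $path. */
function checkUpload(array $manifest, string $path): string
{
    if (!isset($manifest[$path])) {
        return 'unknown';   // never recorded: treat as untrusted
    }
    if (!is_file($path)) {
        return 'missing';   // deleted after it was recorded
    }
    $current = hash_file('sha256', $path);
    if ($current === false) {
        return 'missing';   // vanished or unreadable between the two calls
    }
    return hash_equals($manifest[$path], $current) ? 'ok' : 'modified';
}

// Constructed demo: three "uploads" written to the temp directory.
$manifest = [];   // stands in for a table only the site owner can write
$files = [];
foreach (['a', 'b', 'c'] as $name) {
    $files[$name] = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($files[$name], "image bytes for $name");
    recordUpload($manifest, $files[$name]);
}

file_put_contents($files['b'], 'tampered');  // another account edits the file
unlink($files['c']);                         // another account deletes the file

foreach ($files as $name => $path) {
    echo $name, ': ', checkUpload($manifest, $path), "\n";
}

// Clean up the demo files that still exist.
unlink($files['a']);
unlink($files['b']);
```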
 
 