php-general Digest 20 May 2010 14:52:10 -0000 Issue 6754
Topics (messages 305350 through 305357):
Re: Automatic PHP Security tool
305350 by: Bob McConnell
Question about a security function
305351 by: Al
305352 by: Peter Lind
305353 by: David Otton
305355 by: Ashley Sheridan
305357 by: Al
Some undefined function errors
305354 by: Giancarlo Boaron
Re: Content question
305356 by: tedd
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
From: Juan Rodriguez Monti
> I would like to know if there's some App that runs automatic tests
> against a PHP Application to detect security issues, potential bugs
> and so on.
>
> I know this kind of application exists for other fields of IT, but I
> don't know if there are some applications or tests to run against a PHP
> App. Might be some security suite or tests written in Python or Perl,
> I don't know, but I guess you might know.
>
> In this case, I just finished the development of an application
> developed in PHP with XHTML and that works with Sqlite. And I would
> like to include some security tests before it goes online. It's not
> actually working in a production environment, but it's ready to use.
You probably want to start by looking at the OWASP project.
<http://www.owasp.org/index.php/Category:OWASP_Project>
Bob McConnell
--- End Message ---
--- Begin Message ---
I have a password-protected, user, on-line editor that I'm hardening against
hackers just in case a user's pw is stolen or local PC is infected.
The user can enter html tags; but, I restrict the acceptable tags to benign
ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
Just to be extra safe, I've added a function that parses for executables in the
raw, entered text. If found, I post a nasty error message and ignore the entry
altogether.
Here are my regex patterns. I tried finding a complete list of browser
executables; but was unsuccessful, probably because I didn't use the right key
words.
Anyone have suggestions for additional patterns?
<?php
// Each entry is a PCRE fragment; the caller wraps it in delimiters and runs
// preg_match() against the raw entry.
$securityPatternsArray=array(
"\<script\x20",
"\<embed\x20",
"\<object\x20",
'language="javascript"',
'type="text/javascript"',
'type="text/vbscript"',
'language="vbscript"',
'type="text/tcl"',
"error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
"\<\?php",//Here for the heck of it. The "?" must be escaped: unescaped it makes "<" optional, so the pattern fires on any "php".
);
--- End Message ---
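To make the replies below concrete, here is an added example (not code from the original post, and not Al's own checking function, which was not posted): Al's patterns run one preg_match() at a time, the way a blacklist loop would, against payloads constructed here from the families the ha.ckers.org XSS cheat sheet lists. The '#' delimiter is an assumption ('/' would collide with "text/javascript"); the payload strings are made up for this demonstration.

```php
<?php
// Added example, not code from the original post. Al's patterns, with the
// posted "\<?php" corrected to "\<\?php" so the "<" is not optional.
$securityPatternsArray = array(
    "\<script\x20",
    "\<embed\x20",
    "\<object\x20",
    'language="javascript"',
    'type="text/javascript"',
    'type="text/vbscript"',
    'language="vbscript"',
    'type="text/tcl"',
    "error_reporting\(0\)",
    "\<\?php",
);

// True when any pattern fires, i.e. the entry would be rejected.
// No /i modifier, exactly as posted: case alone defeats the tag patterns.
function blacklist_rejects(array $patterns, $text)
{
    foreach ($patterns as $p) {
        if (preg_match('#' . $p . '#', $text)) {   // '#' delimiter is an assumption
            return true;
        }
    }
    return false;
}

// Returns the labels of the payloads the blacklist lets through untouched.
function payloads_that_pass(array $patterns, array $payloads)
{
    $passed = array();
    foreach ($payloads as $label => $html) {
        if (!blacklist_rejects($patterns, $html)) {
            $passed[] = $label;
        }
    }
    return $passed;
}

// Constructed payloads. Only the first one is caught; every other one is a
// plain variant of a vector from the ha.ckers.org cheat sheet.
$payloads = array(
    'script tag followed by a space'  => '<script src="http://evil.example/x.js"></script>',
    'script tag with no space'        => '<script>alert(1)</script>',
    'upper-case script tag'           => '<SCRIPT >alert(1)</SCRIPT>',
    'tab instead of space'            => "<script\ttype=text/javascript>alert(1)</script>",
    'event handler on an allowed tag' => '<b onmouseover="alert(1)">bold</b>',
    'javascript: URL in href'         => '<a href="javascript:alert(1)">link</a>',
    'onerror on img'                  => '<img src="x" onerror="alert(1)">',
    'iframe'                          => '<iframe src="http://evil.example/"></iframe>',
);

foreach (payloads_that_pass($securityPatternsArray, $payloads) as $label) {
    echo "passes the blacklist: $label\n";
}
```

The point is not that the list is short; adding patterns for each row above still leaves the next encoding, whitespace or tag variant uncovered, which is why the replies steer towards an allow-list on a parsed DOM rather than substring matching on the raw text.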
--- Begin Message ---
On 20 May 2010 14:53, Al <[email protected]> wrote:
> I have a password-protected, user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or local PC is infected.
>
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
>
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post a nasty error message and ignore
> the entry altogether.
>
> Here are my regex patterns. I tried finding a complete list of browser
> executables; but was unsuccessful, probably because I didn't use the right
> key words.
>
> Anyone have suggestions for additional patterns?
>
> $securityPatternsArray=array(
> "\<script\x20",
> "\<embed\x20",
> "\<object\x20",
> 'language="javascript"',
> 'type="text/javascript"',
> 'language="vbscript\"',
> 'type="text/vbscript"',
> 'language="vbscript"',
> 'type="text/tcl"',
> "error_reporting\(0\)",//Most hacks I've seen make certain they turn off error reporting
> "\<?php",//Here for the heck of it.
> );
>
Rolling your own when it comes to this is a very bad idea: chances are
you'll miss something even if asking a list like this. Much better to
use an existing tool like htmlpurifier.
Regards
Peter
--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
</hype>
--- End Message ---
--- Begin Message ---
On 20 May 2010 13:53, Al <[email protected]> wrote:
>
> I have a password-protected, user, on-line editor that I'm hardening against
> hackers just in case a user's pw is stolen or local PC is infected.
>
> The user can enter html tags; but, I restrict the acceptable tags to benign
> ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
>
> Just to be extra safe, I've added a function that parses for executables in
> the raw, entered text. If found, I post a nasty error message and ignore
> the entry altogether.
That's not really going to work. See:
http://ha.ckers.org/xss.html
Blacklisting is a fundamentally flawed approach. I suggest using
http://htmlpurifier.org/ instead.
--- End Message ---
--- Begin Message ---
On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:
> On 20 May 2010 13:53, Al <[email protected]> wrote:
> >
> > I have a password-protected, user, on-line editor that I'm hardening against
> > hackers just in case a user's pw is stolen or local PC is infected.
> >
> > The user can enter html tags; but, I restrict the acceptable tags to benign
> > ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
> >
> > Just to be extra safe, I've added a function that parses for executables in
> > the raw, entered text. If found, I post a nasty error message and ignore
> > the entry altogether.
>
> That's not really going to work. See:
>
> http://ha.ckers.org/xss.html
>
> Blacklisting is a fundamentally flawed approach. I suggest using
> http://htmlpurifier.org/ instead.
>
I agree with Peter and David, it's not generally a good idea to roll your
own in this case, as the repercussions can be quite large if things go
wrong!
If you absolutely must though, don't allow any HTML at all, and use
BBCode instead, which you can replace afterwards. Before entering the
data into a database run it through mysql_real_escape_string(), and if
you are displaying any user-entered data, run that through
htmlentities() or something similar.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
On 5/20/2010 10:07 AM, Ashley Sheridan wrote:
> On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote:
> > On 20 May 2010 13:53, Al <[email protected]> wrote:
> > > I have a password-protected, user, on-line editor that I'm hardening against
> > > hackers just in case a user's pw is stolen or local PC is infected.
> > >
> > > The user can enter html tags; but, I restrict the acceptable tags to benign
> > > ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.
> > >
> > > Just to be extra safe, I've added a function that parses for executables in
> > > the raw, entered text. If found, I post a nasty error message and ignore
> > > the entry altogether.
> >
> > That's not really going to work. See:
> > http://ha.ckers.org/xss.html
> >
> > Blacklisting is a fundamentally flawed approach. I suggest using
> > http://htmlpurifier.org/ instead.
>
> I agree with Peter and David, it's not generally a good idea to roll your
> own in this case, as the repercussions can be quite large if things go
> wrong!
>
> If you absolutely must though, don't allow any HTML at all, and use
> BBCode instead, which you can replace afterwards. Before entering the
> data into a database run it through mysql_real_escape_string(), and if
> you are displaying any user-entered data, run that through
> htmlentities() or something similar.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
I agree blacklisting is a flawed approach in general. My approach is to strictly
confine entry text to a whitelist of benign, acceptable tags. The blacklist is
sort of a backup and won't even save the entry. The user's entry has no ability
to affect anything outside of the stuff within the body tags, including the css
file.
Thanks for the heads up about htmlpurifier. I'll take a more detailed look.
I briefly looked at it earlier; but, found it was gross overkill for my needs.
My objective is to not let bad stuff into my server to start with, and not to
parse existing html and css files.
The ha.ckers site is most interesting. I plan to work with it in detail.
Al..........
--- End Message ---
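Al's reply describes an allow-list of benign tags with the blacklist as a backup. A tag allow-list on its own still passes `<b onmouseover="...">` and `<a href="javascript:...">`, because the dangerous part is an attribute or a URL scheme on a permitted tag, so attributes and URL schemes need allow-listing as well. The following is an added example, not code from the thread and not HTMLPurifier: an allow-list sanitizer built on PHP's bundled DOM extension. The tag list, the per-tag attribute list, the permitted URL schemes and the sample input are all constructed assumptions for the demonstration.

```php
<?php
// Added example, not from the original thread. Keeps only listed tags, only
// listed attributes on those tags (so on* handlers and style are removed from
// otherwise benign tags such as <b> or <table>), and only http/https/mailto
// or relative URLs in href/src. Everything else (elements, comments, CDATA)
// is dropped together with its content. Lists below are assumptions.

function safe_url($url)
{
    // Strip the control and whitespace characters browsers ignore inside a
    // scheme, so "jav<TAB>ascript:" and "&#9;" tricks cannot hide it.
    $u = preg_replace('/[\x00-\x20]+/', '', html_entity_decode($url, ENT_QUOTES, 'UTF-8'));
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return true;                       // relative URL, no scheme to abuse
    }
    return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true);
}

function clean_node(DOMNode $node, array $allowedTags, array $urlAttrs)
{
    // Copy the live NodeList first: removing a child while iterating it
    // skips the next sibling.
    $children = array();
    foreach ($node->childNodes as $c) {
        $children[] = $c;
    }
    foreach ($children as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                      // text is escaped on output by saveHTML()
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $node->removeChild($child);    // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->nodeName);
        if (!isset($allowedTags[$tag])) {
            // Drop disallowed elements with their content: for <script> the
            // text is the payload, so unwrapping it would not help.
            $node->removeChild($child);
            continue;
        }
        $names = array();
        foreach ($child->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lower = strtolower($name);
            if (!in_array($lower, $allowedTags[$tag], true)
                || (in_array($lower, $urlAttrs, true) && !safe_url($child->getAttribute($name)))) {
                $child->removeAttribute($name);
            }
        }
        clean_node($child, $allowedTags, $urlAttrs);
    }
}

function sanitize_html($html)
{
    // Assumed allow-list: tag => attributes permitted on that tag.
    $allowedTags = array(
        'p' => array(), 'b' => array(), 'i' => array(), 'br' => array(),
        'table' => array(), 'tr' => array(), 'td' => array(), 'th' => array(),
        'a' => array('href'),
        'img' => array('src', 'alt'),
    );
    $urlAttrs = array('href', 'src');

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate tag soup quietly
    $doc->loadHTML('<?xml encoding="UTF-8" ?><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body, $allowedTags, $urlAttrs);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input mixing benign markup with the vectors a blacklist misses.
$sample = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
        . '<script>alert(1)</script>'
        . '<a href="jav&#x09;ascript:alert(1)">bad</a> '
        . '<a href="https://example.com/">ok</a>'
        . '<img src="x" onerror="alert(1)"><!-- hidden -->';
echo sanitize_html($sample), "\n";
```

Two design notes. First, the check runs on a parsed tree, not on the raw string, so case, whitespace and encoding variants of a tag name are normalised by the parser before the allow-list sees them; that is the property no regex blacklist has. Second, `style` attributes and `<style>` elements are deliberately absent from the lists: CSS is its own injection surface, and handling it is one of the things a maintained library such as HTMLPurifier does that this short example does not. Output encoding (htmlentities() or htmlspecialchars(), as Ash suggests) still applies to any field that is meant to be plain text rather than HTML.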
--- Begin Message ---
Hi all.
Recently, I wrote an email about the problem I was having with some Postgres
functions that when those functions were called, I received the following
error: "Call to undefined function <function_name>".
After some answers, I decided to rebuild a brand new linux virtual machine with
Apache + PHP + Postgres, but I still get this annoying error message with some
functions like pg_prepare() and pg_escape_string().
I compiled Postgres with --without-readline option.
I compiled PHP with --with-apxs2=/usr/local/apache2/bin/apxs and
--with-pgsql=/usr/local/pgsql/
And the compilation process has no errors.
What am I doing wrong? Do I have to change something in php_config.h file? If
so, what do I have to change?
Thank you.
--- End Message ---
--- Begin Message ---
At 1:07 PM -0400 5/19/10, Ernie Kemp wrote:
This is not a direct PHP question but I will be using PHP in the website.
After a website has been created there will be a need to change, say, a
product or service page over time.
The client is asking how he will be able to make changes to these pages.
Yes, I'm a newbie at this and the only way I can think of is to edit
the page in say a HTML editor.
Please comment how you might do it another way.
Thanks very much,
..../Ernie
Hire one of us to do it. That's what many of us do for a living.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---