[PHP-DOC] cvs: phpdoc /en/chapters security.xml
derick Fri Jun 20 15:12:34 2003 EDT
Removed files: /phpdoc/en/chapters security.xml
Log: - Moved to security/index.xml
-- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DOC] cvs: phpdoc /en/chapters security.xml /en/features file-upload.xml /en/language variables.xml /en/reference/oci8/functions ocinewdescriptor.xml /en/reference/yaz reference.xml
Philip Olson wrote:
philip Wed Jun 11 18:03:10 2003 EDT Modified files: /phpdoc/en/chapters security.xml /phpdoc/en/features file-upload.xml /phpdoc/en/language variables.xml /phpdoc/en/reference/oci8/functions ocinewdescriptor.xml /phpdoc/en/reference/yaz reference.xml Log: Use of proper case

Just a note: the HTML 4.01 DTD defines the possible values as (GET|POST) [case insensitive], but the XHTML 1.0 DTD defines it as (get|post) [case sensitive].
http://www.w3.org/TR/xhtml1/dtds.html#dtdentry_xhtml1-strict.dtd_form

This section details that in HTML 4.01 these were case insensitive, while in XHTML 1 these are case sensitive:
http://www.w3.org/TR/xhtml1/#h-4.11

So the future-compatible method= is get and post, lowercased, not the uppercased one you introduced. I know we mostly have HTML examples and not XHTML ones, but we are going to have XHTML ones in the future, I suppose.

Goba
[PHP-DOC] cvs: phpdoc /en/chapters security.xml /en/features file-upload.xml /en/language variables.xml /en/reference/oci8/functions ocinewdescriptor.xml /en/reference/yaz reference.xml
philip Wed Jun 11 18:03:10 2003 EDT Modified files: /phpdoc/en/chapters security.xml /phpdoc/en/features file-upload.xml /phpdoc/en/language variables.xml /phpdoc/en/reference/oci8/functions ocinewdescriptor.xml /phpdoc/en/reference/yazreference.xml Log: Use of proper case Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.56 phpdoc/en/chapters/security.xml:1.57 --- phpdoc/en/chapters/security.xml:1.56Wed May 21 06:34:22 2003 +++ phpdoc/en/chapters/security.xml Wed Jun 11 18:03:09 2003 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.56 $ -- +!-- $Revision: 1.57 $ -- chapter id=security titleSecurity/title @@ -920,7 +920,7 @@ titleAttacking Variables with a custom HTML page/title programlisting role=php ![CDATA[ -form method=post action=attacktarget?username=badfoopassword=badfoo +form method=POST action=attacktarget?username=badfoopassword=badfoo input type=hidden name=username value=badfoo input type=hidden name=password value=badfoo /form @@ -947,7 +947,7 @@ titleExploiting common debugging variables/title programlisting role=php ![CDATA[ -form method=post action=attacktarget?errors=Yamp;showerrors=1debug=1 +form method=POST action=attacktarget?errors=Yamp;showerrors=1debug=1 input type=hidden name=errors value=Y input type=hidden name=showerrors value=1 input type=hidden name=debug value=1 Index: phpdoc/en/features/file-upload.xml diff -u phpdoc/en/features/file-upload.xml:1.61 phpdoc/en/features/file-upload.xml:1.62 --- phpdoc/en/features/file-upload.xml:1.61 Wed Jun 11 17:13:57 2003 +++ phpdoc/en/features/file-upload.xml Wed Jun 11 18:03:09 2003 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.61 $ -- +!-- $Revision: 1.62 $ -- chapter id=features.file-upload titleHandling file uploads/title 
@@ -40,7 +40,7 @@ titleFile Upload Form/title programlisting role=html ![CDATA[ -form enctype=multipart/form-data action=_URL_ method=post +form enctype=multipart/form-data action=_URL_ method=POST input type=hidden name=MAX_FILE_SIZE value=3 Send this file: input name=userfile type=file input type=submit value=Send File @@ -355,7 +355,7 @@ titleUploading multiple files/title programlisting role=html ![CDATA[ -form action=file-upload.php method=post enctype=multipart/form-data +form action=file-upload.php method=POST enctype=multipart/form-data Send these files:br input name=userfile[] type=filebr input name=userfile[] type=filebr Index: phpdoc/en/language/variables.xml diff -u phpdoc/en/language/variables.xml:1.61 phpdoc/en/language/variables.xml:1.62 --- phpdoc/en/language/variables.xml:1.61 Sat Jun 7 13:40:41 2003 +++ phpdoc/en/language/variables.xmlWed Jun 11 18:03:09 2003 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.61 $ -- +!-- $Revision: 1.62 $ -- chapter id=language.variables titleVariables/title @@ -753,7 +753,7 @@ titleA simple HTML form/title programlisting role=html ![CDATA[ -form action=foo.php method=post +form action=foo.php method=POST Name: input type=text name=usernamebr Email: input type=text name=emailbr input type=submit name=submit value=Submit me! @@ -859,7 +859,7 @@ print '/pre'; } else { ? -form action=?php echo $HTTP_SERVER_VARS['PHP_SELF']; ? method=post +form action=?php echo $HTTP_SERVER_VARS['PHP_SELF']; ? method=POST Name: input type=text name=personal[name]br Email: input type=text name=personal[email]br Beer: br Index: phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml diff -u phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml:1.3 phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml:1.4 --- phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml:1.3 Mon Feb 10 22:06:15 2003 +++ phpdoc/en/reference/oci8/functions/ocinewdescriptor.xml Wed Jun 11 18:03:09 2003 
@@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.3 $ -- +!-- $Revision: 1.4 $ -- !-- splitted from ./en/functions/oci8.xml, last change in rev 1.2 -- refentry id=function.ocinewdescriptor refnamediv @@ -62,13 +62,13 @@ ?php /* This script demonstrates file upload to LOB columns * The formfield used for this example looks like this - * form action=upload.php method=post enctype=multipart/form-data + * form action=upload.php method=POST enctype=multipart/form-data * input type=file name=lob_upload * ... */ if(!isset($lob_upload) || $lob_upload == 'none'){ ? -form action=upload.php method=post enctype=multipart/form-data +form action=upload.php method=POST enctype=multipart/form-data Upload file: input type=file name=lob_uploadbr input type=submit value=Upload - input type=reset /form Index: phpdoc/en/reference/yaz/reference.xml diff -u phpdoc/en/reference/yaz/reference.xml:1.9
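Review bot: changing `method=post` to `method=POST` in every form example here (security.xml, file-upload.xml, variables.xml and ocinewdescriptor.xml) trades XHTML validity for nothing: HTML 4.01 accepts the attribute value in either case, but the XHTML 1.0 DTD declares it as (get|post) and is case-sensitive, so the lowercase spelling is the one that is valid under both. Suggest reverting these hunks to `method=post`; the log line "Use of proper case" should also say which specification the chosen case follows.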
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
alindeman Wed Mar 26 21:35:18 2003 EDT Modified files: /phpdoc/en/chapters security.xml Log: fixing bug #22915 Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.51 phpdoc/en/chapters/security.xml:1.52 --- phpdoc/en/chapters/security.xml:1.51Sun Jan 19 05:30:14 2003 +++ phpdoc/en/chapters/security.xml Wed Mar 26 21:35:18 2003 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.51 $ -- +!-- $Revision: 1.52 $ -- chapter id=security titleSecurity/title @@ -1011,7 +1011,7 @@ $good_login = 1; } if ($good_login == 1) { // If above test fails, not initialized or checked before usage -fpassthru (/highly/sensitive/data/index.html); +readfile (/highly/sensitive/data/index.html); } ? ]] @@ -1046,7 +1046,7 @@ } if ($good_login == 1) { // can be forged by a user in get/post/cookies, -fpassthru (/highly/sensitive/data/index.html); +readfile (/highly/sensitive/data/index.html); } ? ]] @@ -1060,7 +1060,7 @@ if($_COOKIE['username']){ // can only come from a cookie, forged or otherwise $good_login = 1; -fpassthru (/highly/sensitive/data/index.html); +readfile (/highly/sensitive/data/index.html); } ? ]] @@ -1083,7 +1083,7 @@ !$_GET['username'] ) { // Perform other checks to validate the user name... $good_login = 1; -fpassthru (/highly/sensitive/data/index.html); +readfile (/highly/sensitive/data/index.html); } else { mail([EMAIL PROTECTED], Possible breakin attempt, $_SERVER['REMOTE_ADDR']); echo Security violation, admin has been alerted.; -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
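Review bot: replacing fpassthru() with readfile() in all four hunks is correct: fpassthru() expects an already opened file handle, while readfile() takes a path, so `fpassthru (/highly/sensitive/data/index.html)` would have failed rather than output the file. The point of the examples survives the change and the comments should stay as they are: in the first three hunks `$good_login == 1` is tested on a variable that, as the comment says, "can be forged by a user in get/post/cookies" when it is never initialized, which is exactly what the last hunk's `!$_GET['username']` check and the mail() alert are there to demonstrate. The `[EMAIL PROTECTED]` recipient is the list archive masking the address, not part of this change.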
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
tom Sun Jan 19 05:30:14 2003 EDT Modified files: /phpdoc/en/chapters security.xml Log: typo Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.50 phpdoc/en/chapters/security.xml:1.51 --- phpdoc/en/chapters/security.xml:1.50Sat Jan 18 14:58:04 2003 +++ phpdoc/en/chapters/security.xml Sun Jan 19 05:30:14 2003 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.50 $ -- +!-- $Revision: 1.51 $ -- chapter id=security titleSecurity/title @@ -561,7 +561,7 @@ informations in this way will be a hard work. /simpara !--simpara - If your database server have native SSL support, consider to use link + If your database server has native SSL support, consider to use link linkend=ref.opensslOpenSSL functions/link in communication between PHP and database via SSL. /simpara-- -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
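Review bot: the have→has fix is right, but the paragraph it touches sits inside an XML comment (`!--simpara ... /simpara--`), so the corrected sentence is not rendered in the manual at all. If the advice about SSL between PHP and the database server is meant to be published, uncomment it in the same change; otherwise the fix is invisible to readers.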
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
alexws Sat Jan 18 14:58:04 2003 EDT Modified files: /phpdoc/en/chapters security.xml Log: Fixed some bugs during translation (added quotes somewhere) and something else. Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.49 phpdoc/en/chapters/security.xml:1.50 --- phpdoc/en/chapters/security.xml:1.49Wed Sep 18 09:18:34 2002 +++ phpdoc/en/chapters/security.xml Sat Jan 18 14:58:04 2003 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.49 $ -- +!-- $Revision: 1.50 $ -- chapter id=security titleSecurity/title @@ -387,7 +387,7 @@ $username = $_POST['user_submitted_name']; $homedir = /home/$username; $file_to_delete = $userfile; -unlink ($homedir/$userfile); +unlink ($homedir/$userfile); echo $file_to_delete has been deleted!; ? ]] @@ -561,7 +561,7 @@ informations in this way will be a hard work. /simpara !--simpara - If your database server native SSL support, consider to use link + If your database server have native SSL support, consider to use link linkend=ref.opensslOpenSSL functions/link in communication between PHP and database via SSL. /simpara-- -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
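Review bot: in the second hunk the inserted verb should be "has", not "have" ("If your database server has native SSL support"), and "consider to use" reads better as "consider using". In the first hunk the removed and added `unlink ($homedir/$userfile);` lines are indistinguishable in this archive view because the quote characters have been stripped; the log's "added quotes somewhere" is the only record of what changed there, so a log line naming the file and the fix would help whoever reads this later.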
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
derick Wed Sep 18 09:18:35 2002 EDT Modified files: /phpdoc/en/chapters security.xml Log: - Remove dubble denial Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.48 phpdoc/en/chapters/security.xml:1.49 --- phpdoc/en/chapters/security.xml:1.48Sun Jun 16 03:11:00 2002 +++ phpdoc/en/chapters/security.xml Wed Sep 18 09:18:34 2002 -1,5 +1,5 ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.48 $ -- +!-- $Revision: 1.49 $ -- chapter id=security titleSecurity/title -1037,7 +1037,7 to work with PHP, it has been argued that the benefits far outweigh the effort. example - titleWorking without register_globals=off/title + titleWorking with register_globals=on/title programlisting role=php ![CDATA[ ?php -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
tom Wed Feb 27 14:05:45 2002 EDT Modified files: /phpdoc/en/chapters security.xml Log: reformatted code for a better html-reading Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.44 phpdoc/en/chapters/security.xml:1.45 --- phpdoc/en/chapters/security.xml:1.44Wed Feb 27 02:35:51 2002 +++ phpdoc/en/chapters/security.xml Wed Feb 27 14:05:44 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.44 $ -- +!-- $Revision: 1.45 $ -- chapter id=security titleSecurity/title @@ -784,7 +784,9 @@ informalexample programlisting role=php ![CDATA[ -$query = SELECT * FROM products WHERE id LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD'--; +$query = SELECT * FROM products +WHERE id LIKE '%a%' +exec master..xp_cmdshell 'net user test testpass /ADD'--; $result = mssql_query($query); ]] /programlisting @@ -853,10 +855,11 @@ programlisting role=php ![CDATA[ settype($offset, 'integer'); -$query = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;; +$query = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;; // please note %d in the format string, using %s would be meaningless -$query = sprintf(SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;, $offset); +$query = sprintf(SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;, + $offset); ]] /programlisting /example
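Review bot: in the second hunk (@@ -853) the comment "using %s would be meaningless" leaves the reason implicit; state that %d converts $offset to an integer, which is what keeps any non-numeric text supplied for it out of the query, and that settype($offset, 'integer') on the line above achieves the same thing without sprintf. In the first hunk, wrapping the MSSQL query literal over three source lines puts newline characters inside the PHP string; that is harmless to the SQL, so the change is purely for HTML readability as the log says.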
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
gerzson Mon Feb 4 06:51:23 2002 EDT Modified files: /phpdoc/en/chapters security.xml Log: some spelling errors and typos corrected Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.42 phpdoc/en/chapters/security.xml:1.43 --- phpdoc/en/chapters/security.xml:1.42Mon Jan 21 09:36:58 2002 +++ phpdoc/en/chapters/security.xml Mon Feb 4 06:51:22 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.42 $ -- +!-- $Revision: 1.43 $ -- chapter id=security titleSecurity/title @@ -570,13 +570,13 @@ sect2 id=security.database.storage titleEncrypted Storage Model/title simpara - SSL/SSH protects data traveling from the client to the server, SSL/SSH + SSL/SSH protects data travelling from the client to the server, SSL/SSH does not protect the persistent data stored in a database. SSL is an on-the-wire protocol. /simpara simpara Once an attacker gains access to your database directly (bypassing the - webserver), the stored sensitive data may be exposed or misused unless, + webserver), the stored sensitive data may be exposed or misused, unless the information is protected by the database itself. Encrypting the data is a good way to mitigate this threat, but very few databases offer this type of data encryption. @@ -613,7 +613,7 @@ $result = pg_exec($connection, $query); if (pg_numrows($result) 0) { -echo Wellcome, $username!; +echo Welcome, $username!; } else { echo Authentication failed for $username.; @@ -653,8 +653,9 @@ ![CDATA[ $offset = argv[0]; // beware, no input validation! $query = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;; +// with PostgreSQL $result = pg_exec($conn, $query); -// with MySQL: +// with MySQL $result = mysql_query($query); ]] /programlisting 
@@ -663,22 +664,18 @@ is encoded into the URL. The script expects that the incoming varname$offset/varname is decimal number. However, someone tries to break in with appending functionurlencode/function'd form of the - following to the URL (PostgreSQL): + following to the URL informalexample programlisting ![CDATA[ +// in case of PostgreSQL 0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select 'crack', usesysid, 't','t','crack' from pg_shadow where usename='postgres'; -- -]] - /programlisting - /informalexample - or in case of using MySQL: - informalexample - programlisting -![CDATA[ + +// in case of MySQL 0; UPDATE user SET Password=PASSWORD('crack') WHERE user='root'; FLUSH PRIVILEGES; @@ -698,13 +695,14 @@ /note para A feasible way to gain passwords is to circumvent your search result pages. - What the attacker has to do is only trying if there is a submitted filter - setting handled not properly. These filters are commonly set in a previous - form to customize literalWHERE, ORDER BY, LIMIT and OFFSET/literal - clauses in literalSELECT/literal statements. If your database supports - the literalUNION/literal construct, the attacker may try to append an - entire query to the original one to list passwords from an arbitrary table. - Using encrypted password fields is strongly encouraged. + What the attacker needs only is to try if there is any submitted variable + used in SQL statement which is not handled properly. These filters can be set + commonly in a preceding form to customize literalWHERE, ORDER BY, + LIMIT/literal and literalOFFSET/literal clauses in +literalSELECT/literal + statements. If your database supports the literalUNION/literal construct, + the attacker may try to append an entire query to the original one to list + passwords from an arbitrary table. Using encrypted password fields is + strongly encouraged. example title Listing out articles ... and some passwords (any database server) 
@@ -714,6 +712,7 @@ $query = SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;; +$result = odbc_exec($conn, $query); ]] /programlisting /example @@ -760,6 +759,7 @@ ![CDATA[ // $uid == ' or uid like'%admin%'; -- $query = UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%'; --; + // $pwd == hehehe', admin='yes', trusted=100 $query = UPDATE usertable SET pwd='hehehe', admin='yes', trusted=100 WHERE ...; ]] @@ -844,7 +844,7 @@ /listitem listitem para -If the application waits for numeric input, consider to verify data +If the application waits for numerical input, consider to verify data with functionis_numeric/function, or silently change its type using functionsettype/function, or use its numeric representation
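Review bot: the context line `$offset = argv[0]; // beware, no input validation!` in the hunk at @@ -653 is broken PHP: without the `$` sigil, `argv` is an undefined constant rather than the argument array, so the example never assigns the untrusted value it is meant to show. It should be `$argv[0]`, or, since the following paragraph says the value "is encoded into the URL", `$_GET['offset']`.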
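Review bot: the reworded paragraph in the hunk at @@ -698 is harder to read than the one it replaces. Suggest: "All the attacker needs to do is check whether any submitted variable used in an SQL statement is handled improperly. These values are commonly set in a preceding form to customize the WHERE, ORDER BY, LIMIT and OFFSET clauses of SELECT statements." The rest of the paragraph (UNION, encrypted password fields) is fine as it stands.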
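Review bot: in the hunk at @@ -844, "numeric input" was the better phrase; "numerical input" is unusual here, and is_numeric(), named in the same sentence, uses "numeric". Suggest keeping the original wording.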
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
gerzson Mon Jan 21 09:36:59 2002 EDT Modified files: /phpdoc/en/chapters security.xml Log: better description of the SQL injection examples Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.41 phpdoc/en/chapters/security.xml:1.42 --- phpdoc/en/chapters/security.xml:1.41Fri Jan 18 12:25:26 2002 +++ phpdoc/en/chapters/security.xml Mon Jan 21 09:36:58 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.41 $ -- +!-- $Revision: 1.42 $ -- chapter id=security titleSecurity/title @@ -498,8 +498,8 @@ simpara To retrieve or to store any information you need to connect to the database, send a legitimate query, fetch the result, and close the connecion. -Nowadays, the commonly used interface in the interaction with databases is -the Structured Query Language (SQL). See how an attacker can link +Nowadays, the commonly used query language in this interaction is the +Structured Query Language (SQL). See how an attacker can link linkend=security.database.sql-injectiontamper with an SQL query/link. /simpara simpara 
@@ -636,16 +636,13 @@ Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database - host. -/simpara -simpara - This is accomplished by the application taking user input and combining - it with static parameters to build a SQL query. The following examples - are based on true stories, unfortunately. + host. This is accomplished by the application taking user input and + combining it with static parameters to build a SQL query. The following + examples are based on true stories, unfortunately. /simpara para Owing to the lack of input validation and connecting to the database on - behalf of a superuser or the owner who can create users, the attacker + behalf of a superuser or the one who can create users, the attacker may create a superuser in your database. example title @@ -657,6 +654,8 @@ $offset = argv[0]; // beware, no input validation! $query = SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;; $result = pg_exec($conn, $query); +// with MySQL: +$result = mysql_query($query); ]] /programlisting /example @@ -670,17 +669,6 @@ ![CDATA[ 0; insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) -values ('crack', 31, 't','t','crack'); --- -]] - /programlisting - /informalexample - or more precisely: - informalexample - programlisting -![CDATA[ -0; -insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd) select 'crack', usesysid, 't','t','crack' from pg_shadow where usename='postgres'; -- 
@@ -709,14 +697,23 @@ /para /note para - A feasible way to gain passwords: + A feasible way to gain passwords is to circumvent your search result pages. + What the attacker has to do is only trying if there is a submitted filter + setting handled not properly. These filters are commonly set in a previous + form to customize literalWHERE, ORDER BY, LIMIT and OFFSET/literal + clauses in literalSELECT/literal statements. If your database supports + the literalUNION/literal construct, the attacker may try to append an + entire query to the original one to list passwords from an arbitrary table. + Using encrypted password fields is strongly encouraged. example title Listing out articles ... and some passwords (any database server) /title programlisting role=php ![CDATA[ -$query = SELECT id, name, inserted, size FROM products WHERE size = '$size';; +$query = SELECT id, name, inserted, size FROM products + WHERE size = '$size' + ORDER BY $order LIMIT $limit, $offset;; ]] /programlisting /example @@ -725,15 +722,24 @@ informalexample programlisting ![CDATA[ -union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from usertable +' +union select '1', concat(uname||'-'||passwd) as name, '1971-01-01', '0' from +usertable; +-- ]] /programlisting /informalexample - If this query were assigned to varname$size/varname (prepended with - literal'/literal), the query beast awakened. + If this query (playing with the literal'/literal and + literal--/literal) were assigned to one of the variables used in + varname$query/varname, the query beast awakened. /para para - SQL UPDATEs are also subject to attacking your database. + SQL UPDATEs are also subject to attacking your database. These queries are + also threatened by chopping and appending an entirely new query to it. But + the attacker might fiddle with the
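Review bot: the context line "send a legitimate query, fetch the result, and close the connecion" in the hunk at @@ -498 has a typo, "connecion" for "connection"; since the hunk already rewrites the next sentence, fix it in the same change.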
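Review bot: the hunk at @@ -657 adds `$result = mysql_query($query);` directly after `$result = pg_exec($conn, $query);`, so the example as listed executes the query twice against two different drivers. Mark the MySQL line as an alternative (a comment such as "// or, with MySQL:") or show it in its own listing.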
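Review bot: the payload in the hunk at @@ -725, `concat(uname||'-'||passwd)`, does not match the example's "(any database server)" title: it wraps the SQL-standard `||` concatenation operator in MySQL's concat(), and in MySQL `||` is logical OR unless PIPES_AS_CONCAT is enabled, so the line is not valid in either dialect as written. Either pick one dialect and say which, or drop the "any database server" claim. Also "the query beast awakened" should read "the query beast is awakened".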
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
gerzson Wed Jan 16 05:09:37 2002 EDT Modified files: /phpdoc/en/chapters security.xml Log: new section added about database security please someone run a 'make test' Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.39 phpdoc/en/chapters/security.xml:1.40 --- phpdoc/en/chapters/security.xml:1.39Tue Dec 18 18:18:36 2001 +++ phpdoc/en/chapters/security.xml Wed Jan 16 05:09:37 2002 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.39 $ -- +!-- $Revision: 1.40 $ -- chapter id=security titleSecurity/title 
@@ -484,6 +484,394 @@ reason, it's usually easier to create a policy where you forbid everything except for what you explicitly allow. /para + /sect1 + + sect1 id=security.database + titleDatabase Security/title + + simpara +Nowadays, databases are cardinal components of any web based application by +enabling websites to provide varying dynamic content. Since very sensitive +or secret informations can be stored in such database, you should strongly +consider to protect them somehow. + /simpara + simpara +PHP can be treated as a bridge between the database and client. Your script +processes the client's request, and propagates it in such manner that the +database can provide the appropriate response. After that, the script +generates its output from the supplied data, probably based on customizeable +user preferences stored in database, too. + /simpara + simpara +To retrieve or to store any information you need to connect to the database, +send a legitimate query, fetch the result, and close the connecion. +Nowadays, the commonly used interface in the interaction with databases is +the Structured Query Language (SQL). See how an attacker can link +linkend=security.database.sql-injectiontamper with an SQL query/link. + /simpara + simpara +As you can realize, PHP cannot protect your database by itself. The +following sections aim to be an introduction into the very basics of how to +access and manipulate databases within PHP scripts. + /simpara + simpara +Keep in my mind this simple rule: defence in depth. In the more place you +take the more action to increase the protection of your database, the less +probability of that an attacker succeeds, and exposes or abuse any stored +secret information. Good design of the database schema and the application +deals with your greatest fears. 
+ /simpara + + sect2 id=security.database.design +titleDesigning Databases/title + simpara + The first step is always to create the database, unless you want to use + an existing third party's one. When a database is created, it is + assigned to an owner, who executed the creation statement. Usually, only + the owner (or a superuser) can do anything with the objects in that + database, and in order to allow other users to use it, privileges must be + granted. + /simpara + simpara + Applications should never connect to the database as its owner or a + superuser, because these users can execute any query at will, for + example, modifying the schema (e.g. dropping tables) or deleting its + entire content. + /simpara + simpara + You may create different database users for every aspect of your + application with very limited rights to database objects. The most + required privileges should be granted only, and avoid that the same user + can interact with the database in different use cases. This means that if + intruders gain access to your database using one of these credentials, + they can only effect as many changes as your application can. + /simpara + simpara + You are encouraged not to implement all the business logic in the web + application (i.e. your script), instead to do it in the database schema + using views, triggers or rules. If the system evolves, new ports will be + intended to open to the database, and you have to reimplement the logic + in each separate database client. Over and above, triggers can be used + to transparently and automatically handle fields, which often provides + insight when debugging problems with your application or tracing back + transactions. 
+ /simpara + /sect2 + + sect2 id=security.database.connection +titleConnecting to Database/title +simpara + You may want to estabilish the connections over SSL to encrypt + client/server communications for increased security, or you can use ssh + to encrypt the network connection between clients and the database server. + If either of them is done, then monitoring your traffic and gaining + informations in this way will be a hard work. +/simpara +!--simpara + If your database server native SSL support, consider to use link
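Review bot: the new section's text needs a spelling and grammar pass before it goes out: "informations" should be "information" (twice; it is uncountable), "connecion" → "connection", "customizeable" → "customizable", "Keep in my mind" → "Keep in mind", "estabilish" → "establish", and "As you can realize" → "As you can see". The defence-in-depth sentence ("In the more place you take the more action...") should read something like "The more places you add protection, the lower the probability that an attacker succeeds and exposes or abuses stored secrets." Two content points: "The most required privileges should be granted only" is ambiguous and should say "Grant only the privileges that are actually required"; and the trailing commented-out simpara "If your database server native SSL support" is missing its verb ("has") and, being inside an XML comment, will not be rendered, so either finish it and uncomment it or drop it. The least-privilege advice itself (never connect as the owner or a superuser; use separate database users per use case so that a stolen credential can only do what that part of the application can) is the right recommendation and worth keeping prominent.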
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
derick Wed Dec 5 03:30:41 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: - Typo Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.36 phpdoc/en/chapters/security.xml:1.37 --- phpdoc/en/chapters/security.xml:1.36Fri Nov 23 16:51:22 2001 +++ phpdoc/en/chapters/security.xml Wed Dec 5 03:30:41 2001 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.36 $ -- +!-- $Revision: 1.37 $ -- chapter id=security titleSecurity/title @@ -764,7 +764,7 @@ titleHiding PHP/title para A few simple techniques can help to hide PHP, possibly slowing -down an attacker who is attempting to disover weaknesses in your +down an attacker who is attempting to discover weaknesses in your system. By setting expose_php = off in your php.ini file, you reduce the amount of information available to them. /para
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
philip Tue Nov 13 19:20:50 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: Fix typo. (on = off) Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.33 phpdoc/en/chapters/security.xml:1.34 --- phpdoc/en/chapters/security.xml:1.33Sat Nov 10 16:49:28 2001 +++ phpdoc/en/chapters/security.xml Tue Nov 13 19:20:50 2001 @@ -1,5 +1,5 @@ ?xml version=1.0 encoding=iso-8859-1? -!-- $Revision: 1.33 $ -- +!-- $Revision: 1.34 $ -- chapter id=security titleSecurity/title @@ -653,7 +653,7 @@ ?gt; /programlisting /example -Of course, simply turning on register globals does not mean code +Of course, simply turning off register_globals does not mean code is secure. For every piece of data that is submitted, it should also be checked in other ways. /para
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
tom Sun Nov 4 04:10:03 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: reworded intro accoring the new order Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.30 phpdoc/en/chapters/security.xml:1.31 --- phpdoc/en/chapters/security.xml:1.30Tue Oct 30 20:39:47 2001 +++ phpdoc/en/chapters/security.xml Sun Nov 4 04:10:02 2001 @@ -1,5 +1,5 @@ ?xml encoding=iso-8859-1? -!-- $Revision: 1.30 $ -- +!-- $Revision: 1.31 $ -- chapter id=security titleSecurity/title @@ -32,10 +32,10 @@ secure it is, is largely up to the PHP developer. /simpara simpara - This chapter starts by explaining the different configuration - option combinations and the situations they can be safely used. It - then describes different considerations in coding for different - levels of security, and ends with some general security advice. + This chapter starts with some general security advice, explains + the different configuration option combinations and the situations + they can be safely used, and describes different considerations in + coding for different levels of security. /simpara sect1 id=security.general
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
jimwTue Oct 30 20:39:47 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: putting general security info first, rather than more obscure cgi stuff. Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.29 phpdoc/en/chapters/security.xml:1.30 --- phpdoc/en/chapters/security.xml:1.29Sat Oct 13 11:52:38 2001 +++ phpdoc/en/chapters/security.xml Tue Oct 30 20:39:47 2001 @@ -1,5 +1,5 @@ ?xml encoding=iso-8859-1? -!-- $Revision: 1.29 $ -- +!-- $Revision: 1.30 $ -- chapter id=security titleSecurity/title 
@@ -38,6 +38,54 @@ levels of security, and ends with some general security advice. /simpara + sect1 id=security.general + titleGeneral considerations/title + simpara +A completely secure system is a virtual impossibility, so an +approach often used in the security profession is one of balancing +risk and usability. If every variable submitted by a user required +two forms of biometric validation (such as a retinal scan and a +fingerprint), you would have an extremely high level of +accountability. It would also take half an hour to fill out a fairly +complex form, which would tend to encourage users to find ways of +bypassing the security. + /simpara + simpara +The best security is often inobtrusive enough to suit the +requirements without the user being prevented from accomplishing +their work, or over-burdening the code author with excessive +complexity. Indeed, some security attacks are merely exploits of +this kind of overly built security, which tends to erode over time. + /simpara + simpara +A phrase worth remembering: A system is only as good as the weakest +link in a chain. If all transactions are heavily logged based on +time, location, transaction type, etc. but the user is only +verified based on a single cookie, the validity of tying the users +to the transaction log is severely weakened. + /simpara + simpara +When testing, keep in mind that you will not be able to test all +possibilities for even the simplest of pages. The input you +may expect will be completely unrelated to the input given by +a disgruntled employee, a cracker with months of time on their +hands, or a housecat walking across the keyboard. This is why it's +best to look at the code from a logical perspective, to discern +where unexpected data can be introduced, and then follow how it is +modified, reduced, or amplified. 
+ /simpara + simpara +The Internet is filled with people trying to make a name for +themselves by breaking your code, crashing your site, posting +inappropriate content, and otherwise making your day interesting. +It doesn't matter if you have a small or large site, you are +a target by simply being online, by having a server that can be +connected to. Many cracking programs do not discern by size, they +simply trawl massive IP blocks looking for victims. Try not to +become one. + /simpara + /sect1 + sect1 id=security.cgi titleInstalled as CGI binary/title 
@@ -729,54 +777,6 @@ /para /sect1 - sect1 id=security.general - titleGeneral considerations/title - simpara -A completely secure system is a virtual impossibility, so an -approach often used in the security profession is one of balancing -risk and usability. If every variable submitted by a user required -two forms of biometric validation (such as a retinal scan and a -fingerprint), you would have an extremely high level of -accountability. It would also take half an hour to fill out a fairly -complex form, which would tend to encourage users to find ways of -bypassing the security. - /simpara - simpara -The best security is often inobtrusive enough to suit the -requirements without the user being prevented from accomplishing -their work, or over-burdening the code author with excessive -complexity. Indeed, some security attacks are merely exploits of -this kind of overly built security, which tends to erode over time. - /simpara - simpara -A phrase worth remembering: A system is only as good as the weakest -link in a chain. If all transactions are heavily logged based on -time, location, transaction type, etc. but the user is only -verified based on a single cookie, the validity of tying the users -to the transaction log is severely weakened. - /simpara - simpara -When testing, keep in mind that you will not be able to test all -possibilities for even the simplest of pages. The input you -may expect will be completely unrelated to the input given by -a disgruntled employee, a cracker with months of time on their -hands, or a housecat walking across the keyboard. This is why it's -best to look at the code from a logical perspective, to discern -where unexpected data
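Review bot: the @@ -38 hunk re-adds the "General considerations" text verbatim, including the misspelling in "The best security is often inobtrusive enough"; since every line of the section is a fresh + line here, correct it to "unobtrusive" rather than moving the typo up the chapter. The same block carries a comma splice worth fixing in the same pass: "Many cracking programs do not discern by size, they simply trawl massive IP blocks looking for victims" should be split into two sentences or joined with a semicolon.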
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
philip Mon Sep 24 13:56:35 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: Adding link to register_globals config setting. Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.26 phpdoc/en/chapters/security.xml:1.27 --- phpdoc/en/chapters/security.xml:1.26Fri Sep 21 18:47:30 2001 +++ phpdoc/en/chapters/security.xml Mon Sep 24 13:56:35 2001 @@ -1,5 +1,5 @@ ?xml encoding=iso-8859-1? -!-- $Revision: 1.26 $ -- +!-- $Revision: 1.27 $ -- chapter id=security titleSecurity/title @@ -541,9 +541,9 @@ sect1 id=security.registerglobals titleUsing Register Globals/title para -One feature of PHP that can be used to enhance security is -configuring PHP with register_globals = off. By turning off -the ability for any user-submitted variable to be injected +One feature of PHP that can be used to enhance security is configuring PHP with +link linkend=ini.register-globalsregister_globals/link = off. +By turning off the ability for any user-submitted variable to be injected into PHP code, you can reduce the amount of variable poisoning a potential attacker may inflict. They will have to take the additional time to forge submissions, and your
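Review bot: in the @@ -541 hunk the reflowed first + line, "One feature of PHP that can be used to enhance security is configuring PHP with", is noticeably longer than the surrounding wrapped lines; keep the paragraph's existing wrap width and break before "configuring PHP with" so the `link linkend="ini.register-globals"` element fits without rewrapping the whole sentence. Linking the directive name is the right change, since the text otherwise gives the reader no pointer to where register_globals is documented.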
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
ronabop Sat Jul 28 17:57:49 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: Enhancing, per recent discussions on PHP-DEV, and adding section on using register_globals to increase security. Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.19 phpdoc/en/chapters/security.xml:1.20 --- phpdoc/en/chapters/security.xml:1.19Tue May 8 17:30:06 2001 +++ phpdoc/en/chapters/security.xml Sat Jul 28 17:57:49 2001 
@@ -265,29 +265,37 @@ nobody user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database -adminisitror's web page, and drop all of your databases. You can +administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts. /simpara simpara Often, once security is established to the point where the PHP user -(in this case, the apache user) has very little risk, it is -discovered that PHP now has been prevented from writing virus files +(in this case, the apache user) has very little risk attached to it, +it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing -or changing a non-public database. It has equally been secured from -writing files that it should, or entering database transactions. +or changing databases. It has equally been secured from writing +good and bad files, or entering good and bad database transactions. /simpara simpara A frequent security mistake made at this point is to allow apache -root permissions. +root permissions, or to escalate apache's abilitites in some other +way. /simpara simpara Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, -chroot'ing ,or otherwise running as root should not be considered by +chroot'ing, or otherwise running as root should not be considered by those who are not security professionals. /simpara + simpara +There are some simpler solutions. By using +functionopen_basedir()/function you can control and restrict what +directories are allowed to be used for PHP. You can also set up +apache-only areas, to restrict all web based activity to non-user, +or non-system, files. 
+ /simpara /sect1 sect1 id=security.filesystem @@ -369,7 +377,7 @@ lt;?php // removes a file from the hard drive that // the PHP user has access to. -$username = $HTTP_REMOTE_USER; // use an authentication mechanisim +$username = $HTTP_REMOTE_USER; // using an authentication mechanisim $homedir = /home/$username; @@ -385,21 +393,28 @@ ?gt; /programlisting /example -Alternately, you may prefer to write a more customized check: +However, even this is not without it's flaws. If your authentication +system allowed users to create their own user logins, and a user +chose the login ../etc/, the system is once again exposed. For +this reason, you may prefer to write a more customized check: example titleMore secure file name checking/title programlisting role=php lt;?php -$username = getenv(REMOTE_USER); +$username = $HTTP_REMOTE_USER; // using an authentication mechanisim $homedir = /home/$username; if (!ereg('^[^./][^/]*$', $userfile)) -die('bad filename'); //die, do not process - + die('bad filename'); //die, do not process + +if (!ereg('^[^./][^/]*$', $username)) + die('bad username'); //die, do not process //etc... ?gt; /programlisting /example + /para + para Depending on your operating system, there are a wide variety of files which you should be concerned about, including device entries (/dev/ or COM1), configuration files (/etc/ files and the .ini files), 
@@ -411,13 +426,29 @@ sect1 id=security.errors titleError Reporting/title - simpara + para +With PHP security, there are two sides to error reporting. One is +beneficial to increasing security, the other is detrimental. + /para + para A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, to determine possible weaknesses. - /simpara - simpara +For example, if an attacker had gleaned information about a page +based on a prior form submission, they may attempt to override +variables, or modify them: +example + titleAttacking Variables with a custom HTML page/title +
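Review bot: the @@ -265 hunk introduces a new misspelling in the added line "or to escalate apache's abilitites in some other" (should be "abilities"), and the new open_basedir paragraph marks it up as `functionopen_basedir()/function` although open_basedir is a php.ini directive, not a function; use the ini link form that the register_globals section uses (a `link linkend="ini.open-basedir"` around the directive name) and drop the "()" so readers do not go looking for a function of that name.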
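Review bot: the @@ -369 hunk changes the comment from "use an authentication mechanisim" to "using an authentication mechanisim" and leaves the misspelling in place; since the line is being edited anyway, write `// using an authentication mechanism` so the same typo is not propagated to the second example below.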
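Review bot: in the @@ -385 hunk, "even this is not without it's flaws" should read "its flaws", and replacing `$username = getenv(REMOTE_USER);` with `$username = $HTTP_REMOTE_USER;` swaps a working call for a variable PHP does not populate (the server data is in `$HTTP_SERVER_VARS`, or `$REMOTE_USER` under register_globals); combined with the new `ereg('^[^./][^/]*$', $username)` check, an unset variable makes every request die with "bad username", so keep `getenv("REMOTE_USER")` or read `$HTTP_SERVER_VARS["REMOTE_USER"]`. The username check itself is the right addition for the "../etc/" login case described in the prose, and the "mechanisim" misspelling is carried into the + line here as well.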
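Review bot: the new lead-in paragraph in the @@ -411 hunk, "One is beneficial to increasing security, the other is detrimental", is a comma splice; either join the clauses with a semicolon or write "one is beneficial to security, the other detrimental". Switching the container from simpara to para is required here because an example cannot sit inside a simpara, so that part of the change is correct.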
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
jimwTue May 8 14:30:06 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: fix typo Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.18 phpdoc/en/chapters/security.xml:1.19 --- phpdoc/en/chapters/security.xml:1.18Sat Jan 20 11:13:22 2001 +++ phpdoc/en/chapters/security.xml Tue May 8 14:30:06 2001 @@ -263,7 +263,7 @@ PHP to access a database, unless that database has built-in access control, you will have to make the database accessable to the nobody user. This means a malicious script could access and modify -the databse, even without a username and password. It's entirely +the database, even without a username and password. It's entirely possible that a web spider could stumble across a database adminisitror's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design
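Review bot: the @@ -263 hunk fixes "databse" but leaves "adminisitror's web page" two context lines below it untouched; both typos sit in the same simpara, so fix "administrator's" in the same commit rather than leaving it for a later pass.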
[PHP-DOC] cvs: phpdoc /en/chapters security.xml
gobaSat Jan 20 11:13:22 2001 EDT Modified files: /phpdoc/en/chapters security.xml Log: .php3 - .php Index: phpdoc/en/chapters/security.xml diff -u phpdoc/en/chapters/security.xml:1.17 phpdoc/en/chapters/security.xml:1.18 --- phpdoc/en/chapters/security.xml:1.17Mon Jan 15 00:36:44 2001 +++ phpdoc/en/chapters/security.xml Sat Jan 20 11:13:22 2001 @@ -83,15 +83,15 @@ Usually some web server configuration directives (Apache: Action) are used to redirect requests to documents like filename - role="url"http://my.host/secret/script.php3/filename to the + role="url"http://my.host/secret/script.php/filename to the PHP interpreter. With this setup, the web server first checks the access permissions to the directory filename role="uri"/secret/filename, and after that creates the redirected request filename - role="url"http://my.host/cgi-bin/php/secret/script.php3/filename. + role="url"http://my.host/cgi-bin/php/secret/script.php/filename. Unfortunately, if the request is originally given in this form, no access checks are made by web server for file filename - role="uri"/secret/script.php3/filename, but only for the + role="uri"/secret/script.php/filename, but only for the filename role="uri"/cgi-bin/php/filename file. This way any user able to access filename role="uri"/cgi-bin/php/filename is able to access any @@ -125,9 +125,9 @@ to the configure script. You still have to make sure your PHP scripts do not rely on one or another way of calling the script, neither by directly filename - role="php"http://my.host/cgi-bin/php/dir/script.php3/filename + role="php"http://my.host/cgi-bin/php/dir/script.php/filename nor by redirection filename - role="php"http://my.host/dir/script.php3/filename. + role="php"http://my.host/dir/script.php/filename. /simpara simpara Redirection can be configured in Apache by using AddHandler and 
@@ -140,7 +140,7 @@ simpara This compile-time option prevents anyone from calling PHP directly with a url like filename - role="php"http://my.host/cgi-bin/php/secretdir/script.php3/filename. + role="php"http://my.host/cgi-bin/php/secretdir/script.php/filename. Instead, PHP will only parse in this mode if it has gone through a web server redirect rule. /simpara @@ -149,8 +149,8 @@ the following directives: /simpara programlisting role="apache-conf" -Action php3-script /cgi-bin/php -AddHandler php3-script .php3 +Action php-script /cgi-bin/php +AddHandler php-script .php /programlisting simpara This option has only been tested with the Apache web server, and @@ -199,21 +199,21 @@ linkend="ini.user-dir"user_dir/link. When user_dir is unset, only thing controlling the opened file name is parameterdoc_root/parameter. Opening an url like filename - role="url"http://my.host/~user/doc.php3/filename does not + role="url"http://my.host/~user/doc.php/filename does not result in opening a file under users home directory, but a file - called filename role="uri"~user/doc.php3/filename under + called filename role="uri"~user/doc.php/filename under doc_root (yes, a directory name starting with a tilde [literal~/literal]). /simpara simpara If user_dir is set to for example filename role="dir"public_php/filename, a request like filename - role="url"http://my.host/~user/doc.php3/filename will open a - file called filenamedoc.php3/filename under the directory + role="url"http://my.host/~user/doc.php/filename will open a + file called filenamedoc.php/filename under the directory named filename role="dir"public_php/filename under the home directory of the user. If the home of the user is filename role="dir"/home/user/filename, the file executed is - filename/home/user/public_php/doc.php3/filename. + filename/home/user/public_php/doc.php/filename. /simpara simpara parameteruser_dir/parameter expansion happens regardless of 
@@ -254,22 +254,6 @@ /sect1 - sect1 id="security.current" - titleKeeping Current/title - simpara -PHP, like any other large system, is under constant scrutiny and -improvement. Each new version will often include both major and -minor changes to enhance and repair security flaws, configuration -mishaps, and other issues that will affect the overall security -and stability of your system. - /simpara - simpara -Like other system-level scripting languages and programs, the best -approach is to update often, and maintain awareness of the latest -versions and their changes. - /simpara - /sect1 - sect1 id="security.apache" titleInstalled as an Apache module/title simpara @@ -406,7 +390,7 @@
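Review bot: renaming the handler in the @@ -149 hunk (`Action php-script /cgi-bin/php` and `AddHandler php-script .php`) does more than change the documented extension: after this change a server configured from the example no longer routes existing .php3 files to PHP, so the surrounding simpara should say that a site still serving .php3 files needs a second AddHandler line for that extension during the transition. The handler name does match between the Action and AddHandler lines, which is the part that most often goes wrong.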
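Review bot: while the @@ -199 hunk is being touched, two context lines in it read awkwardly and could be fixed in the same change: "only thing controlling the opened file name" wants "the only thing", and "a file under users home directory" wants "user's home directory".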
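Review bot: the @@ -254 hunk deletes the entire "Keeping Current" sect1, which has nothing to do with the ".php3 - .php" rename the log message describes; if the section was dropped deliberately, say so in the log or commit it separately, and if it was meant to move elsewhere, the destination is not in this diff.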