PHP Security: Rekindle your PHP security fire

The topic of scripting security seems to last forever, and if you often go to a variety of bugtraq abroad, you will find that more than half of them are related to scripts, such as SQL Injection,xss,path disclosure,remote commands Execution such words abound, we looked after the use is only to catch chickens? For those of us who want to do web security, it is best to learn, but the root of all things, we do not want fish but fishing. In the domestic, a variety of PHP Program version 1.0, 2.0 version springing up like mushrooms, but, we are concerned about a number of well-known CMS, forum, blog program, very few people in those not well-known programs do security testing, for more and more PHP programmers and webmaster, In addition to relying on the server's fortress settings, the PHP program itself how much security you have to understand a little bit.

Some people say that your PHP security is nothing more than to engage in injection and cross station what what, a big mistake, if so, a MAGIC_QUOTES_GPC or server in some security settings let us all live: (. What I'm going to say today is not the injection, not the cross-site, but the security detail that exists in the PHP program. Ok! cut to the chase.

Pay attention to the filtering of some functions

Some functions are often used in programs, such as include (), require (), fopen (), fwrite (), ReadFile (), unlink (), eval (), and their variant functions, and so on. These functions are very practical, practical does not mean that you worry more, you have to pay for them more snacks. ：）

1.include (), require (), and fopen (), include_once (), require_once () can call files remotely, and for their harm, Google searches you will be very clear, for the contained call variables are not filtered well, You can optionally include files to execute them. For instance, look at print.php

...

if (empty ($bn)) {//check whether the variable $bn is empty

Include ("$cfg _dir/site_${site}.php"); To include the site_${site}.php in the $cfg_dir path.

...

Regardless of the existence of the $cfg_dir directory, $site this variable you can naturally use, because he did not check the $site variable AH. You can specify a remote file to call the variable $site, or it can be a local file, you specify the file to write the PHP statement, and then it will include the execution of the file containing the PHP statement. Like this.

Listing file Directories

It can even be extended to include some administrator files to elevate permissions, typically like a previously phpwind,bo-blog vulnerability. In addition to relying on the allow_url_fopen in php.ini to disable remote use of files and Open_base_dir prohibit the use of files outside the directory, you have to declare in advance what documents can only be included, there is no more nonsense here.

2.fopen (), file (), ReadFile (), OpenFile (), and so on are also the special attention of the place. The function itself is nothing, their role is to open the file, but if the variable filter is not complete, it will reveal the source code. There will be a lot of such functions in the text forum.

...

$articlearray =openfile ("$dbpath/$fid/$tid. php"); Open the $tid.php file for $dbpath/$fid this path

$topic _detail=explode ("|", $articlearray [0]); Read the contents of a post with a split character |

...

Look familiar, this is Ofstar previous version of the read.php, $fid and $tid did not have any filtering, $tid designated as a file submission, the original code leak occurred. Just like this.

Http://explame.com/ofstar/read.php?fid=123&tid=.. /index

$tid will be added to the PHP suffix, so write the index directly. This is just an example, then look at it.

3.fwrite () and its variant function this vulnerability is to think that the user submitted characters do not filter, write a PHP back door is not not.

4.unlink () function, some time ago, phpwind Delete the file is to use this function, for the decision whether to delete the variable does not filter, variable can be designated as arbitrary files, of course, can delete arbitrary file variables.

5.eval (), preg_replace () function, their function is to execute PHP code, if the string has not been filtered by any, what will happen, I often see some of the CMS inside use, think, a word of the PHP Trojan is not based on the eval () Principle of production?

6. For system functions, you would say that a system function is prohibited in the php.ini, which is a good way to do it, but like some programs, is that not necessary? Just like the last time I saw a nice set of PHP albums. In addition to Popen (), Proc_open (), Proc_close () functions you also have to pay attention to, although they do not execute the command after the direct output, but you think this is not the use of hackers. Again here PHP provides two functions, Escapeshellarg (), Escapeshellcmd (), which are used to counter call attacks on system functions, that is, filtering.

For the harm, for example, let's take a look at a forum prod.php

Modified $doubleApp = Isset ($argv [1]); Initialize variable $doubleapp

...

An if ($DOUBLEAPP)//if statement

15 {

$appDir = $argv [1]; Initialize $appdir

System ("mkdir $prodDir/$appDir"); Use system function systems to create a directory $proddir/$appDir


It was originally used to create the $proddir/$appDir directory, and then it appears that the program only detects the existence of $argv[1], lacks the necessary filtering of $argv[1], then you can

/prod.php?argv[1]=|ls-la or/PROD.PHP?ARGV[1]=|CAT/ETC/PASSWD.

(Split character | This is the pipeline parameter for UNIX, and you can execute multiple commands. ）

Here, the common types of vulnerabilities should know the point.