WebApp Sec mailing list archives

Re: Secure Coding for Newbies?


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 28 Oct 2002 10:52:15 -0500

Dave's Guide to PHP Security for Newbies
____________________________________________________________________________

PHP's major design flaw, as far as security goes, is easily remedied
(and remedied by default in newer versions, if I recall correctly) by
setting register_globals to off. 

With that off, you have to also worry about include statements, which
can refer to URLs. This is also simply remedied by setting
allow_url_fopen to off in the configuration as well.

Ok, now what other problems can you have? Well, like all scripting
languages, your other main issues are going to be:

o Logic issues (did I forget to check auth on one of the pages?)
o Directory traversal issues (infile=../../../../etc/passwd)
o popen(),system() issues (infile=`sleep 50`) (or perl's open())
o SQL injection (query='SELECT * FROM users...')
o Session issues and data leakage 

Combating logic issues is impossible to automate, and session and data
leakage issues are nearly as difficult. (How do you write a program that
knows what data is "good" data to be seen by a particular user?) 

There are many programs to help you test your final site for directory
traversal, popen()/system() issues, and SQL injection. With careful
programming, you can avoid all these issues and still get the advantage
of PHP's quick and efficient web programming language.

Dave Aitel
Immunity, Inc.


Ok, so now you've set the two major PHPisms
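The directory traversal and SQL injection items from Dave's list, shown as the risky pattern next to a hardened one. This is an added example, not code from the original post; it assumes PHP 7.1+ with the PDO SQLite driver and a hypothetical templates/ directory next to the script.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.1 with PDO SQLite.
$templateDir = __DIR__ . '/templates';   // hypothetical location of page fragments

// RISKY: infile=../../../../etc/passwd walks out of $templateDir.
function readTemplateUnchecked(string $infile, string $templateDir): string {
    return file_get_contents($templateDir . '/' . $infile);
}

// HARDENED: allow only a plain filename, then confirm the resolved path still
// lives under $templateDir (realpath() resolves .. and symlinks before the check).
function readTemplateChecked(string $infile, string $templateDir): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $infile)) {
        return null;                       // rejects ../, absolute paths, NUL bytes
    }
    $base = realpath($templateDir);
    $full = realpath($templateDir . '/' . $infile);
    if ($base === false || $full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing file, or it escaped the base dir
    }
    return file_get_contents($full);
}

// RISKY: query built by string concatenation, so the value is parsed as SQL.
function findUserUnchecked(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: prepared statement; the bound value can never change the query shape.
function findUserChecked(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the file runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$probe = "x' OR '1'='1";                   // classic tautology, used here only as a test input
printf("unchecked rows: %d\n", count(findUserUnchecked($db, $probe)));  // 2: WHERE became always-true
printf("checked rows:   %d\n", count(findUserChecked($db, $probe)));    // 0: no user literally named that
var_dump(readTemplateChecked('../../etc/passwd', $templateDir));       // NULL: rejected by the whitelist
```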

On Mon, 28 Oct 2002 10:31:58 -0500
"Kevin Spett" <kspett () spidynamics com> wrote:

Well, to start with, I think Perl is a bad language for web
applications, and I think PHP is truly terrible.  There are serious
design flaws in PHP (such as giving the client access to all variables),
and coding in it securely is annoying enough to make it not
worthwhile.  In addition, it looks bad.  You've got HTML, JavaScript,
application code and database code all in a single document, which is
no fun at all.  Using JSP/XSLT, servlets and Java beans is a much
nicer solution from many angles.

But hey, if you want an easy-to-read guide to secure PHP programming,
check this out: http://www.zend.com/zend/art/art-oertli.php



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Joe User" <joeuser () blazemail com>
To: <webappsec () securityfocus com>
Sent: Monday, October 28, 2002 6:03 AM
Subject: Secure Coding for Newbies?


Hi,

I'm a beginner in PHP and Perl coding and would like a little help! 
I've written a few small scripts for personal use, but I want to
start writing scripts that will be used by / open to the public, and
want to write them with security in the forefront.

I'm having a hard time finding specific, concrete examples of common
webapp security problems and examples of how to avoid them.  Many
sites say "validate user input" or "avoid path traversal" or "beware of
include files" but don't give good examples of *how* I'm supposed to
do these things!

I guess I'm looking for something along the lines of "Webapp
Security for Dummies" as a building block.  Can anybody point to
useful resources for this?  The OWASP guide seems to be more of a
guide for competent coders who already know how to avoid the
problems listed.  :)

Thanks!
