WebApp Sec mailing list archives
Re: Anyone have some basic security tips for PHP-programmers?
From: "James Mitchell" <reductor () askmiky com>
Date: Sat, 22 Nov 2003 09:27:06 +1100
Hello,

For your first block of code, I recommend you use this instead:

    foreach($_GET as $k=>$v) {
        $v = addslashes($v);
        $v = str_replace(';', '', $v);
        $_GET[$k] = $v;
    }

And the same for _POST, however this will not absolutely prevent it.

One method of detection would be the following; however it's not completely foolproof, but it helps.

    foreach($_REQUEST as $k=>$v) {
        if (strpos($v, '1=1') !== false || strpos(strtoupper($v), 'UNION SELECT') !== false) {
            // Set a session or something here, to monitor this user's activities.
        }
    }

This will mean when people attempt stuff, you will be watching them and know who they are.

For your function system, I recommend the following.

    $valid_funcs = array('main', 'contact', 'services', 'whatever');
    if (!isset($_REQUEST['func']) || !in_array($_REQUEST['func'], $valid_funcs)) {
        $_REQUEST['func'] = 'main';
    }
    call_user_func($_REQUEST['func'], $_REQUEST['ARG1'], $_REQUEST['ARG1_VAL']);

Thanks,
James Mitchell

----- Original Message -----
From: <arek () chelmnet pl>
To: "James Mitchell" <reductor () askmiky com>; <webappsec () securityfocus com>
Sent: Thursday, November 20, 2003 11:50 AM
Subject: RE: Anyone have some basic security tips for PHP-programmers?
> Your first code block:
> 1. Request variables containing variables will be evaluated. (e.g. $config[mysql_pass])

OK, so we should escape or drop $, [, ], etc...

> 2. The keys will not be escaped
> (file.php?a%3D1%3B+print+file_get_contents%28%22%2Fetc%2Fshadow%22%29%3B+%2F%2F=hacked)

Hmm,

> 3. You're setting globals, easy to overwrite things (file.php?_SERVER[REMOTE_ADDR]=127.0.0.1)

I tried that - this is not vulnerable ...

> Your second code block:
> 1. file.php?FUNCTION_INIT=file_get_contents&ARG1=/etc/shadow&ARG1_VAL=0

Yeah, thanks, I forgot about PHP-specific functions that can be INITIATED... - must validate that step. That's a really big BUG...

> A few things.
> 1. ; is not used in mysql_query
> 2. eval is slow

How then do you evaluate your result in the case when you need to use a fragment of another variable as your variable?

> 3. Globals are bad

What do you use instead??? Cookies? I put the user preferences in globals after every login, so as not to check them every time he goes on the site... and of course the cookie size is too big. In the global array I have specific column permissions of R/W/X, related to every type of menu function in R/W/X too, and/or his web page preferences (which column to hide, which to show). How else to do that? I think that globals are fast, and faster than SQL... ? So what do you prefer? Creating dynamically split temporary files for every logon with the needed and authorized variables, with the correct amount for every type of needed request in them?

A.Binder
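The allowlisted dispatch and the crude injection-fragment check from James's reply, put together as an added example (not code from the thread); it also treats request keys as untrusted, since arek's point 2 is that keys are never escaped. The handler names, the page_* functions and the sample request are constructed for the example.

```php
<?php
// Added example, not code from the thread. It applies James Mitchell's advice:
// (1) dispatch only through an allowlist of handler names, so a request for
// file_get_contents or any other built-in is refused; (2) flag request data
// carrying common injection fragments so the session can be watched.
declare(strict_types=1);

// Allowlist of request-selectable handlers (constructed names).
const VALID_FUNCS = ['main', 'contact', 'services'];

function page_main(string $arg, string $val): string     { return "main: $arg=$val"; }
function page_contact(string $arg, string $val): string  { return "contact: $arg=$val"; }
function page_services(string $arg, string $val): string { return "services: $arg=$val"; }

// Resolve the requested handler to a real callable, falling back to 'main'.
function resolve_handler(array $request): callable
{
    $name = $request['func'] ?? 'main';
    if (!is_string($name) || !in_array($name, VALID_FUNCS, true)) {
        $name = 'main';
    }
    return 'page_' . $name;   // the prefix means user input can never name an arbitrary function
}

// Heuristic detection only (as the reply says, not foolproof): returns the names of
// request parameters whose value carries an injection fragment, or whose key is not
// a plain identifier (keys are attacker-controlled too).
function suspicious_params(array $request): array
{
    $hits = [];
    foreach ($request as $k => $v) {
        $key = (string) $k;
        $badKey = !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key);
        $badValue = is_string($v)
            && (strpos($v, '1=1') !== false || strpos(strtoupper($v), 'UNION SELECT') !== false);
        if ($badKey || $badValue) {
            $hits[] = $key;
        }
    }
    return $hits;
}

// Constructed sample request standing in for $_REQUEST.
$request = ['func' => 'file_get_contents', 'ARG1' => '/etc/shadow', 'ARG1_VAL' => '1=1'];

foreach (suspicious_params($request) as $param) {
    error_log("suspicious input in parameter '$param' from " . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}
$handler = resolve_handler($request);   // resolves to page_main: the built-in was refused
echo call_user_func($handler, (string) ($request['ARG1'] ?? ''), (string) ($request['ARG1_VAL'] ?? '')), "\n";
```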
Current thread:
- Anyone have some basic security tips for PHP-programmers? Matthews, Chris (Nov 14)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 20)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 22)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- <Possible follow-ups>
- Re: Anyone have some basic security tips for PHP-programmers? DownBload (Nov 18)
- RE: Anyone have some basic security tips for PHP-programmers? Keifer, Trey (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? tim (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)
- RE: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 24)