Holes in PHP applications
PHP Code Execution
* require() and include() - Both these functions read a specified file and interpret the contents as PHP code
* eval() - Interprets a given string as PHP code
* preg_replace() - When used with the /e modifier this function interprets the replacement string as PHP code
Command Execution
* exec() - Executes a specified command and returns the last line of the programs output
* passthru() - Executes a specified command and returns all of the output directly to the remote browser
* `` (backticks) - Executes the specified command and returns all the output in an array
* system() - Much the same as passthru() but doesn't handle binary data
* popen() - Executes a specified command and connects its output or input stream to a PHP file descriptor
File Disclosure
* fopen() - Opens a file and associates it with a PHP file descriptor
* readfile() - Reads a file and writes its contents directly to the remote browser
* file() - Reads an entire file into an array
Configuration
* Set register_globals off - This option will stop PHP creating global variables for user input. That is, if a user submits the form variable 'hello' PHP won't set $hello, only HTTP_GET/POST_VARS['hello']. This is the mother of all other options and is best single option for PHP security, it will also kill basically every third party application available and makes programming PHP a whole lot less convenient.
* Set safe_mode on - this introduces a large variety of restrictions including:
o The ability to restrict which commands can be executed (by exec() etc)
o The ability to restrict which functions can be used
o Restricts file access based on ownership of script and target file
o Kills file upload completely
This is a great option for ISP environments (for which it is designed) but it can also greatly improve the security of normal PHP environments given proper configuration. See the Safe Mode manual page for details.
* Set open_basedir This option prevents any file operations on files outside specified directories. This can effectively kill a variety of local include() and remote file attacks. Caution is still required in regards to file upload and session files.
* Set display_errors off, log_errors on This prevents PHP error messages being displayed in the returned web page. This can effectively limit an attackers exploration of the function of the script they are attacking. It can also make debugging very frustrating.
* Set allow_url_fopen off This stops remote files functionality. Very few sites really need this functionality.
No comments:
Post a Comment